03-29-2010 04:41 AM - edited 02-21-2020 03:54 AM
Hi, I have a Windows 2008 server acting as DC connected to one of the interfaces of an ASA 5580, and have a couple of ADCs in the branches which are connected to different interfaces of the ASA. The routing is happening through the ASA. When trying to do DCPROMO on the ADC it's giving an error. NATing is not there in the ASA and I have an access-list configured for "permit ip any any" for all interfaces. Any clue what could be the problem?
03-29-2010 04:46 AM
When you say there is no NATing, where is the traffic to and from? High security level interface to low, or low security level interface to high?
03-29-2010 04:54 AM
Both are with the same security level and I have
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
configured on the ASA.
03-29-2010 04:58 AM
OK, but you still need to configure static NAT to itself even though same-security-traffic permit inter-interface has been configured, as that is for the ACL, not for NAT.
03-29-2010 04:58 AM
To add to my previous post; I can ping the DC from the ADC, there is no basic communication issue. Network reachability is there.
03-29-2010 05:00 AM
To take care of the NAT I have 'no nat-control'.
03-29-2010 05:13 AM
1) Please check the syslog to see if it's being blocked by the firewall.
2) Run packet capture on both interfaces with ACL just between the DC and ADC:
access-list cap-test permit ip host
access-list cap-test permit ip host
capture cap-DC access-list cap-test interface
capture cap-ADC access-list cap-test interface
Try the "DCPROMO", and check the packet capture to see where it is breaking.
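The first step in the post above is to check the ASA syslog for denies between the DC and the ADC. As an added example (not part of the thread, and not Cisco's own code), here is a small Python filter that parses the ASA `%ASA-4-106023` deny messages out of a syslog extract and reports only the denied flows between the two hosts of interest, summarised by protocol, destination port and access-group. The sample log lines, host addresses, interface names and ACL name are constructed assumptions for the demonstration; the message format follows the standard ASA 106023 layout.

```python
import re
from collections import Counter

# Constructed sample ASA syslog extract (assumed hosts, interfaces and ACL name,
# not taken from the thread). 10.1.1.5 plays the DC, 10.2.2.5 the branch ADC.
SAMPLE_SYSLOG = """\
%ASA-6-302013: Built outbound TCP connection 12345 for inside:10.1.1.5/49152 (10.1.1.5/49152) to branch:10.2.2.5/389 (10.2.2.5/389)
%ASA-4-106023: Deny tcp src branch:10.2.2.5/50123 dst inside:10.1.1.5/135 by access-group "branch_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src branch:10.2.2.5/50124 dst inside:10.1.1.5/49155 by access-group "branch_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src branch:10.9.9.9/5000 dst inside:10.1.1.7/53 by access-group "branch_in" [0x0, 0x0]
%ASA-6-302014: Teardown TCP connection 12345 for inside:10.1.1.5/49152 to branch:10.2.2.5/389 duration 0:00:01 bytes 1400 TCP FINs
"""

# Matches the ASA 106023 "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"" message.
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<sif>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_denies(log_text):
    """Return one dict per 106023 deny line; other message IDs are ignored."""
    denies = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            denies.append(m.groupdict())
    return denies


def denies_between(log_text, host_a, host_b):
    """Keep only denies whose endpoints are exactly host_a and host_b (either direction)."""
    pair = {host_a, host_b}
    return [d for d in parse_denies(log_text) if {d["src"], d["dst"]} == pair]


def summarize(denies):
    """Count denied flows by (proto, dst port, access-group), the three facts
    needed to decide which ACL entry to fix."""
    return Counter((d["proto"], d["dport"], d["acl"]) for d in denies)


if __name__ == "__main__":
    hits = denies_between(SAMPLE_SYSLOG, "10.1.1.5", "10.2.2.5")
    for (proto, dport, acl), n in summarize(hits).items():
        print(f"{n} x {proto}/{dport} denied by access-group {acl}")
```

Run it against `show logging` output (or the syslog server's export) with the real DC and ADC addresses substituted; denies on TCP/135 and on high ports are the ones that matter for the RPC traffic DCPROMO relies on, so any hit there points at the ACL named in the message rather than at routing.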
04-11-2010 12:21 PM
Probably, dcerpc inspection drops some communication. Try "sh policy-map" and search in the dcerpc section for the number of dropped packets.