DC and ADC Synchronization through ASA 5580

rajeeshp · ‎03-29-2010

Hi , I have a Windows 2008 server acing as DC connected to one of the interface of ASA 5580, and have couple of ADC in the branches which are connected to different interfaces of ASA. The routing is happening through the ASA. When trying to do DCPROMO on the ADC it’s giving an error. Natting is not there in the ASA and I have access-list configured for “Permit IP Any any ” for all interface. Any clue wht could be the problem ?

Jennifer Halim · ‎03-29-2010

When you say there is no NATing, where is the traffic to and from? High security level interface to low, or low security level interface to high?

rajeeshp · ‎03-29-2010

Both are with the same security level and I have

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

configured on the ASA.

Jennifer Halim · ‎03-29-2010

OK, but you still need to configure static NAT to itself eventhough same-security-traffic permit inter-interface has been configured as that is for the ACL, not for NAT.

rajeeshp · ‎03-29-2010

To add to my previous post; I can ping the DC from the ADC, there is no basic communication issue. Network reachability is there.

rajeeshp · ‎03-29-2010

to take care about the NAT i have 'no nat-control'

Jennifer Halim · ‎03-29-2010

1) Please check the syslog to see if it's being blocked by the firewall.

2) Run packet capture on both interfaces with ACL just between the DC and ADC:

access-list cap-test permit ip host host

capture cap-DC access-list cap-test interface

capture cap-ADC access-list cap-test interface

Try the "DCPROMO", and check the packet capture to see where it is breaking.

kloc_marek · ‎04-11-2010

Probably, dcerpc inspection drop some comunication. Try "sh policy-map" and search in dcerpc section, number of drop packet.