Communicating with an inside DC from DMZ

Answered Question
Mar 31st, 2010

We have a DMZ with a couple servers parked inside. We would like them to receive or get group policy updates. I cannot seem to get that to happen. The DC is on the inside while the server needing the update is in the DMZ. I have the ACL on the DMZ set to permit the server in question to go to the inside (source = dmz server, destination = domain controller, service = tcp, udp).

From the DMZ I can ping the domain controller, browse to it in Explorer, and scan it with nmap, but I cannot seem to do a GP update or add it to the domain.

What am I doing wrong?

Thanks.

Correct Answer by Federico Coto F... about 7 years 2 months ago

Hi,

In order to communicate from the DMZ to the Inside DC, all you need is the STATIC NAT and ACL.

Assuming x.x.x.x is the real IP of the DC:

static (inside,DMZ) x.x.x.x x.x.x.x
access-list DMZ permit ip any host x.x.x.x
access-group DMZ in interface DMZ

You say that you have connectivity to the DC from the DMZ, so the above statements should be correct.

Is there an ACL applied to the inside interface of the ASA? If so, you need to make sure that it allows the desired traffic.

If it still does not work you can do two good tests on the ASA:

access-list cap-dmz permit ip host y.y.y.y host x.x.x.x
access-list cap-dmz permit ip host x.x.x.x host y.y.y.y
capture cap-dmz access-list cap-dmz interface DMZ

access-list cap-in permit ip host y.y.y.y host x.x.x.x
access-list cap-in permit ip host x.x.x.x host y.y.y.y
capture cap-in access-list cap-in interface inside

Then capture the packets when attempting the communication, so we can see from Wireshark or a sniffer tool exactly all the transactions between both devices. (Assuming y.y.y.y is the IP of a server on the DMZ interface.)

The other test is to use the Packet Tracer utility from ASDM or the CLI on the ASA to simulate the communication on the right ports, and that will show us if any process on the ASA is blocking the connection.

Federico.

oneirishpollack Thu, 04/01/2010 - 05:31

I did not have the NAT translation.

Right now I have a permit for all TCP/UDP traffic from the DMZ server to the DC. I know I need to tighten this down. For GP access, what services need to be permitted?

I mean it is crazy to have all TCP/UDP open for a machine in the DMZ to the DC, right?

Federico Coto F... Thu, 04/01/2010 - 09:07

I'm not 100% sure about the port; I believe it is TCP 135.

Anyway, if you enable logs on the firewall, you can see the transactions between the servers and it will show the port in use. This way you can restrict the ACL, because you're correct: it is not a good idea having TCP/UDP open.

Federico.
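The two suggestions above (read the ports the DMZ server actually uses from the ASA logs, then verify the tightened rule with packet-tracer) can be turned into a small script. The following is an added example, not code from the thread or from Cisco: it parses a handful of constructed ASA syslog lines in the real 302013/302015 (built TCP/UDP connection) and 106023 (denied by access-group) formats, keeps only flows initiated by the DMZ server towards the DC, and prints per-port access-list lines plus matching packet-tracer commands. The addresses 10.0.2.5 and 10.0.1.10 stand in for the thread's y.y.y.y and x.x.x.x and, like the log lines, are constructed; the ACL name DMZ and interface names DMZ/inside are taken from the thread.

```python
import re
from collections import Counter

DMZ_SERVER = "10.0.2.5"    # constructed stand-in for the thread's y.y.y.y
DC = "10.0.1.10"           # constructed stand-in for the thread's x.x.x.x
ACL_NAME = "DMZ"           # the ACL the thread applies inbound on the DMZ interface
DYNAMIC_RPC_START = 49152  # Windows dynamic RPC port range starts here (49152-65535)

# Constructed sample log lines, written in the real ASA message formats.
SAMPLE_LOGS = """\
%ASA-6-302013: Built inbound TCP connection 4123 for DMZ:10.0.2.5/49152 (10.0.2.5/49152) to inside:10.0.1.10/389 (10.0.1.10/389)
%ASA-6-302013: Built inbound TCP connection 4124 for DMZ:10.0.2.5/49153 (10.0.2.5/49153) to inside:10.0.1.10/445 (10.0.1.10/445)
%ASA-6-302015: Built inbound UDP connection 4125 for DMZ:10.0.2.5/53012 (10.0.2.5/53012) to inside:10.0.1.10/53 (10.0.1.10/53)
%ASA-6-302015: Built inbound UDP connection 4126 for DMZ:10.0.2.5/123 (10.0.2.5/123) to inside:10.0.1.10/123 (10.0.1.10/123)
%ASA-6-302013: Built inbound TCP connection 4127 for DMZ:10.0.2.5/49160 (10.0.2.5/49160) to inside:10.0.1.10/135 (10.0.1.10/135)
%ASA-6-302013: Built inbound TCP connection 4128 for DMZ:10.0.2.5/49161 (10.0.2.5/49161) to inside:10.0.1.10/49155 (10.0.1.10/49155)
%ASA-6-302013: Built inbound TCP connection 4129 for DMZ:10.0.2.5/49162 (10.0.2.5/49162) to inside:10.0.1.10/445 (10.0.1.10/445)
%ASA-4-106023: Deny tcp src DMZ:10.0.2.5/49170 dst inside:10.0.1.10/88 by access-group "DMZ" [0x0, 0x0]
%ASA-6-302013: Built outbound TCP connection 4130 for inside:10.0.1.10/50001 (10.0.1.10/50001) to DMZ:10.0.2.5/445 (10.0.2.5/445)
%ASA-6-302013: Built inbound TCP connection 4131 for DMZ:10.0.2.7/49100 (10.0.2.7/49100) to inside:10.0.1.20/443 (10.0.1.20/443)
"""

# In a built-connection message the "for" side is the initiator, the "to" side the responder.
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
BUILT_RE = re.compile(
    r"%ASA-6-30201[35]: Built (?:inbound|outbound) (TCP|UDP) connection \d+ "
    rf"for (\w+):{IP}/(\d+) \([^)]*\) to (\w+):{IP}/(\d+)"
)
DENY_RE = re.compile(
    rf"%ASA-4-106023: Deny (tcp|udp) src (\w+):{IP}/(\d+) dst (\w+):{IP}/(\d+) "
    r'by access-group "([^"]+)"'
)


def parse_flows(log_text):
    """Return one dict per recognised built/denied line; other lines are skipped."""
    flows = []
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            proto, sifc, src, sport, difc, dst, dport = m.groups()
            flows.append(dict(proto=proto.lower(), src_ifc=sifc, src=src, sport=int(sport),
                              dst_ifc=difc, dst=dst, dport=int(dport), action="built"))
            continue
        m = DENY_RE.search(line)
        if m:
            proto, sifc, src, sport, difc, dst, dport, acl = m.groups()
            flows.append(dict(proto=proto, src_ifc=sifc, src=src, sport=int(sport),
                              dst_ifc=difc, dst=dst, dport=int(dport), action="denied", acl=acl))
    return flows


def summarize(flows, src, dst):
    """Count (proto, dst_port, action) for flows initiated by src towards dst.

    Return traffic (DC -> DMZ server) and other hosts are excluded on purpose, so the
    proposal covers exactly the direction the DMZ inbound ACL controls.
    """
    return Counter((f["proto"], f["dport"], f["action"])
                   for f in flows if f["src"] == src and f["dst"] == dst)


def propose_acl(summary, acl, src, dst):
    """Per-port permit lines to replace the blanket 'permit tcp/udp' rule from the thread."""
    lines = [f"access-list {acl} remark {src} -> {dst}: ports observed in ASA logs"]
    for proto, port in sorted({(p, d) for p, d, _ in summary}):
        if port >= DYNAMIC_RPC_START:
            # Ports above 49151 are picked dynamically via the RPC endpoint mapper (TCP 135),
            # so a single 'eq' line will not hold; flag it for the operator.
            lines.append(f"access-list {acl} remark port {port} is in the dynamic RPC range "
                         f"({DYNAMIC_RPC_START}-65535); pin the DC's RPC range or use 'range'")
        lines.append(f"access-list {acl} extended permit {proto} host {src} host {dst} eq {port}")
    return lines


def packet_tracer_commands(summary, flows, src, dst):
    """One packet-tracer per observed port, to confirm the tightened ACL on the ASA."""
    ifc = next((f["src_ifc"] for f in flows if f["src"] == src), "DMZ")
    return [f"packet-tracer input {ifc} {proto} {src} 1025 {dst} {port}"
            for proto, port in sorted({(p, d) for p, d, _ in summary})]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOGS)
    summary = summarize(flows, DMZ_SERVER, DC)
    for (proto, port, action), n in sorted(summary.items()):
        print(f"{proto} {port:>5} {action:7} x{n}")
    print("\n".join(propose_acl(summary, ACL_NAME, DMZ_SERVER, DC)))
    print("\n".join(packet_tracer_commands(summary, flows, DMZ_SERVER, DC)))
```

The denied Kerberos attempt (TCP 88) in the constructed sample shows why the deny messages matter as much as the built ones: a port the ACL is already blocking never shows up as a built connection, so an allow-list derived from built connections alone would still break the join. The remark about the dynamic RPC range is the catch Federico's "TCP 135" hint points at: the endpoint mapper only hands out the real RPC port, so that port has to be allowed too.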
