We have a DMZ with a couple of servers parked inside. We would like them to receive or get group policy updates. I cannot seem to get that to happen. The DC is on the inside while the server needing the update is in the DMZ. I have the ACL on the DMZ set to permit the server in question to go to the inside (source = DMZ server, destination = domain controller, service = tcp, udp).
From the DMZ I can ping the domain controller, browse to it in Explorer, and scan it with Nmap, but I cannot seem to do a GP update or add it to the domain.
What am I doing wrong?
In order to communicate from the DMZ to the Inside DC, all you need is the STATIC NAT and ACL.
Assuming x.x.x.x is the real IP of the DC:
static (in,DMZ) x.x.x.x x.x.x.x
access-list DMZ permit ip any host x.x.x.x
access-group DMZ in interface DMZ
You say that you have connectivity to the DC from the DMZ, so the above statements should be correct.
Is there an ACL applied to the inside interface of the ASA? If so, you need to make sure that it allows the desired traffic.
If it still does not work, you can do two good tests on the ASA:
access-list cap-dmz permit ip host y.y.y.y host x.x.x.x
access-list cap-dmz permit ip host x.x.x.x host y.y.y.y
capture cap-dmz access-list cap-dmz interface DMZ
access-list cap-in permit ip host y.y.y.y host x.x.x.x
access-list cap-in permit ip host x.x.x.x host y.y.y.y
capture cap-in access-list cap-in interface inside
Then capture the packets when attempting the communication, so we can see in Wireshark or another sniffer tool all the transactions between both devices. (Assuming y.y.y.y is the IP of a server on the DMZ interface.)
The other test is to use the Packet Tracer utility from ASDM or the CLI on the ASA to simulate the communication on the right ports; that will show us whether any process on the ASA is blocking the connection.
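Ping and an Nmap scan succeeding does not mean the ports a domain join and gpupdate actually use are open, so as an added example (not from this thread) here is a small script to run on the DMZ server: it probes the DC on the well-known AD ports and, for every port that is closed or cannot be probed (UDP), prints the matching packet-tracer command for the ASA test described above. The DC and DMZ addresses, the interface name DMZ and the source port 12345 are placeholders.

```python
"""Connectivity check for the ports a domain member in the DMZ must reach on the DC.
Added example, not from the thread. For each port that is closed (or UDP, which a
TCP connect cannot probe) it emits the ASA packet-tracer command the answer
suggests. DC_IP and DMZ_IP are placeholders for x.x.x.x and y.y.y.y."""
import socket

# (port, protocol, what a domain join / gpupdate needs it for)
AD_PORTS = [
    (53, "udp", "DNS SRV lookup for the DC"),
    (88, "tcp", "Kerberos"),
    (135, "tcp", "RPC endpoint mapper"),
    (389, "tcp", "LDAP"),
    (389, "udp", "CLDAP / DC locator ping"),
    (445, "tcp", "SMB: SYSVOL share holding the GPO files"),
    (464, "tcp", "Kerberos password change"),
    (3268, "tcp", "Global catalog"),
]
# RPC also needs the dynamic TCP range (49152-65535 on Server 2008+); permit it as a range.

def tcp_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def packet_tracer_cmd(src_ifc, src_ip, dst_ip, proto, port):
    """ASA CLI: packet-tracer input <ifc> <proto> <src_ip> <src_port> <dst_ip> <dst_port>."""
    return f"packet-tracer input {src_ifc} {proto} {src_ip} 12345 {dst_ip} {port}"

def check_dc(dc_ip, dmz_ip, src_ifc="DMZ", probe=tcp_open):
    """Probe each TCP port (UDP is marked untested). Every non-open entry carries
    the packet-tracer command that simulates exactly that flow on the ASA."""
    results = []
    for port, proto, purpose in AD_PORTS:
        status = ("open" if probe(dc_ip, port) else "closed") if proto == "tcp" else "untested"
        entry = {"port": port, "proto": proto, "purpose": purpose, "status": status}
        if status != "open":
            entry["packet_tracer"] = packet_tracer_cmd(src_ifc, dmz_ip, dc_ip, proto, port)
        results.append(entry)
    return results

if __name__ == "__main__":
    DC_IP, DMZ_IP = "192.0.2.10", "198.51.100.20"  # placeholders (documentation ranges)
    for r in check_dc(DC_IP, DMZ_IP):
        print(f"{r['proto']}/{r['port']:<5} {r['status']:<8} {r['purpose']}")
        if "packet_tracer" in r:
            print("    " + r["packet_tracer"])
```

A port reported closed here but allowed by the DMZ ACL points at the inside-interface ACL, the static NAT or the DC's own firewall, which is exactly what the packet-tracer output will tell apart.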