Communicating with an inside DC from DMZ

oneirishpollack
Level 1

We have a DMZ with a couple servers parked inside. We would like them to receive or get group policy updates. I cannot seem to get that to happen. The DC is on the inside while the server needing the update is in the DMZ. I have the ACL on the DMZ set to permit the server in question to go to the inside (source = dmz server, destination = domain controller, service = tcp, udp).

From the DMZ I can ping the domain controller, browse to it in Explorer, and scan it with Nmap, but I cannot seem to do a GP update or add it to the domain.

What am I doing wrong?

Thanks.

Accepted Solution

Hi,

In order to communicate from the DMZ to the Inside DC, all you need is the STATIC NAT and ACL.

Assuming x.x.x.x is the real IP of the DC:

static (in,DMZ) x.x.x.x x.x.x.x
access-list DMZ permit ip any host x.x.x.x
access-group DMZ in interface DMZ

You say that you have connectivity to the DC from the DMZ, so the above statements should be correct.

Is there an ACL applied to the inside interface of the ASA? If so, you need to make sure that it allows the desired traffic.

If it still does not work, you can do two good tests on the ASA:

access-list cap-dmz permit ip host y.y.y.y host x.x.x.x
access-list cap-dmz permit ip host x.x.x.x host y.y.y.y
capture cap-dmz access-list cap-dmz in interface DMZ

access-list cap-in permit ip host y.y.y.y host x.x.x.x
access-list cap-in permit ip host x.x.x.x host y.y.y.y
capture cap-in access-list cap-in in interface inside

Then capture the packets while attempting the communication, so we can see in Wireshark or another sniffer tool exactly all the transactions between both devices (assuming y.y.y.y is the IP of a server on the DMZ interface).

The other test is to use the Packet Tracer utility from ASDM or CLI on the ASA to simulate the communication on the right ports and that will show us if any process on the ASA is blocking the connection.

Federico.


3 Replies


I did not have the NAT translation.

Right now I have a permit for all TCP/UDP traffic from the DMZ server to the DC. I know I need to tighten this down. For GP access, what services need to be permitted?

I mean, it is crazy to have all TCP/UDP open for a machine in the DMZ to the DC, right?

I'm not 100% sure about the port; I believe it is TCP 135.

Anyway, if you enable logs on the firewall, you can see the transactions between the servers and it will show the port in use. In this way you can restrict the ACL, because you're correct: it is not a good idea having all TCP/UDP open.

Federico.
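An added example, not code from the thread or from Federico: a Python script that does the "read the firewall logs, then tighten the ACL" step above. It parses ASA "Built ... connection" syslog lines (the ones below are constructed for the example; the real ones come from the logging Federico mentions), keeps only flows from the DMZ server to the DC, labels each destination port against the ports Microsoft documents for domain membership and Group Policy, collapses the Windows dynamic RPC range into a single range ACE, and emits the tightened ASA ACL while setting aside anything that is not an AD port for review. The port table, the stand-in addresses 10.10.10.5 (for y.y.y.y) and 192.168.1.10 (for x.x.x.x), the ACL name, and all function names are assumptions of this example, not from the original post.

```python
"""Derive a tightened DMZ->DC ASA ACL from 'Built connection' syslog lines.

Example added to the thread, not from the original post. Log lines are
constructed; 10.10.10.5 / 192.168.1.10 stand in for y.y.y.y / x.x.x.x.
"""
import re
from collections import Counter

# Ports a domain member needs toward a DC. Assumed from Microsoft's documented
# AD/Group Policy requirements, not from the thread; verify against your DC
# build. GP itself is LDAP (to list the GPOs) plus SMB to SYSVOL (to read them).
AD_SERVICES = {
    ("tcp", 53): "DNS", ("udp", 53): "DNS",
    ("tcp", 88): "Kerberos", ("udp", 88): "Kerberos",
    ("udp", 123): "NTP (Kerberos clock skew)",
    ("tcp", 135): "RPC endpoint mapper",
    ("tcp", 389): "LDAP", ("udp", 389): "CLDAP (DC locator)",
    ("tcp", 445): "SMB (SYSVOL/NETLOGON for GPO files)",
    ("tcp", 464): "Kerberos password change", ("udp", 464): "Kerberos password change",
    ("tcp", 636): "LDAPS",
    ("tcp", 3268): "Global Catalog", ("tcp", 3269): "Global Catalog over SSL",
}
# Dynamic RPC ports on Windows Server 2008 and later; one 'range' ACE covers them.
RPC_DYNAMIC = (49152, 65535)

# Constructed %ASA-6-302013 / 302015 lines: seven DMZ->DC flows (one of them RDP,
# which is not an AD service) and one inside->DMZ flow that must be ignored.
SAMPLE_LOGS = """\
%ASA-6-302013: Built inbound TCP connection 40001 for DMZ:10.10.10.5/49321 (10.10.10.5/49321) to inside:192.168.1.10/389 (192.168.1.10/389)
%ASA-6-302013: Built inbound TCP connection 40002 for DMZ:10.10.10.5/49322 (10.10.10.5/49322) to inside:192.168.1.10/445 (192.168.1.10/445)
%ASA-6-302015: Built inbound UDP connection 40003 for DMZ:10.10.10.5/51234 (10.10.10.5/51234) to inside:192.168.1.10/53 (192.168.1.10/53)
%ASA-6-302013: Built inbound TCP connection 40004 for DMZ:10.10.10.5/49323 (10.10.10.5/49323) to inside:192.168.1.10/88 (192.168.1.10/88)
%ASA-6-302013: Built inbound TCP connection 40005 for DMZ:10.10.10.5/49324 (10.10.10.5/49324) to inside:192.168.1.10/135 (192.168.1.10/135)
%ASA-6-302013: Built inbound TCP connection 40006 for DMZ:10.10.10.5/49325 (10.10.10.5/49325) to inside:192.168.1.10/49670 (192.168.1.10/49670)
%ASA-6-302013: Built inbound TCP connection 40007 for DMZ:10.10.10.5/49326 (10.10.10.5/49326) to inside:192.168.1.10/3389 (192.168.1.10/3389)
%ASA-6-302013: Built outbound TCP connection 40008 for inside:192.168.1.10/50000 (192.168.1.10/50000) to DMZ:10.10.10.5/80 (10.10.10.5/80)
"""

CONN_RE = re.compile(
    r"%ASA-\d-30201[35]: Built (?:inbound|outbound) (?P<proto>TCP|UDP) connection \d+ "
    r"for (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_connections(text):
    """One dict per 'Built ... connection' line; other syslog IDs are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            d = m.groupdict()
            conns.append({"proto": d["proto"].lower(), "src": d["src"],
                          "dst": d["dst"], "dport": int(d["dport"])})
    return conns


def observed_services(conns, src, dst):
    """Count (proto, dport) pairs for flows from src to dst only."""
    return Counter((c["proto"], c["dport"]) for c in conns
                   if c["src"] == src and c["dst"] == dst)


def classify(proto, port):
    """Label an AD/GP port, or return None for a port that needs human review."""
    if (proto, port) in AD_SERVICES:
        return AD_SERVICES[(proto, port)]
    if proto == "tcp" and RPC_DYNAMIC[0] <= port <= RPC_DYNAMIC[1]:
        return "RPC dynamic range"
    return None


def build_acl(services, name, src, dst):
    """Return (ASA ACEs for the recognised services, unrecognised (proto, port) list).

    Dynamic RPC ports collapse into one 'range' ACE; the ASA's implicit deny
    at the end of the applied ACL drops everything else.
    """
    aces, unknown, rpc_done = [], [], False
    for proto, port in sorted(services):
        label = classify(proto, port)
        if label is None:
            unknown.append((proto, port))
        elif label == "RPC dynamic range":
            if not rpc_done:
                aces.append(f"access-list {name} extended permit tcp host {src} host {dst} "
                            f"range {RPC_DYNAMIC[0]} {RPC_DYNAMIC[1]}")
                rpc_done = True
        else:
            aces.append(f"access-list {name} extended permit {proto} host {src} host {dst} eq {port}")
    return aces, unknown


if __name__ == "__main__":
    flows = observed_services(parse_connections(SAMPLE_LOGS), "10.10.10.5", "192.168.1.10")
    aces, unknown = build_acl(flows, "DMZ", "10.10.10.5", "192.168.1.10")
    print("\n".join(aces))
    for proto, port in unknown:
        print(f"! review: {proto}/{port} seen {flows[(proto, port)]}x, not an AD/GP port")
```

The emitted ACEs are what replaces `permit ip any host x.x.x.x` on the DMZ interface. Two caveats: once an ACL is applied with `access-group`, the implicit deny at its end also drops any other traffic the DMZ segment legitimately originates, so those rules still have to be present; and a single log sample only shows the ports exercised during that window, so run the join and a `gpupdate /force` while logging before trusting the list, and keep UDP 53 toward the DC (or toward whatever inside DNS server holds the domain's SRV records), because the DC locator runs before anything else.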
