03-31-2010 10:37 AM - edited 03-11-2019 10:27 AM
We have a DMZ with a couple of servers parked inside. We would like them to receive or get group policy updates. I cannot seem to get that to happen. The DC is on the inside while the server needing the update is in the DMZ. I have the ACL on the DMZ set to permit the server in question to go to the inside (source = DMZ server, destination = domain controller, service = tcp, udp).
From the DMZ I can ping the domain controller, browse to it in Explorer, and scan it with Nmap, but I cannot seem to do a GP update or add it to the domain.
What am I doing wrong?
Thanks.
03-31-2010 11:02 AM
Hi,
In order to communicate from the DMZ to the Inside DC, all you need is the STATIC NAT and ACL.
Assuming x.x.x.x is the real IP of the DC:
static (in,DMZ) x.x.x.x x.x.x.x
access-list DMZ permit ip any host x.x.x.x
access-group DMZ in interface DMZ
You say that you have connectivity to the DC from the DMZ, so the above statements should be correct.
Is there an ACL applied to the inside interface of the ASA? If so, you need to make sure that it allows the desired traffic.
If it still does not work, you can do two good tests on the ASA:
access-list cap-dmz permit ip host y.y.y.y host x.x.x.x
access-list cap-dmz permit ip host x.x.x.x host y.y.y.y
capture cap-dmz access-list cap-dmz in interface DMZ
access-list cap-in permit ip host y.y.y.y host x.x.x.x
access-list cap-in permit ip host x.x.x.x host y.y.y.y
capture cap-in access-list cap-in in interface inside
Then capture the packets when attempting the communication, so we can see from Wireshark or a sniffer tool exactly all the transactions between both devices. (Assuming y.y.y.y is the IP of a server on the DMZ interface)
The other test is to use the Packet Tracer utility from ASDM or CLI on the ASA to simulate the communication on the right ports and that will show us if any process on the ASA is blocking the connection.
Federico.
04-01-2010 05:31 AM
I did not have the NAT translation.
Right now I have a permit for all TCP/UDP traffic from the DMZ server to the DC. I know I need to tighten this down. For GP access, what services need to be permitted?
I mean it is crazy to have all TCP/UDP open for a machine in the DMZ to the DC right?
04-01-2010 09:07 AM
I'm not 100% sure about the port; I believe it is TCP 135.
Anyway, if you enable logs on the firewall, you can see the transactions between the servers and it will show the ports in use. In this way you can restrict the ACL, because you're correct: it is not a good idea to have all TCP/UDP open.
Federico.
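The thread leaves two things open: the exact "tighten it down" ACL asked for above, and the port-specific packet-tracer check Federico suggests in the first answer. The following ASA fragment is an added example, not configuration from the original posters. It assumes constructed addresses (DC 10.0.0.5 on the inside, member server 192.0.2.10 and a TFTP host 192.0.2.50 on the DMZ), an inside interface named inside (the thread uses both in and inside; use whatever show nameif reports), and pre-8.3 NAT syntax to match the static (in,DMZ) form used in the answer. The port list is the set a domain member needs for domain join and Group Policy processing (DNS, Kerberos, LDAP, SMB for SYSVOL, RPC endpoint mapper plus the dynamic RPC range), not just TCP 135.

```cisco
! ---- Assumed addressing (constructed for this example, not taken from the thread) ----
!   domain controller, inside interface:  10.0.0.5
!   member server, DMZ interface:         192.0.2.10
!   TFTP host for capture export, DMZ:    192.0.2.50
!   interface names assumed: inside, DMZ  (must match "show nameif")

! 1. Identity NAT so the DMZ host reaches the DC by its real address
!    (the piece the original poster reported missing).
static (inside,DMZ) 10.0.0.5 10.0.0.5 netmask 255.255.255.255

! 2. Ports a domain member needs for join and Group Policy processing.
!    TCP 135 is only the RPC endpoint mapper; the RPC call itself lands on a
!    dynamic port: 49152-65535 on Server 2008 and later, 1025-5000 on Server 2003.
!    Narrow that range on the DC side if the DC version allows it.
object-group service AD-MEMBER-TCP tcp
 port-object eq 53
 port-object eq 88
 port-object eq 135
 port-object eq 389
 port-object eq 445
 port-object eq 464
 port-object eq 636
 port-object eq 3268
 port-object eq 3269
 port-object range 49152 65535
object-group service AD-MEMBER-UDP udp
 port-object eq 53
 port-object eq 88
 port-object eq 123
 port-object eq 389
 port-object eq 464

! 3. Replace the "permit tcp/udp any port" entry with host-to-host, port-scoped ACEs.
!    Remove the old broad line first so it is not matched ahead of these.
access-list DMZ remark -- member server to DC: join, Kerberos, LDAP, SYSVOL (GPO), RPC --
access-list DMZ extended permit tcp host 192.0.2.10 host 10.0.0.5 object-group AD-MEMBER-TCP
access-list DMZ extended permit udp host 192.0.2.10 host 10.0.0.5 object-group AD-MEMBER-UDP
access-list DMZ extended permit icmp host 192.0.2.10 host 10.0.0.5 echo
! anything else from the DMZ hits the implicit deny at the end of the ACL
access-group DMZ in interface DMZ

! 4. Verify with packet-tracer on the real ports before testing from the server.
!    The source port is arbitrary; the ASA only needs a valid one.
!    SMB to SYSVOL (GPO files):
packet-tracer input DMZ tcp 192.0.2.10 40000 10.0.0.5 445
!    Kerberos:
packet-tracer input DMZ udp 192.0.2.10 40000 10.0.0.5 88
!    LDAP:
packet-tracer input DMZ tcp 192.0.2.10 40000 10.0.0.5 389
!    RDP, which the tightened ACL should now reject:
packet-tracer input DMZ tcp 192.0.2.10 40000 10.0.0.5 3389

! 5. If a flow still fails, capture it on both interfaces and pull the pcap off the box.
access-list cap-dmz extended permit ip host 192.0.2.10 host 10.0.0.5
access-list cap-dmz extended permit ip host 10.0.0.5 host 192.0.2.10
capture cap-dmz access-list cap-dmz interface DMZ
capture cap-in access-list cap-dmz interface inside
show capture cap-dmz
copy /pcap capture:cap-dmz tftp://192.0.2.50/cap-dmz.pcap
```

The first three packet-tracer runs should finish with Action: allow; the RDP run should end in a drop attributed to the access list (acl-drop), which is the quickest confirmation that the catch-all rule is really gone. Two caveats a practitioner would add: the ASA does not inspect the RPC payload to learn the dynamic port, so the range in the TCP object group has to be open statically (or pinned to a fixed port on the DC); and even with this narrowed ACL, a DMZ host that is a domain member holds a machine account and can talk LDAP, Kerberos and SMB to a writable DC, so a compromise of that host is a direct path into the internal domain. Where that risk is unacceptable, the usual mitigations are a read-only domain controller in the DMZ or a separate forest for DMZ hosts.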