We are running an ASA 5510 w/ 8.0(3) code that is isolating vendor systems from our network. We have an enterprise AD structure and the vendor has an internal AD structure for their system. Their systems exist on our network in a non-routed VLAN and the ASA has an interface inside that VLAN for traffic. If I disable the ASA interface, all connectivity within the VLAN functions normally (and I stress within the VLAN). If I enable the interface, the devices can no longer authenticate nor map network shares within the VLAN. A packet capture finds master browser elections that no one answers while the interface is enabled, but the AD server answers when the interface is off. I have tried denying all traffic across the interface and even allowing all traffic. NETBIOS inspect and DNS inspect are turned on in the default inspect policy. Yes, the "allow traffic between hosts on the same interface" option is enabled as well. All the devices are physically connected to the same switch and exist in the same VLAN. Please forgive the lack of logs at this moment; I can't access them from home but will add them in another post tomorrow. Any guidance or suggestions on what to look for are appreciated.
First, regarding AD, I have had more than my share of this lately with my clients ;)
Please explain more about the relationship with the AD connections?
Are your servers multi-homed in their DMZ with dual-nics?
Could there be a simple IP conflict between the ASA (include NATs, as ARP plays into this) and their servers? How have you checked this? Look at arp -a on the servers... make sure you don't have ARP entries for servers coming back to the ASA's MAC address...
Have you set up a trust between your servers? One-way? Two-way?
What does eventvwr show? What error messages?
Please give us these answers and we can continue helping you solve this.
Would you be open to me coming in with you on webex and helping you solve this?
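The ARP check suggested above can be scripted rather than eyeballed. This is an added example, not code from the thread: it parses the Windows `arp -a` output collected from a vendor host and flags any server IP whose entry resolves to the ASA's MAC (the symptom of the ASA proxy-ARPing for a NAT or overlapping address). The ASA MAC, host list and ARP table below are constructed sample values.

```python
import re

# Constructed placeholder for the MAC of the ASA interface inside the vendor VLAN.
ASA_MAC = "00-1a-2b-3c-4d-5e"
ASA_IPS = {"10.1.1.1"}  # constructed: the ASA's own address(es) in that VLAN

# Constructed sample of `arp -a` as captured on a vendor workstation.
# 10.1.1.10 (the vendor DC) wrongly resolves to the ASA's MAC.
SAMPLE_ARP = """\
Interface: 10.1.1.20 --- 0xb
  Internet Address      Physical Address      Type
  10.1.1.1              00-1a-2b-3c-4d-5e     dynamic
  10.1.1.10             00-1a-2b-3c-4d-5e     dynamic
  10.1.1.11             00-11-22-33-44-55     dynamic
  10.1.1.255            ff-ff-ff-ff-ff-ff     static
"""

# One ARP entry: IPv4 address, dash-separated MAC, entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE,
)


def parse_arp(text):
    """Map IP -> lowercase MAC for every entry line in Windows `arp -a` output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ip, mac, _kind = m.groups()
            entries[ip] = mac.lower()
    return entries


def find_hijacked(entries, asa_mac, asa_ips):
    """Return non-ASA IPs whose ARP entry points at the ASA's MAC.

    Any hit means hosts in the VLAN are sending that server's traffic to the
    firewall instead of the server, which matches the 'works with the
    interface down, breaks with it up' behaviour described in the thread.
    """
    asa_mac = asa_mac.lower()
    return sorted(ip for ip, mac in entries.items()
                  if mac == asa_mac and ip not in asa_ips)


if __name__ == "__main__":
    for ip in find_hijacked(parse_arp(SAMPLE_ARP), ASA_MAC, ASA_IPS):
        print(f"{ip} resolves to the ASA MAC; check NAT/proxy-ARP for it")
```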
The two ADs mentioned are completely separate, no trusts, no DMZ, no nothing. Their AD is in place to authenticate their workstations to their DB server. Another system within their setup sends data to two specific systems on the private side of our network. I haven't looked at the ARPs on their server but I can and will. We assigned the IP range for their systems and we check for duplicates before assigning them, but who knows.
The vendor server (and workstations) event logs show very generic and non-descript error messages relating to SMB errors.
Sadly, the powers that be in my workplace do not allow Webex unless it is written in as support on a contract :(