Cisco Support Community

New Member

Cisco ASA stopping PC from joining domain?


I have a Windows NT domain controller and a Windows NT PC. I want to join the PC to the domain (with a Cisco ASA 5512-X in between).

Both the domain controller and the NT PC are connected directly to the firewall and are on the same security level too (it's set up for offline testing at the minute), and communication between interfaces on the same security level is enabled.

I can ping from the domain controller to the NT PC successfully and vice versa. However, when I try to join the NT PC to the domain, it won't let me; it keeps saying 'the domain controller for this domain cannot be located'.


If I bypass the firewall, the domain can be joined no problem.


I don't have any ACL created, as both PCs are on the same side of the firewall and on the same security level.

Hope I have made myself understood



What is the DNS situation?  I don't recall about NT4, but recent windows clients want to find forest domain controllers by querying DNS for SRV records.  If the client is on-link, it might fall back to link-local multicast DNS, but that AVAHI stuff won't typically cross a routed firewall interface.  The server needs to have registered itself with its DNS server to create the SRV records, the client needs to have a default gateway and DNS server, and it helps if the client's subnet is assigned to a site in active directory sites & services.  E.g.


   > set querytype=SRV
   > _kerberos._tcp.YOUR.DOMAIN.HERE



Plus the firewall needs to permit a lot of UDP and TCP ports to communicate between the client and server, including ports like 88, 135-139, 384, 445, 464, 636, 3268 etc.  If you have no access-groups applied to the interfaces, you may need one or both of:

    same-security-traffic permit inter-interface

    same-security-traffic permit intra-interface

Personally, I recommend at least ingress ACLs on all interfaces, ignoring the security levels.


-- Jim Leinweber, WI State Lab of Hygiene
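The two fixes Jim describes, as an added ASA configuration example that is not from this thread or from Cisco: the `same-security-traffic` line that lets traffic cross two interfaces at the same security level, followed by an explicit ingress ACL on the client-side interface that permits only the services a domain member needs to reach its domain controller. Interface names, addresses, object and ACL names are assumed; the port list combines the ports named above with DNS (53), LDAP (389) and the RPC dynamic range used by newer Windows servers. One caveat for the NT4 case in the question: an NT4 client locates its domain controller over NetBIOS (UDP 137/138, TCP 139) via WINS or broadcast, and broadcasts do not cross a routed ASA interface, so the client must be configured with the WINS server address for the join to work through the firewall.

```cisco
! Added example: assumed interface names, addresses and ACL names.
interface GigabitEthernet0/1
 nameif dc
 security-level 50
 ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif clients
 security-level 50
 ip address 10.0.2.1 255.255.255.0
!
! Without this line, traffic between two interfaces at the same security
! level is dropped even when no access-group is applied.
same-security-traffic permit inter-interface
!
! Explicit ingress policy on the client side, independent of security levels.
! Assumed: the DC at 10.0.1.10 also runs DNS and WINS, as in the follow-up.
object network DC01
 host 10.0.1.10
object network CLIENT_NET
 subnet 10.0.2.0 255.255.255.0
object-group service AD-DOMAIN-SERVICES
 service-object udp destination eq 53
 service-object tcp destination eq 53
 service-object udp destination eq 88
 service-object tcp destination eq 88
 service-object tcp destination eq 135
 service-object udp destination eq 137
 service-object udp destination eq 138
 service-object tcp destination eq 139
 service-object udp destination eq 389
 service-object tcp destination eq 389
 service-object tcp destination eq 445
 service-object udp destination eq 464
 service-object tcp destination eq 464
 service-object tcp destination eq 636
 service-object tcp destination eq 3268
 service-object tcp destination range 49152 65535
access-list CLIENTS_IN remark clients -> DC: domain join, logon, DNS, WINS
access-list CLIENTS_IN extended permit object-group AD-DOMAIN-SERVICES object CLIENT_NET object DC01
access-list CLIENTS_IN extended permit icmp object CLIENT_NET object DC01 echo
access-list CLIENTS_IN extended deny ip any any log
access-group CLIENTS_IN in interface clients
```

After applying it, `show access-list CLIENTS_IN` shows per-line hit counts, and the logged deny at the end of the ACL makes any port the join still needs visible in `show logging`. `packet-tracer input clients tcp 10.0.2.20 1025 10.0.1.10 445` walks a simulated SMB packet from the client through the ASA and reports which phase (ACL, NAT, routing) drops it, which is a quicker way to find a missing rule than retrying the join.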

New Member

Thanks for your reply, Jim.


The domain controller is acting as DNS server and WINS server as well.

I will try to permit the ports you mentioned above and see if that'll make any difference.