Cisco Support Community

Communicating with an inside DC from DMZ

We have a DMZ with a couple servers parked inside. We would like them to receive or get group policy updates. I cannot seem to get that to happen. The DC is on the inside while the server needing the update is in the DMZ. I have the ACL on the DMZ set to permit the server in question to go to the inside (source = dmz server, destination = domain controller, service = tcp, udp).

From the DMZ I can ping the domain controller, browse to it in Explorer, and scan it with nmap, but I cannot seem to do a GP update or add it to the domain.

What am I doing wrong?

Thanks.

Accepted solution

Re: Communicating with an inside DC from DMZ

Hi,

In order to communicate from the DMZ to the Inside DC, all you need is the STATIC NAT and ACL.

Assuming x.x.x.x is the real IP of the DC:

static (inside,DMZ) x.x.x.x x.x.x.x
access-list DMZ permit ip any host x.x.x.x
access-group DMZ in interface DMZ

You say that you have connectivity to the DC from the DMZ, so the above statements should be correct.

Is there an ACL applied to the inside interface of the ASA? If so, you need to make sure that it allows the desired traffic.

If it still does not work you can do two good tests on the ASA:

access-list cap-dmz permit ip host y.y.y.y host x.x.x.x
access-list cap-dmz permit ip host x.x.x.x host y.y.y.y
capture cap-dmz access-list cap-dmz in interface DMZ

access-list cap-in permit ip host y.y.y.y host x.x.x.x
access-list cap-in permit ip host x.x.x.x host y.y.y.y
capture cap-in access-list cap-in in interface inside

Then capture the packets when attempting the communication, so we can see from Wireshark or a sniffer tool exactly all the transactions between both devices. (Assuming y.y.y.y is the IP of a server on the DMZ interface)

The other test is to use the Packet Tracer utility from ASDM or CLI on the ASA to simulate the communication on the right ports and that will show us if any process on the ASA is blocking the connection.

Federico.

3 REPLIES

Re: Communicating with an inside DC from DMZ

I did not have the NAT translation.

Right now I have a permit for all TCP/UDP traffic from the DMZ server to the DC. I know I need to tighten this down. For GP access, what services need to be permitted?

I mean it is crazy to have all TCP/UDP open for a machine in the DMZ to the DC, right?

Re: Communicating with an inside DC from DMZ

I'm not 100% sure about the port, I believe it is TCP 135.

Anyway, if you enable logs on the firewall, you can see the transactions between the servers and it will show the port in use. In this way you can restrict the ACL because you're correct, it is not a good idea to have TCP/UDP open.

Federico.
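
The approach in the reply above (enable logging, read the ports actually in use, then replace the blanket TCP/UDP permit with explicit entries) can be scripted. This is an added example, not code from the thread or from Cisco: it parses ASA syslog 302013/302015 "Built ... connection" messages for the DMZ server to DC flows and renders one permit line per observed port. The sample log lines, the addresses 10.1.1.5 and 192.168.1.10, the connection ids and the ACL name DMZ are all constructed assumptions.

```python
import re
from collections import defaultdict

# ASA 302013 (TCP) / 302015 (UDP) "Built ... connection" messages. The ASA logs
# DMZ -> inside flows as "inbound" because the DMZ has the lower security level.
CONN_RE = re.compile(
    r"%ASA-\d-30201[35]: Built (?:inbound|outbound) (TCP|UDP) connection \d+ "
    r"for \w+:([\d.]+)/\d+ \([\d.]+/\d+\) to \w+:([\d.]+)/(\d+)"
)

# Constructed sample syslog lines, not real captured output. Assumed addresses:
# 10.1.1.5 is the DMZ server, 192.168.1.10 the inside domain controller.
SAMPLE_LOG = [
    "%ASA-6-302013: Built inbound TCP connection 1001 for DMZ:10.1.1.5/49152 (10.1.1.5/49152) to inside:192.168.1.10/389 (192.168.1.10/389)",
    "%ASA-6-302015: Built inbound UDP connection 1002 for DMZ:10.1.1.5/50010 (10.1.1.5/50010) to inside:192.168.1.10/53 (192.168.1.10/53)",
    "%ASA-6-302013: Built inbound TCP connection 1003 for DMZ:10.1.1.5/49153 (10.1.1.5/49153) to inside:192.168.1.10/445 (192.168.1.10/445)",
    "%ASA-6-302013: Built inbound TCP connection 1004 for DMZ:10.1.1.5/49154 (10.1.1.5/49154) to inside:192.168.1.10/135 (192.168.1.10/135)",
    "%ASA-6-302015: Built inbound UDP connection 1005 for DMZ:10.1.1.5/50011 (10.1.1.5/50011) to inside:192.168.1.10/88 (192.168.1.10/88)",
    "%ASA-6-302013: Built inbound TCP connection 1006 for DMZ:10.1.1.5/49155 (10.1.1.5/49155) to inside:192.168.1.10/389 (192.168.1.10/389)",
    "%ASA-6-302014: Teardown TCP connection 1001 for DMZ:10.1.1.5/49152 to inside:192.168.1.10/389 duration 0:00:01 bytes 2048 TCP FINs",
    "%ASA-6-302013: Built outbound TCP connection 1007 for inside:192.168.1.20/51000 (192.168.1.20/51000) to DMZ:10.1.1.5/443 (10.1.1.5/443)",
]

def ports_used(log_lines, src_ip, dst_ip):
    """Return {proto: sorted destination ports} for flows from src_ip to dst_ip."""
    found = defaultdict(set)
    for line in log_lines:
        m = CONN_RE.search(line)
        if m is None:
            continue  # teardown, deny and other message types are skipped
        proto, s_ip, d_ip, d_port = m.groups()
        if s_ip == src_ip and d_ip == dst_ip:
            found[proto.lower()].add(int(d_port))
    return {proto: sorted(ports) for proto, ports in found.items()}

def acl_lines(acl_name, src_ip, dst_ip, ports_by_proto):
    """Render one explicit permit per observed port to replace a blanket
    'permit tcp/udp' entry. Caveat: RPC services negotiate dynamic high ports
    after the TCP 135 endpoint-mapper call, so review a long log window."""
    return [
        f"access-list {acl_name} extended permit {proto} host {src_ip} host {dst_ip} eq {port}"
        for proto in ("tcp", "udp")
        for port in ports_by_proto.get(proto, [])
    ]

if __name__ == "__main__":
    seen = ports_used(SAMPLE_LOG, "10.1.1.5", "192.168.1.10")
    print("\n".join(acl_lines("DMZ", "10.1.1.5", "192.168.1.10", seen)))
```

Point it at a syslog export from a window that covers a full group policy refresh and a domain join so the dynamic RPC ports appear, then replace the blanket permit with the rendered lines.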
