Cisco Support Community
Community Member

Domain Authentication through an ASA

Hello.

Basically this is my setup.

DMZ - 10.10.xxx.xxx

Private - 192.168.xx.xxx

Outside - 66.38.xxx.xxx

I have my new domain controller on the Private network where I house my database servers. I am trying to get my webservers in the DMZ to authenticate through my ASA 5520 to the new domain controller on the Private side. I have tried a few things but haven't had any luck. Does anyone know an easy way of explaining this configuration on the firewall, or have a document that could help me out?

Thanks,

Chris

7 REPLIES
Community Member

Re: Domain Authentication through an ASA

Hi,

What are the security levels of the DMZ and Private interfaces? Do you have any ACLs on these interfaces, inbound or outbound? What protocol/port does the webserver use to authenticate to the DC?

Re: Domain Authentication through an ASA

Chris, if I understand correctly, the DC is on the inside and the webserver is in the DMZ. What does your access list look like? Can you post it? You may need to open up some TCP and UDP ports: create a service object group with these ports (TCP/UDP 445, 88, 389, 53). You may also need the NetBIOS ports for file directory access.

Refer to these links for the ports required. You may also look up the specific ports in the Microsoft knowledge base.

http://www.jarmanator.net/kb/server2k3fwports.htm

http://technet2.microsoft.com/windowsserver/WSS/en/library/5b000a77-471a-400d-b446-aa68a9526f3e1033.mspx?mfr=true

This example is for just the DNS TCP port.

Assume DC IP: 192.168.1.20

DMZ host IP: 10.10.10.1

! Identity static so the DC keeps its real address when reached from the DMZ;
! the ACL below must reference the address the DC has on the DMZ side.
static (inside,DMZ) 192.168.1.20 192.168.1.20 netmask 255.255.255.255

access-list DMZ_access_in permit tcp host 10.10.10.1 host 192.168.1.20 eq 53

access-group DMZ_access_in in interface DMZ

Apply the same principle when you create the TCP/UDP service object group.

HTH

Jorge

Community Member

Re: Domain Authentication through an ASA

Hi Jorge,

Thanks for the response. I have attached a copy of my current ACLs loaded on the device. Your post has already given me a great deal to work with, but hopefully you can take a look and determine a bit more of what I need for this setup.

Thanks

Chris

Community Member

Re: Domain Authentication through an ASA

Forgot to add these lines to my configuration doc.

access-group OUT66 in interface Outside66

access-group DMZ in interface DMZ

Community Member

Re: Domain Authentication through an ASA

After doing some research and looking into a few things, I assume that this is what I need to add.

access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 53

static (Inside,DMZ) 10.10.xxx.xxx 192.168.x.xxx netmask 255.255.255.255

Following the same format, I will add more ACL entries for the other protocols used by Active Directory to allow my host(s) to access the Domain Controller on the Inside.

Does that config look as though it will work? I am having some major issues with this configuration because we do not have a test environment and I can't afford any downtime on my firewall. My deadline for testing is coming up soon, so any review/comments would be appreciated.

Thanks in advance,

Chris

Community Member

Re: Domain Authentication through an ASA

I am adding my configuration and testing this Monday. I have come up with this so far:

access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 53

access-list DMZ permit udp host 10.10.xxx.xxx host 192.168.x.xxx eq 53

access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 445

access-list DMZ permit udp host 10.10.xxx.xxx host 192.168.x.xxx eq 445

access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 389

access-list DMZ permit udp host 10.10.xxx.xxx host 192.168.x.xxx eq 389

access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 88

access-list DMZ permit udp host 10.10.xxx.xxx host 192.168.x.xxx eq 88

access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 636

access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 1025

access-list DMZ permit tcp host 10.10.xxx.xxx host 192.168.x.xxx eq 3268

static (Inside,DMZ) 10.10.xxx.xxx 192.168.x.xxx netmask 255.255.255.255

As I mentioned, I have to add this configuration and test it in my LIVE environment on Monday. If anyone could review my initial ACL configuration from the document I posted and assess my new additions to tell me if this will work as planned, I would appreciate it.

Thanks,

Chris
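As an added example (not part of this thread and not a Cisco tool), here is a small Python script that reads pre-8.3 ASA static, access-list and access-group lines as plain text and flags the two things worth checking before a live change: exact-duplicate ACEs, and an ACE whose destination is the DC's real inside address while the static presents the DC on the DMZ under a different address (or under the DMZ host's own address). It assumes the pre-8.3 rule that an interface ACL is matched against translated addresses; the regexes and the audit() function are my own.

```python
import re

# Added example (not from the thread or from Cisco): a text-only consistency
# check for the pre-8.3 ASA syntax posted above.
#   static (real_ifc,mapped_ifc) mapped_ip real_ip netmask MASK
#   access-list NAME permit tcp|udp host SRC host DST eq PORT
#   access-group NAME in interface IFC
STATIC_RE = re.compile(r"^static\s*\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+\S+$", re.I)
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+(tcp|udp)\s+host\s+(\S+)\s+host\s+(\S+)\s+eq\s+(\d+)$", re.I)
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\w+)$", re.I)


def audit(lines):
    """Return (findings, cleaned): problems found, and the config lines
    with exact-duplicate ACEs dropped."""
    statics, aces, groups, seen, cleaned, findings = [], [], {}, set(), [], []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := STATIC_RE.match(line):
            statics.append(tuple(x.lower() for x in m.groups()))
        elif m := ACE_RE.match(line):
            key = tuple(x.lower() for x in m.groups())
            if key in seen:
                findings.append(f"duplicate ACE dropped: {line}")
                continue
            seen.add(key)
            aces.append(key)
        elif m := GROUP_RE.match(line):
            groups[m.group(1).lower()] = m.group(2).lower()
        cleaned.append(line)
    for name in sorted({a[0] for a in aces} - set(groups)):
        findings.append(f"ACL {name} is never applied with access-group")
    # Before 8.3 an interface ACL is matched against the translated (mapped)
    # address as seen on that interface, so the ACE destination must be the
    # address the static presents there, not the DC's real inside address.
    for name, _proto, src, dst, _port in aces:
        for _real_ifc, mapped_ifc, mapped_ip, real_ip in statics:
            if mapped_ifc != groups.get(name):
                continue
            if dst == real_ip != mapped_ip:
                findings.append(f"ACE to {dst} on {mapped_ifc} cannot match: static presents {real_ip} as {mapped_ip}")
            if mapped_ip == src:
                findings.append(f"static presents {real_ip} as {mapped_ip}, the same address as the {mapped_ifc} host")
    return findings, cleaned
```

Feed it the lines you intend to paste into the ASA; an empty findings list means the static and the ACL agree on the address the DC has on the DMZ side.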

Community Member

Re: Domain Authentication through an ASA

My old post with the config expired; here it is.
