I have an ASA series appliance (8.2 I believe), and I am trying to get active directory to work across this appliance in routed mode.
- I have a workstation that is on the outside (192.168.70.151 subnet) and 2 redundant active directory controllers that are on the inside (192.168.3.101 and .3.102).
- I have static NAT set up, and the firewall rules open for any any ip and any any icmp.
- I have DNS rewrite enabled on my static NAT rules for the workstation and the 2 ADCs.
- I can successfully ping the ADCs from the workstation and vice versa across the NAT.
What I can't seem to do is join the computer to the domain. When I attempt to do this, I can see DNS traffic in my ADM log (port 53), and the error message I get on the workstation shows that the workstation was able to successfully query the DNS record to obtain the NetBIOS names of the 2 ADCs. However, I cannot join this workstation to the domain (the error message says that either the domain controllers are not active, or that their IP address records in the DNS are not correct).
Maybe the IP address records from the DNS are their real 192.168.2.101 and 192.168.2.102 addresses, and thus the workstation can't reach them?
Has anyone encountered this situation before? Microsoft does not support this configuration, so any help would be GREATLY appreciated.
So I was able to set up the NAT in this way, and all traffic appears to be flowing through the firewall, but the workstation is still not registering with the domain. After much research on Microsoft's website, it turns out that I will not be able to join this workstation to the domain because of some NetBIOS limitations and the fact that my ADCs are multi-homed.
Is there a way to put 2 interfaces on the ASA appliance on the same subnet when it is in routed mode? If I could do that, then this external workstation would stay on the same subnet, alleviating the domain registration problem.
I know I can do this in transparent mode, but the firewall is performing some other features that it must be in routed mode for.
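As an added illustration (not code from this thread), here is a small Python model of what the DNS-rewrite option on a static NAT does to A records in replies crossing from inside to outside, plus a check for the symptom described above: an outside client being handed the controllers' untranslated inside addresses. The mapped addresses, hostnames and domain name are constructed assumptions.

```python
# Added example (not from the thread): models ASA-style DNS rewrite ("DNS doctoring")
# on static NAT rules, inside-to-outside direction only, and flags the failure mode
# where an outside workstation still receives inside-only addresses for the DCs.
import ipaddress

# Constructed static NAT rules: real (inside) address -> mapped (outside) address.
# "dns_rewrite" stands for the DNS-rewrite option on the static NAT rule.
NAT_RULES = {
    "192.168.3.101": {"mapped": "192.168.70.201", "dns_rewrite": True},
    "192.168.3.102": {"mapped": "192.168.70.202", "dns_rewrite": True},
    "192.168.3.50":  {"mapped": "192.168.70.50",  "dns_rewrite": False},
}

INSIDE_NET = ipaddress.ip_network("192.168.3.0/24")  # constructed inside subnet


def doctor_answers(answers, nat_rules=NAT_RULES):
    """Return a copy of a DNS answer section with A records rewritten the way a
    DNS-rewrite static NAT rewrites replies leaving the inside interface.
    answers: list of (name, rtype, rdata) tuples as sent by the inside DNS server."""
    doctored = []
    for name, rtype, rdata in answers:
        rule = nat_rules.get(rdata) if rtype == "A" else None
        if rule and rule["dns_rewrite"]:
            doctored.append((name, rtype, rule["mapped"]))
        else:
            doctored.append((name, rtype, rdata))  # SRV/other records and non-rewritten A records pass unchanged
    return doctored


def unreachable_from_outside(answers, inside_net=INSIDE_NET):
    """Names whose A record still points at an inside address: an outside
    workstation cannot route to these, which matches the 'IP address records
    in the DNS are not correct' error reported during a domain join."""
    return sorted(name for name, rtype, rdata in answers
                  if rtype == "A" and ipaddress.ip_address(rdata) in inside_net)


# Constructed reply from the inside DNS server for a domain-join lookup:
# the _ldap SRV records name both controllers; their A records are inside addresses.
REPLY = [
    ("_ldap._tcp.dc._msdcs.corp.example", "SRV", "dc1.corp.example"),
    ("_ldap._tcp.dc._msdcs.corp.example", "SRV", "dc2.corp.example"),
    ("dc1.corp.example", "A", "192.168.3.101"),
    ("dc2.corp.example", "A", "192.168.3.102"),
    ("fileserver.corp.example", "A", "192.168.3.50"),
]

if __name__ == "__main__":
    for rec in doctor_answers(REPLY):
        print(rec)
    print("still inside-only:", unreachable_from_outside(doctor_answers(REPLY)))
```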
Log in to the FXOS chassis manager.
Direct your browser to https://hostname/, and log in using the username and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...