Community Member

ASA: How to allow active directory to traverse outside and inside?

I am attempting to get AD to cooperate from a parent domain on the outside of the ASA to a child domain on the inside of the ASA.

So far, when I first set up the child domain all is well (I assume because the inside server is initiating the chatter), but after a little while (not sure of the time frame) AD stops syncing and I get errors on the servers about it.

7 REPLIES

Re: ASA: How to allow active directory to traverse outside and inside?

This is just off the top of my head, but you'll need LDAP, DNS, and Kerberos opened up. If you want file browsing, you'll have to open RPC (all ports >1024) and 137-139 and 445. You have a couple of other options, though. You can use an IPSec tunnel between the two servers and/or RPC over HTTPS.

Hope that helps.
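As an added example (not from this thread, and not either poster's config), here is how the ports listed in the reply above could be opened on the outside ASA while still limiting them to the domain controllers themselves; the host addresses, interface name and ACL name are assumed placeholders, and the RPC high-port range is the ">1024" this reply gives, which can be narrowed to the dynamic range the Windows version in use actually allocates.

```cisco
! Added example, not from the thread: ASA ACL permitting only the AD
! ports listed above, and only between the named domain controllers.
! Addresses, interface name and ACL name are assumed placeholders.
object-group network PARENT-DCS
 network-object host 192.0.2.10
 network-object host 192.0.2.11
object-group network CHILD-DCS
 network-object host 198.51.100.10
!
! TCP: DNS 53, Kerberos 88, RPC endpoint mapper 135, NetBIOS 137-139,
! LDAP 389, SMB 445, and the RPC high ports (>1024 as stated above;
! narrow this to the dynamic range your Windows version uses).
object-group service AD-TCP tcp
 port-object eq 53
 port-object eq 88
 port-object eq 135
 port-object range 137 139
 port-object eq 389
 port-object eq 445
 port-object range 1025 65535
!
! UDP: DNS, Kerberos, NetBIOS name/datagram service, LDAP (used for
! DC locator pings).
object-group service AD-UDP udp
 port-object eq 53
 port-object eq 88
 port-object range 137 138
 port-object eq 389
!
! Inbound on the outside interface: parent DCs to child DCs only.
! The explicit logged deny makes anything else that tries to reach
! the inside DCs visible in the ASA logs.
access-list OUTSIDE-IN extended permit tcp object-group PARENT-DCS object-group CHILD-DCS object-group AD-TCP
access-list OUTSIDE-IN extended permit udp object-group PARENT-DCS object-group CHILD-DCS object-group AD-UDP
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
```

Return traffic for connections the inside DCs start is already allowed by the ASA's stateful inspection; the inbound ACL matters because replication and Kerberos requests are also initiated by the parent DCs, which is consistent with things working only while the inside server is the one starting the conversation.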

Community Member

Re: ASA: How to allow active directory to traverse outside and inside?

I will try to illustrate my setup here.

Internet----ASA1--Domain1
              |
              |
            ASA2--Domain1.1

I'll post my configs from both ASAs later today.

Community Member

Re: ASA: How to allow active directory to traverse outside and inside?

I would recommend using an IPSEC tunnel for this if possible.

The following link shows a list of the required ports:

http://technet.microsoft.com/en-us/library/bb727063.aspx

HTH

Steve

Re: ASA: How to allow active directory to traverse outside and inside?

Nice link Steve, thanks.

Community Member

Re: ASA: How to allow active directory to traverse outside and inside?

I have attempted this, but all I get when I ping is "negotiating IP security".

I think this should be working but I'm obviously missing something.

Community Member

Re: ASA: How to allow active directory to traverse outside and inside?

If you are able to, please post your configs for us to review.

Thanks

Steve

Community Member

Re: ASA: How to allow active directory to traverse outside and inside?

Here are my 2 configs.

Outside is the ASA connected to Internet, inside is the ASA on the inside interface of the outside ASA.

There are 3 AD servers on the inside interface of the outside ASA, and there are 2 AD servers on the inside interface of the inside ASA. All 5 of these servers need to speak AD to each other.
