Cisco Support Community

New Member

DC and ADC Synchronization through ASA 5580

Hi, I have a Windows 2008 server acting as DC connected to one of the interfaces of the ASA 5580, and have a couple of ADCs in the branches which are connected to different interfaces of the ASA. The routing is happening through the ASA. When trying to do DCPROMO on the ADC it’s giving an error. Natting is not there in the ASA and I have an access-list configured for “Permit IP Any any” on all interfaces. Any clue what could be the problem?

7 REPLIES
Cisco Employee

Re: DC and ADC Synchronization through ASA 5580

When you say there is no NATing, where is the traffic to and from? High security level interface to low, or low security level interface to high?

New Member

Re: DC and ADC Synchronization through ASA 5580

Both are with the same security level and I have

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

configured on the ASA.

Cisco Employee

Re: DC and ADC Synchronization through ASA 5580

OK, but you still need to configure static NAT to itself even though same-security-traffic permit inter-interface has been configured, as that is for the ACL, not for NAT.

New Member

Re: DC and ADC Synchronization through ASA 5580

To add to my previous post;  I can ping the DC from the ADC, there is no basic communication issue.  Network reachability is there.

New Member

Re: DC and ADC Synchronization through ASA 5580

To take care of the NAT I have 'no nat-control'.

Cisco Employee

Re: DC and ADC Synchronization through ASA 5580

1) Please check the syslog to see if it's being blocked by the firewall.

2) Run packet capture on both interfaces with ACL just between the DC and ADC:

access-list cap-test permit ip host host

access-list cap-test permit ip host host

capture cap-DC access-list cap-test interface

capture cap-ADC access-list cap-test interface

Try the "DCPROMO", and check the packet capture to see where it is breaking.
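For step 1 above, one way to sort the firewall's drop messages between the two servers by cause, as an added example that is not part of the original thread. It handles ASA syslog messages 106023 (ACL deny) and 305005 (no translation group found); the log lines, IP addresses, hostname and interface names are constructed for illustration.

```python
import re
from collections import Counter

# ASA message IDs that use the "src if:ip/port dst if:ip/port" layout.
REASONS = {
    "106023": "denied by access-group (ACL)",
    "305005": "no translation group found (NAT)",
}

LINE_RE = re.compile(
    r"%ASA-\d-(?P<msgid>\d{6}): .*?\b(?P<proto>tcp|udp|icmp)\s+"
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))?\s+"
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
)

def blocked_flows(lines, host_a, host_b):
    """Count firewall drops between two hosts, in either direction."""
    pair = {host_a, host_b}
    hits = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["msgid"] not in REASONS:
            continue  # not a drop message we classify
        if {m["src_ip"], m["dst_ip"]} != pair:
            continue  # traffic between other hosts
        key = (REASONS[m["msgid"]], m["proto"],
               m["src_ip"], m["dst_ip"], m["dst_port"])
        hits[key] += 1
    return hits

# Constructed sample: DC = 192.0.2.10, ADC = 198.51.100.20 (assumed values).
SAMPLE_LOG = """\
Mar 01 10:00:01 asa %ASA-3-305005: No translation group found for tcp src branch1:198.51.100.20/49152 dst dc:192.0.2.10/135
Mar 01 10:00:02 asa %ASA-3-305005: No translation group found for tcp src branch1:198.51.100.20/49153 dst dc:192.0.2.10/135
Mar 01 10:00:03 asa %ASA-4-106023: Deny udp src branch1:198.51.100.20/50000 dst dc:192.0.2.10/389 by access-group "branch1_in" [0x0, 0x0]
Mar 01 10:00:04 asa %ASA-4-106023: Deny tcp src branch1:198.51.100.99/40000 dst dc:192.0.2.10/445 by access-group "branch1_in" [0x0, 0x0]
Mar 01 10:00:05 asa %ASA-6-302013: Built inbound TCP connection 7 for branch1:198.51.100.20/49160 (198.51.100.20/49160) to dc:192.0.2.10/88 (192.0.2.10/88)
""".splitlines()

if __name__ == "__main__":
    flows = blocked_flows(SAMPLE_LOG, "192.0.2.10", "198.51.100.20")
    for (reason, proto, src, dst, port), n in flows.most_common():
        print(f"{n:3d}  {proto} {src} -> {dst}:{port}  {reason}")
```

A run of 305005 entries points at NAT configuration, while 106023 entries point at an access-list.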

New Member

Re: DC and ADC Synchronization through ASA 5580

Probably dcerpc inspection drops some communication. Try "sh policy-map" and look in the dcerpc section for the number of dropped packets.
