Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

How to configure access-list for PC in DMZ to authenticate to AD


I have a Windows PC in our DMZ that I need to athenticate to our Active Directory. I have seen several lists of different ports that I need to allow through, but they all refer to replication etc. which I don't need: I just want to authenticate! I hope the list just to allow authentication is shorter than any of the lists I've come across so far. If you have a short list of ports, or even a long list if that's really what I need, please let me have it.



New Member


This will depend on your configuration but from what I remember the process is broken out into two sections. Name Resolution and Authentication.

So are you using DNS or WINS (DNS hopefully )?

If you are using WINS you should have to open 137-139.

If you are using DNS you should be able to get away with 53 and 445.

Can anyone else confirm or correct this?

New Member

I've seen the following included in some ACLs that segment machines in a DMZ from your AD. Sometimes they'll also want to be able to ping the AD servers so you may need ICMP echo opened up as well.



TCP RPC - 135

TCP SMB - 445

TCP LDAP GC - 3268

UDP DNS - 53

New Member

The list posted by Eli is what I use, Add TCP 1025 & 1026 -- you should be good to go.

Also one option is to deny everything and attempt a login from the PC and watch the ASDM debugging screen and start opening up the ports on our lists until you get what you are looking for.

New Member

Thanks guys.

Sorry for the delay in replying, but I've been out of the office and these pages are impossible to read/navigate on my PDA!

So, yes John, we are using DNS.

Eli: your list is about as long as others I've seen, but I was hoping for a shorter list .

Leon: I've not used ASDM, and having done a quick search for it, found a demo version, so I'm guessing I'd have to buy it. As we have just 2 PIXs, that feels like over-kill and my boss is really tight!

Anyway, I'll give it a go and report back...

New Member


Give it a shot with just DNS (UDP & TCP) and 445 (TCP). I think you should be able to get away with just those in your situation.