Solved

RPC Server issues w/ Cisco ASA5510 and PIX501 Site to Site.....

Posted on 2006-04-02
Last Modified: 2012-06-21
I am pulling my hair out on this one.  My company has merged with another company and their sites.  My company had recently upgraded all of its equipment hence we would migrate their sites to ours.  Here is my issue.

We moved all of mail services to Domain A.  We were trying to create a 2-Way trust between the DC on Domain A to the DC on Domain B.  The Exchange Server on Domain A would handle all the mail for both sites.  Using the "Associated with an External Account" to match Domain A Exchange Mailboxes to Domain B Accounts.  The trouble began when we tried to create the trusts.  It would just hang.  Every time we tried to Associate a Domain B account to a Domain A Mailbox it would hang.  I think I have an issue with the VPN not allowing all RPC traffic through.  Anyway, my site and Cisco info are below.

Anyone's help will be much appreciated.
Thank you in advance.
Etikigaq

Site Layouts:
Domain A - Windows 2003 R2 DC, Windows 2003 R2 w/ Exchange 2003 Sp2, Windows 2003 R2 (Running terminal services), behind Cisco ASA5510
Domain B - Windows 2003 R2, behind Cisco PIX501

WAN Layout:
Domain A - ASA5510 - 2mb/2mb - Internet - 1mb/1mb - PIX501 - Domain B

Domain A
ASA5510 Config:
ASA Version 7.0(4)
!
hostname Domain A
domain-name DomainA.LOCAL
enable password xxxxxxxxxxx encrypted
names
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address x.x.x.210 255.255.255.240
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address x.x.0.20 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxxxxxxxxxxx encrypted
ftp mode passive
clock timezone PCST -8
clock summer-time PCDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list Outside_cryptomap_20_1 extended permit ip x.x.0.0 255.255.255.0 x.x.4.0 255.255.255.0
access-list acl-out extended permit tcp any host x.x.x.211 eq 3389
access-list acl-out extended permit tcp any host x.x.x.220 eq www
access-list acl-out extended permit tcp any host x.x.x.215 eq smtp
access-list inside_outbound_nat0_acl extended permit ip x.x.0.0 255.255.255.0 x.x.4.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool RDP x.x.0.200-x.x.0.220 mask 255.255.255.0
no failover
asdm image disk0:/asdm-504.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
nat (Inside) 0 access-list inside_outbound_nat0_acl
nat (Inside) 10 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp x.x.x.211 3389 x.x.0.10 3389 netmask 255.255.255.255
static (Inside,Outside) tcp x.x.x.215 smtp x.x.0.5 smtp netmask 255.255.255.255
static (Inside,Outside) tcp x.x.x.220 www x.x.0.5 www netmask 255.255.255.255
access-group acl-out in interface Outside
route Outside 0.0.0.0 0.0.0.0 x.x.x.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password xxxxxxxxxxxxx encrypted privilege 15
http server enable
http x.x.0.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map Outside_map 20 match address Outside_cryptomap_20_1
crypto map Outside_map 20 set peer x.x.x.x
crypto map Outside_map 20 set transform-set ESP-DES-SHA
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
telnet timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
tftp-server Outside x.x.x.x /
webvpn
 enable Outside
 nbns-server x.x.0.1 master timeout 2 retry 2
 authorization-server-group LOCAL
 authorization-required
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end

Domain B
PIX501 Config:
PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
hostname Domain B
domain-name domainb.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name x.x.0.0 domaina
access-list inside_outbound_nat0_acl permit ip x.x.4.0 255.255.255.0 domaina 255.255.255.0
access-list outside_cryptomap_20 permit ip x.x.4.0 255.255.255.0 domaina 255.255.255.0
access-list acl-out permit tcp any host x.x.x.1 eq 3389
pager lines 24
logging console debugging
mtu outside 1460
mtu inside 1460
ip address outside pppoe setroute
ip address inside x.x.4.20 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp x.x.x.1 3389 x.x.4.1 3389 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http Domain A 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server outside x.x.x.248 /
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer x.x.x.210
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.210 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup tts_vpn idle-time 1800
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group domainb request dialout pppoe
vpdn group domainb localname XXXXXXXXXXXXXXXXXXXX
vpdn group domainb ppp authentication pap
vpdn username XXXXXXXXXXXXXXXX password *********
dhcpd dns 198.51.13.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
: end
Question by:etikigaq
16 Comments
 

Author Comment

by:etikigaq
ID: 16358335
More notes...

Validate trust results:
Domain A -> Domain B (both incoming and outgoing) Successful!
Domain B -> Domain A (both incoming and outgoing) Failed!  Error Below
Error:
Active Directory
The account does not have administrative privileges on the domain DomainA.local.  The error is The RPC server is unavailable.
The trust cannot be validated.

The account used is the administrator account for Domain A.

Expert Comment

by:carl_legere
ID: 16380661
http://www.dslreports.com/drtcp

take all servers that need to talk using sites and services connectors, and lower their MTU to 1300, reboot, test

Change all sites and services connections that will be WAN based to IP, make sure they are not RPC.

remove SMTP fixup on routers, it is on the inside interface and therefore interferes with VPN traffic.

I just did one like this

Expert Comment

by:lrmoore
ID: 16388187
ASA5510 has all interfaces set MTU 1500
PIX 501 has all interfaces set MTU 1460

Is the 501 sitting behind a DSL connection?
It is this mismatch of MTU sizes that is the crux of the issue.
carl has the right answer and that is to set all the servers to use a max MTU of 1300


Expert Comment

by:carl_legere
ID: 16388452
I guess MS uses an extended command set in SMTP (when we're talking SMTP TO SMTP, both Exchange servers) and it sometimes tries to make big packets and some get lost if there is an MTU mismatch.  Seems costly for performance to lower the MTU drastically, but if it works it works.

Author Comment

by:etikigaq
ID: 16388907
All of the servers are set to a MTU of 1300.  Dynamic RPC has been set to use ports 5000-5100.
http://support.microsoft.com/kb/154596 .  Is there something I need to do on firewall?  

Change all sites and services connections that will be WAN based to IP, make sure they are not RPC. ?  Don't Know how to do this.

There is no Inspect for smtp on the ASA, I removed it from the PIX.

ASA5510 has all interfaces set MTU 1500
PIX 501 has all interfaces set MTU 1460 "Has been changed back to 1500.  Minor mistake."

Is the 501 sitting behind a DSL connection? "YES, both sides are"

Good news is that we can now Validate trust from both sides.
Bad news: we still can't share files or Associate Accounts from Domain B to Domain A mailboxes.  It just freezes and hangs.

thank you for the responses..



Author Comment

by:etikigaq
ID: 16388912
BTW only one Exchange Server in the mix.

Site Layouts:
Domain A - Windows 2003 R2 DC, Windows 2003 R2 w/ Exchange 2003 Sp2, Windows 2003 R2 (Running terminal services), behind Cisco ASA5510
Domain B - Windows 2003 R2, behind Cisco PIX501

WAN Layout:
Domain A - ASA5510 - 2mb/2mb - Internet - 1mb/1mb - PIX501 - Domain B

Expert Comment

by:lrmoore
ID: 16389266
>Good news is that we can now Validate trust from both sides.
Good news, indeed!

>Bad news we still can't share files, Associate Accounts from Domain B to Domain A mailboxes.  It just freezes and hangs
Sounds like DNS issues now between the two domains. Where is your primary DNS ? Are *all* systems pointing to this primary dns?


Author Comment

by:etikigaq
ID: 16389300
Primary DNS servers are on each other's domains.  Lookup forwarders are in each DNS server.  We do have DNS zones for each domain in each domain's DNS servers.  We have successful zone transfers from each server.  I just set up a WINS server on each domain and they are successful replication partners.

One thing to add to the WAN setup.  We have a soho91 handling our PPPOE and our routed subnet (ASA doesn't support it, BAH!), but this shouldn't have any impact on a site to site VPN, correct?

Author Comment

by:etikigaq
ID: 16389646
For sh!ts and giggles we brought up the old Exchange server on the Domain B side and were able to Associate Accounts from Domain A to Domain B mailboxes. (BAH!)

Correct me if I am wrong, doesn't the ASA5510 handle RPC traffic differently than the PIX501?  The above tests tell me that traffic coming from Domain A isn't getting blocked. I just don't know...

Expert Comment

by:carl_legere
ID: 16390959
how is your 'net view \\servername' from each direction?

Accepted Solution

by:lrmoore (earned 2000 total points)
ID: 16391219
>Is the 501 sitting behind a DSL connection? "YES, both sides are"
Since both sides are behind DSL connections, with PPPoE, you can still have a MTU issue.
Have you tried setting the servers to lower MaxMTU?

Author Comment

by:etikigaq
ID: 16393120
>how is your 'net view \\servername' from each direction? Yes, this comes up smelling like roses...

>Have you tried setting the servers to lower MaxMTU? I have set the MAXMTU to as low as 1200.  Should I go lower?

Some more troubleshooting has shown, that I can copy files from Domain A to Domain B if it is requested by Domain B.  
For Example:
On Domain B DC, if I open a share \\dc01.DomainA.Local\IT, it opens, I am able to copy files from that share to Domain B's DC.  If I try to put a file in the same window (\\dc01.domainA.local) it hangs with an error titled "Error Copying File or Folder": "Cannot copy radmin22: The specified network name is no longer available"

On Domain A DC, if I open a share \\dc02.DomainB.local\IT, it opens, but once I select a file in the share it freezes and I have to do End Task on the Window.

I have used IPs to connect the shares, the same thing happens. Lol, I am so confused.

Expert Comment

by:carl_legere
ID: 16393286
do you have this for DSL:

internet -> dslmodem -> PIX
or
internet -> PIX with dsl modem card

if the first one, is the DSL modem acting as a bridge, and is it handing a real IP or a 192.168.x.x type IP address to the PIX?
if the second, post the PIX configs

Author Comment

by:etikigaq
ID: 16393319
Domain A = Internet > dslmodem > soho91 > ASA5510
Domain B = Internet > dslmodem > PIX501

Author Comment

by:etikigaq
ID: 16415034
Bah, how do I split the points!!!  Please split the points between carl_legere and lrmoore...

Author Comment

by:etikigaq
ID: 16415068
I would like to thank both of you for your input, because it helped solve the issue.  It was an MTU issue.  Not with either the ASA or the PIX501, but with the SOHO91.  The SOHO91 was supplied and controlled with the Managed BXBDSL circuit.  They said it was set to 1500, but surprise, surprise, it wasn't; we changed it to 1500 and WOW, everything works now.  Thank you again for your help.  I will post some captures that really pointed to the culprit.
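The thread ends with the MTU diagnosis: the servers were dropped to 1300, the ASA and PIX interfaces were at 1500, both sites sit on PPPoE DSL, and the real culprit was the carrier-managed SOHO91 in front of the ASA. The following Python script is an added example, not code from the thread, from Cisco or from Microsoft. It does two things a practitioner would want before touching server MTUs: it computes, for the ESP-DES-SHA and ESP-3DES-SHA transform sets in the posted configs, the largest inner packet that still fits a 1500 or 1492 (PPPoE) byte path once ESP tunnel-mode headers, CBC padding and the 96-bit SHA-1 ICV are added; and it binary-searches the real path MTU with DF-set pings. The ESP-AES-SHA entry is an assumed comparison point that does not appear in the thread. The `icmp_df_probe` function assumes Linux iputils `ping` and a reachable peer; the `simulated_probe` and its 1438-byte figure are constructed so the script runs offline.

```python
"""
Added example, not code from the thread or from Cisco: size the IPsec tunnel
described in the posted configs and probe the real path MTU with DF-set pings.
"""
import subprocess
from typing import Callable

IPV4_HDR = 20          # outer IPv4 header added by tunnel mode
ESP_HDR = 8            # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1)
HMAC_SHA1_96_ICV = 12  # esp-sha-hmac truncates the MAC to 96 bits
PPPOE_MTU = 1492       # 1500 Ethernet minus PPPoE (6) and PPP (2) headers

# (cipher block size, IV length, ICV length) for the transform sets in the
# ASA/PIX configs, plus an AES set as an assumed comparison point.
TRANSFORM_SETS = {
    "ESP-DES-SHA": (8, 8, HMAC_SHA1_96_ICV),
    "ESP-3DES-SHA": (8, 8, HMAC_SHA1_96_ICV),
    "ESP-AES-SHA": (16, 16, HMAC_SHA1_96_ICV),   # assumed, not in the thread
}


def esp_tunnel_overhead(inner_len: int, block: int = 8, iv: int = 8,
                        icv: int = HMAC_SHA1_96_ICV) -> int:
    """Bytes ESP tunnel mode adds to an inner IPv4 packet of inner_len bytes.

    CBC ciphers pad (payload + trailer) up to a multiple of the block size,
    so the overhead varies by up to block-1 bytes with the inner length.
    """
    pad = (-(inner_len + ESP_TRAILER)) % block
    return IPV4_HDR + ESP_HDR + iv + pad + ESP_TRAILER + icv


def max_inner_packet(path_mtu: int, block: int = 8, iv: int = 8,
                     icv: int = HMAC_SHA1_96_ICV) -> int:
    """Largest inner IPv4 packet whose ESP-encapsulated form fits path_mtu."""
    room = path_mtu - (IPV4_HDR + ESP_HDR + iv + icv)  # for payload+pad+trailer
    room -= room % block                                # must be block-aligned
    return max(room - ESP_TRAILER, 0)


def tunnel_budget(path_mtu: int) -> dict:
    """Per transform set: the largest inner packet that still fits path_mtu."""
    return {name: max_inner_packet(path_mtu, *params)
            for name, params in TRANSFORM_SETS.items()}


def simulated_probe(true_path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for the network: a DF packet passes iff it fits."""
    return lambda total_ip_len: total_ip_len <= true_path_mtu


def icmp_df_probe(target: str, timeout_s: int = 2) -> Callable[[int], bool]:
    """Real probe using Linux iputils ping with DF set (-M do).

    -s takes the ICMP payload size; total IPv4 length = payload + 28
    (20 IP + 8 ICMP).  Windows equivalent: ping -f -l <payload> <target>.
    """
    def probe(total_ip_len: int) -> bool:
        payload = total_ip_len - 28
        r = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s),
                            "-M", "do", "-s", str(payload), target],
                           capture_output=True)
        return r.returncode == 0
    return probe


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576,
                  hi: int = 1500) -> int:
    """Binary-search the largest DF packet (total IP length) that gets through.

    Returns 0 if even lo bytes fail, i.e. the target answers no echo at all
    or something on the path drops ICMP; check that before trusting a result.
    """
    if not probe(lo):
        return 0
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    for path in (1500, PPPOE_MTU, 1300):
        print(f"path MTU {path}: {tunnel_budget(path)}")
    # Offline run against a constructed path that silently drops anything
    # over 1438 bytes; for a live check use icmp_df_probe("peer-ip-here").
    print("measured path MTU:", find_path_mtu(simulated_probe(1438)))
```

The budget output is the number to compare against whatever the servers are set to: over a 1492-byte PPPoE path the DES/3DES transform sets leave room for a 1438-byte inner packet, so a 1500-byte server MTU relies on fragmentation or PMTUD at the VPN endpoint, and a device that does not return ICMP "fragmentation needed" (the thread's SOHO91, misconfigured by the carrier) turns large SMB writes into the hang the author described. Run the probe from inside each site toward the far side's inside address so the measurement crosses the tunnel; if the measured value is far below the computed budget, look for an intermediate device with a wrong MTU rather than lowering every server to 1300, which only hides the black hole.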
