Damian Gardner

asked on
Having trouble creating a TRUST relationship between DNS servers in DMZ

I am trying to establish a new trust between a DNS server in a DMZ and an internal DNS server on a Microsoft network.  These are 2003 Servers SP2, and the DMZ resides on a Cisco ASA 5510 firewall.  The DNS servers are able to ping each other through the firewall.  It is possible a TCP port is being blocked that is required to establish the trust - not sure on that.  any help would be appreciated.

Thank you,
Damian
khashayar01

Are you allowing DNS communications? If not, try
access-l acl_xxx permit udp host source host dest eq domain
access-l acl_xxx permit tcp host source host dest eq domain
Istvan Kalmar
Hi,

Could you show us the whole config?
Damian Gardner
ASKER
I'm not sure if DNS is being allowed, actually.  The DNS server inside the network is on IP 192.168.1.134, with the server in the DMZ having IP 192.168.5.2.  Cisco helped me initially with getting the DMZ working.  I don't know if they're willing to help with AD Trust issues however.  

Thanks for your help
 LACOASA> en

Password: ******


 LACOASA# sho    config

: Saved

: Written by enable_15 at 12:28:31.772 CST Mon Dec 28 2009

!

ASA Version 7.0(5) 

!

hostname LACOASA

domain-name cisco.com

enable password mEnh9QFRwmeyndpu encrypted

names

dns-guard

!

interface Ethernet0/0

 nameif outside

 security-level 0

 ip address 12.161.143.50 255.255.255.240 

!

interface Ethernet0/1

 nameif inside

 security-level 100

 ip address 192.168.1.254 255.255.255.0 

!

interface Ethernet0/2

 nameif dmz

 security-level 50

 ip address 192.168.5.254 255.255.255.0 

!

interface Ethernet0/3

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Management0/0

 shutdown

 no nameif

 no security-level

 no ip address

!

passwd mEnh9QFRwmeyndpu encrypted

banner exec Welcome to the Laco Industries, Inc. VPN.  Unauthorized access will be prosecuted

banner exec to the fullest extent of the law.

banner login Welcome to the Laco Industries, Inc. VPN.  Unauthorized access will be prosecuted

banner login to the fullest extent of the law.

banner motd Welcome to the Laco Industries, Inc. VPN.  Unauthorized access will be prosecuted

banner motd to the fullest extent of the law.

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

object-group network InsideServers

 network-object 192.168.1.16 255.255.255.255

 network-object 192.168.1.25 255.255.255.255

access-list inside_access_in extended permit icmp any any 

access-list inside_access_in extended permit ip any any 

access-list outside_access_in extended permit tcp any host 12.161.143.53 eq ssh 

access-list outside_access_in extended permit tcp any host 12.161.143.53 eq www 

access-list outside_access_in extended permit ip host 171.69.89.86 any 

access-list outside_access_in extended permit tcp any host 12.161.143.52 eq smtp 

access-list outside_access_in extended permit udp any host 12.161.143.53 eq isakmp 

access-list outside_access_in extended permit tcp any host 12.161.143.53 eq pptp 

access-list outside_access_in extended permit gre any host 12.161.143.53 

access-list outside_access_in extended permit esp any host 12.161.143.53 

access-list outside_access_in extended permit tcp any host 12.161.143.53 eq ftp-data 

access-list outside_access_in extended permit tcp any host 12.161.143.53 eq ftp 

access-list outside_access_in extended permit tcp any host 12.161.143.52 eq pptp 

access-list outside_access_in extended permit gre any host 12.161.143.52 

access-list outside_access_in extended permit esp any host 12.161.143.52 

access-list outside_access_in extended permit tcp any host 12.161.143.54 eq 5900 

access-list outside_access_in extended permit icmp any any echo 

access-list outside_access_in extended permit icmp any any echo-reply 

access-list outside_access_in extended permit icmp any any unreachable 

access-list outside_access_in extended permit icmp any any time-exceeded 

access-list outside_access_in extended permit tcp 198.65.167.0 255.255.255.0 host 12.161.143.52 eq smtp 

access-list outside_access_in extended permit tcp 130.94.106.0 255.255.255.0 host 12.161.143.52 eq smtp 

access-list outside_access_in extended permit tcp 66.185.163.0 255.255.255.0 host 12.161.143.52 eq smtp

access-list outside_access_in extended permit tcp 66.185.167.0 255.255.255.0 host 12.161.143.52 eq smtp 

access-list outside_access_in extended permit tcp 207.7.111.0 255.255.255.0 host 12.161.143.52 eq smtp 

access-list outside_access_in extended permit tcp 198.172.205.0 255.255.255.0 host 12.161.143.52 eq smtp 

access-list outside_access_in extended permit tcp any host 12.161.143.53 eq https 

access-list outside_access_in extended permit tcp any host 12.161.143.53 eq 2712 

access-list outside_access_in extended permit tcp any host 12.161.143.53 eq domain 

access-list outside_access_in extended permit tcp any host 12.161.143.53 eq 135 

access-list outside_access_in extended permit tcp any host 12.161.143.53 eq 445 

access-list outside_access_in extended permit tcp any host 12.161.143.53 eq 1638 

access-list outside_access_in extended permit tcp any host 12.161.143.53 eq ldap 

access-list outside_access_in extended permit tcp any host 12.161.143.55 eq www 

access-list outside_access_in extended permit tcp any host 12.161.143.55 eq https 

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0 

access-list inside_nat0_outbound extended permit ip any 192.168.1.248 255.255.255.248 

access-list inside_nat0_outbound extended permit ip any 192.168.1.240 255.255.255.240 

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0 

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0 

access-list RemoteVPNUsers_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0 

access-list outside_access-in extended permit tcp 208.74.56.0 255.255.255.0 host 12.161.143.52 eq smtp 

access-list dmztoinside extended permit tcp host 192.168.5.2 any eq www 

access-list dmztoinside extended permit tcp host 192.168.5.2 any eq https 

access-list dmztoinside extended permit udp host 192.168.5.2 any eq domain 

access-list dmztoinside extended permit tcp host 192.168.5.2 any eq 135 

access-list dmztoinside extended permit tcp host 192.168.5.2 any eq 445

access-list dmztoinside extended permit tcp host 192.168.5.2 any eq 1638 

access-list dmztoinside extended permit udp host 192.168.5.2 any eq 389 

access-list dmztoinside extended permit tcp host 192.168.5.2 any eq 2712 

access-list dmz_access_in extended permit icmp any any echo-reply 

access-list dmz_access_in extended permit tcp host 192.168.5.2 any eq www 

access-list dmz_access_in extended permit ip host 192.168.5.2 any 

pager lines 24

logging enable

logging buffered debugging

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip local pool RemoteVPNPool 192.168.1.245-192.168.1.253 mask 255.255.255.0

ip local pool test 10.0.0.1-10.0.0.15

ip local pool VPNPool 192.168.101.1-192.168.101.50

no failover

asdm image disk0:/asdm505.bin

asdm location 10.0.0.0 255.255.255.0 outside

asdm location 192.168.1.248 255.255.255.248 inside

asdm location 192.168.1.240 255.255.255.240 inside

asdm location 192.168.101.0 255.255.255.0 outside

no asdm history enable

arp timeout 14400

nat-control

global (outside) 10 interface

global (dmz) 10 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 10 192.168.1.0 255.255.255.0

nat (dmz) 10 192.168.5.0 255.255.255.0

static (inside,outside) tcp 12.161.143.53 ftp-data 192.168.1.18 ftp-data netmask 255.255.255.255 

static (inside,outside) tcp 12.161.143.53 ftp 192.168.1.18 ftp netmask 255.255.255.255 

static (inside,outside) tcp 12.161.143.53 ssh 192.168.1.14 ssh netmask 255.255.255.255 

static (inside,outside) 12.161.143.52 192.168.1.7 netmask 255.255.255.255 

static (inside,outside) 12.161.143.54 192.168.1.244 netmask 255.255.255.255 

static (inside,outside) 12.161.143.51 192.168.1.11 netmask 255.255.255.255 

static (dmz,outside) 12.161.143.55 192.168.5.2 netmask 255.255.255.255 

static (dmz,inside) 192.168.5.2 192.168.5.2 netmask 255.255.255.255 

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

access-group dmz_access_in in interface dmz

route outside 0.0.0.0 0.0.0.0 12.161.143.49 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server LACOAD protocol radius

aaa-server LACOAD host 192.168.1.18

 key lacovpn

 radius-common-pw lacovpn

group-policy test internal

group-policy RemoteVPNUsers internal

group-policy RemoteVPNUsers attributes

 banner value Welcome to the Laco Industries, Inc. VPN.  Unauthorized access will be prosecuted

 banner value to the fullest extent of the law.

 wins-server value 192.168.1.134 192.168.1.18

 dns-server value 192.168.1.134 192.168.1.18

 split-tunnel-policy tunnelspecified

 split-tunnel-network-list value RemoteVPNUsers_splitTunnelAcl

 default-domain value lacoinc1.local

 webvpn

username admin password ejDIv7e5pR..1Af6 encrypted

username tsupport password F9WcSWkdE5sGkfwW encrypted

username cisco password ffIRPGpDSOJh9YLq encrypted

http server enable

http 0.0.0.0 0.0.0.0 outside

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto ipsec security-association lifetime seconds 82800

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp nat-traversal  20

isakmp ipsec-over-tcp port 10000 

tunnel-group RemoteVPNUsers type ipsec-ra

tunnel-group RemoteVPNUsers general-attributes

 address-pool VPNPool

 authentication-server-group LACOAD

 default-group-policy RemoteVPNUsers

tunnel-group RemoteVPNUsers ipsec-attributes

 pre-shared-key *

tunnel-group test type ipsec-ra

tunnel-group test general-attributes

 address-pool test

 authentication-server-group none

tunnel-group test ipsec-attributes

 pre-shared-key *

telnet 192.168.1.0 255.255.255.0 inside

telnet 0.0.0.0 0.0.0.0 inside

telnet 192.168.5.0 255.255.255.0 dmz

telnet timeout 5

ssh 201.194.184.2 255.255.255.255 outside

ssh 0.0.0.0 0.0.0.0 outside

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 60

console timeout 0

management-access inside

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map global_policy

 class inspection_default

  inspect dns maximum-length 512 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras

  inspect netbios 

  inspect rsh 

  inspect rtsp 

  inspect skinny 

  inspect esmtp 

  inspect sqlnet 

  inspect sunrpc 

  inspect tftp 

  inspect sip 

  inspect xdmcp 

!

service-policy global_policy global

ntp server 192.168.1.134 source inside

smtp-server 192.168.1.244

Cryptochecksum:11f00230444a9806d296f9040ff70c09


LACOASA#

you need this:

access-list inside_nat0_outbound extended permit ip host 192.168.1.134 h6st 192.168.5.2
Well - I'm trying that, and it doesn't seem to like the command:

LACOASA(config)# access-list inside_nat0_outbound extended permit ip host 192.$
access-list inside_nat0_outbound extended permit ip host 192.168.1.134 h6st 1922
ERROR: % Invalid input detected at '^' marker.
LACOASA(config)# access-list inside_nat0_outbound extended permit ip host 192.$
access-list inside_nat0_outbound extended permit ip host 192.168.1.134 h6st 192.
                                                                        ^168.5.2
ERROR: % Invalid input detected at '^' marker.
LACOASA(config)#
access-list inside_nat0_outbound extended permit ip host 192.168.1.134 host 192.168.5.2
clear xlate
To create the AD trust, you need to allow the source DC to reach the destination DC on 88 (Kerberos), 389 (LDAP), 445 (SMB), 135 (RPC) and the Netlogon fixed port configured in the registry

HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\DCTcpipPort

See the table at the end of the TechNet article for the necessary ports for the different areas of action in the trust communication
http://technet.microsoft.com/en-us/library/cc756944(WS.10).aspx

The ping response has to be configured at firewall level.
Check the rule created in the firewall or router for all the traffic from the DMZ to the MS network.
Use tracert to find where the blocking is; also use the PortQry tool.
Use netstat -abnov to find out the ports it is listening on.
The ICMP packet should be allowed, and you should be able to telnet to the DNS, LDAP, Kerberos and RPC ports.
Ok - let me try these suggestions.  Standby gentlemen.

Thanks
I stumbled across this from Microsoft.  I'm wondering if any of these ports are closed?  Can you guys check out my config and tell me if any need to be opened?

"Windows Server 2003 and Windows 2000 Server
For a mixed-mode domain that uses either Windows NT domain controllers or legacy clients, trust relationships between Windows Server 2003-based domain controllers and Windows 2000 Server-based domain controllers may necessitate that all the ports for Windows NT that are listed in the previous table be opened in addition to the following ports.

Note The two domain controllers are both in the same forest, or the two domain controllers are both in a separate forest. Also, the trusts in the forest are Windows Server 2003 trusts or later version trusts.

Client Port(s)         Server Port      Service
1024-65535/TCP         135/TCP          RPC
1024-65535/TCP         1024-65535/TCP   LSA RPC Services (*)
1024-65535/TCP/UDP     389/TCP/UDP      LDAP
1024-65535/TCP         636/TCP          LDAP SSL
1024-65535/TCP         3268/TCP         LDAP GC
1024-65535/TCP         3269/TCP         LDAP GC SSL
53,1024-65535/TCP/UDP  53/TCP/UDP       DNS
1024-65535/TCP/UDP     88/TCP/UDP       Kerberos
1024-65535/TCP         445/TCP          SMB


Active Directory
For Active Directory to function correctly through a firewall, the Internet Control Message Protocol (ICMP) protocol must be allowed through the firewall from the clients to the domain controllers so that the clients can receive Group Policy information.

ICMP is used to determine whether the link is a slow link or a fast link. ICMP is a legitimate protocol that Active Directory uses for Group Policy detection and for Maximum Transfer Unit (MTU) detection. The Windows Redirector also uses ICMP to verify that a server IP is resolved by the DNS service before a connection is made.

If you want to minimize ICMP traffic, you can use the following sample firewall rule:
<any> ICMP -> DC IP addr = allow


Unlike the TCP protocol layer and the UDP protocol layer, ICMP does not have a port number. This is because ICMP is directly hosted by the IP layer.

By default, Windows Server 2003 and Windows 2000 Server DNS servers use ephemeral client-side ports when they query other DNS servers. However, this behavior may be modified with a specific registry setting that is described in the following article in the Microsoft Knowledge Base:"

Let me know.  thanks
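Added example (not from the thread, Cisco or Microsoft): a small Python checker for the question asked above, and for the port list given a few replies earlier, "do any of these ports need to be opened?". It parses ASA extended access-list lines in the syntax of the posted config, evaluates them first-match the way the ASA does, and reports which ports from the quoted Microsoft table a named ACL does not permit from the DMZ DC to the internal DC. SAMPLE_CONFIG is a constructed excerpt of the posted config; note that the posted access-group applies dmz_access_in, not dmztoinside, to the dmz interface.

```python
import ipaddress
# Ports the trust needs, from the Microsoft table quoted in the thread. The dynamic
# LSA RPC range (1024-65535/TCP) is left out on purpose; review that range separately.
TRUST_PORTS = {
    ("tcp", 135): "RPC", ("tcp", 389): "LDAP", ("udp", 389): "LDAP",
    ("tcp", 636): "LDAP SSL", ("tcp", 3268): "LDAP GC", ("tcp", 3269): "LDAP GC SSL",
    ("tcp", 53): "DNS", ("udp", 53): "DNS", ("tcp", 88): "Kerberos",
    ("udp", 88): "Kerberos", ("tcp", 445): "SMB",
}
# The ASA writes some ports by name; these are the names used in the posted config.
PORT_NAMES = {"domain": 53, "ldap": 389, "www": 80, "https": 443, "smtp": 25}

# Constructed input: an excerpt of the ACL lines from the config posted above,
# keeping only lines that concern the DMZ DC (192.168.5.2).
SAMPLE_CONFIG = """
access-list dmztoinside extended permit udp host 192.168.5.2 any eq domain
access-list dmztoinside extended permit tcp host 192.168.5.2 any eq 135
access-list dmztoinside extended permit tcp host 192.168.5.2 any eq 445
access-list dmztoinside extended permit udp host 192.168.5.2 any eq 389
access-list dmz_access_in extended permit icmp any any echo-reply
access-list dmz_access_in extended permit tcp host 192.168.5.2 any eq www
access-list dmz_access_in extended permit ip host 192.168.5.2 any
access-group dmz_access_in in interface dmz
"""

def _operand(tokens):
    """Consume one address operand ('any' | 'host A' | 'A MASK'); return (net, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(config, name):
    """Return the extended ACEs of one named ACL as (action, proto, src, dst, port)."""
    aces = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 7 or t[:3] != ["access-list", name, "extended"]:
            continue
        src, rest = _operand(t[5:])
        dst, rest = _operand(rest)
        port = None  # None means any port (no 'eq' operator on the line)
        if len(rest) >= 2 and rest[0] == "eq":
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        aces.append((t[3], t[4], src, dst, port))
    return aces

def permitted(aces, proto, src_ip, dst_ip, port):
    """First-match evaluation, as the ASA does it, with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst, eq in aces:
        if p in ("ip", proto) and s in src and d in dst and eq in (None, port):
            return action == "permit"
    return False

def missing_trust_ports(config, acl_name, src_ip, dst_ip):
    """Trust ports that ACL acl_name does not permit from src_ip to dst_ip."""
    aces = parse_acl(config, acl_name)
    return sorted(k for k in TRUST_PORTS if not permitted(aces, k[0], src_ip, dst_ip, k[1]))
```

On this excerpt dmz_access_in leaves nothing closed, because its permit ip line matches everything, while the unapplied dmztoinside list would still block Kerberos and TCP DNS/LDAP.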
Well - I just had Cisco verify that the firewall was configured correctly, and they looked at the ASA and put logs in place to check the communication between the DMZ AD server and the AD server inside the network, and the communication is working fine between them.  It seems it's a problem in how I am referring to the internal domain name or something.  Perhaps we could focus on that aspect.  I'm not an expert on AD, so I might be doing something wrong.  The server in the DMZ is named "lacops1" and I installed AD on it and made a new domain called "DMZ" on that server (ip 192.168.5.2).  This server needs to establish a TRUST with the internal AD server named "iafwebapps", on domain "lacoinc1".  So - where it's failing is when I go onto the DMZ server "lacops1" into Active Directory Domains and Trusts, and go into the properties of the DMZ domain and into the New Trust Wizard, I'm putting in "LACOINC1" in the NAME field under the Trust Name screen.  The next screen tells me "the name you specified is not a valid Windows domain name".  I did create an lmhosts entry for "lacoinc1" tied to IP 192.168.1.134, thinking maybe it was a name resolution problem, but that didn't help.

Am I doing something wrong?

Thanks
Use the DNS MMC on each DC and use the Forwarders-tab in the DNS server properties to setup conditional forwarding to make DNS queries for the other domain to be forwarded to the correct server.
Use the DNS-name for the AD-domain like "lacoinc1.local" or similar instead of the NETBIOS name "lacoinc1".
Well - when I try to add the forwarding domain, it tells me I already have a zone with the same name.  Earlier, I went into the forward zones and added the other domain on each DC, thinking it was going to be required in order to talk with each other.  This is trickier than I thought it would be.
ASKER CERTIFIED SOLUTION
Henrik Johansson
ok - let me try. standby.

Thanks
Bingo!  The fact I had created an entry under DNS in Forwarding Zone was the issue.  Once I removed that, I was able to create the Trust between the servers through the firewall.

Thanks very much for your help.