Damian Gardner
asked on
Having trouble creating a TRUST relationship between DNS servers in DMZ
I am trying to establish a new trust between a DNS server in a DMZ and an internal DNS server on a Microsoft network. These are 2003 Servers SP2, and the DMZ resides on a Cisco ASA 5510 firewall. The DNS servers are able to ping each other through the firewall. It is possible a TCP port is being blocked that is required to establish the trust - not sure on that. Any help would be appreciated.
Thank you,
Damian
Hi,
Could you show us the whole config?
ASKER
I'm not sure if DNS is being allowed, actually. The DNS server inside the network is on IP 192.168.1.134, with the server in the DMZ having IP 192.168.5.2. Cisco helped me initially with getting the DMZ working. I don't know if they're willing to help with AD Trust issues however.
Thanks for your help
Welcome to the Laco Industries, Inc. VPN. Unauthorized access will be prosecuted
to the fullest extent of the law.
User Access Verification
Password:
Welcome to the Laco Industries, Inc. VPN. Unauthorized access will be prosecuted
to the fullest extent of the law.
Type help or '?' for a list of available commands.
LACOASA> en
Password: ******
LACOASA# sho config
: Saved
: Written by enable_15 at 12:28:31.772 CST Mon Dec 28 2009
!
ASA Version 7.0(5)
!
hostname LACOASA
domain-name cisco.com
enable password mEnh9QFRwmeyndpu encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 12.161.143.50 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.5.254 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd mEnh9QFRwmeyndpu encrypted
banner exec Welcome to the Laco Industries, Inc. VPN. Unauthorized access will be prosecuted
banner exec to the fullest extent of the law.
banner login Welcome to the Laco Industries, Inc. VPN. Unauthorized access will be prosecuted
banner login to the fullest extent of the law.
banner motd Welcome to the Laco Industries, Inc. VPN. Unauthorized access will be prosecuted
banner motd to the fullest extent of the law.
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object-group network InsideServers
network-object 192.168.1.16 255.255.255.255
network-object 192.168.1.25 255.255.255.255
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host 12.161.143.53 eq ssh
access-list outside_access_in extended permit tcp any host 12.161.143.53 eq www
access-list outside_access_in extended permit ip host 171.69.89.86 any
access-list outside_access_in extended permit tcp any host 12.161.143.52 eq smtp
access-list outside_access_in extended permit udp any host 12.161.143.53 eq isakmp
access-list outside_access_in extended permit tcp any host 12.161.143.53 eq pptp
access-list outside_access_in extended permit gre any host 12.161.143.53
access-list outside_access_in extended permit esp any host 12.161.143.53
access-list outside_access_in extended permit tcp any host 12.161.143.53 eq ftp-data
access-list outside_access_in extended permit tcp any host 12.161.143.53 eq ftp
access-list outside_access_in extended permit tcp any host 12.161.143.52 eq pptp
access-list outside_access_in extended permit gre any host 12.161.143.52
access-list outside_access_in extended permit esp any host 12.161.143.52
access-list outside_access_in extended permit tcp any host 12.161.143.54 eq 5900
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit tcp 198.65.167.0 255.255.255.0 host 12.161.143.52 eq smtp
access-list outside_access_in extended permit tcp 130.94.106.0 255.255.255.0 host 12.161.143.52 eq smtp
access-list outside_access_in extended permit tcp 66.185.163.0 255.255.255.0 host 12.161.143.52 eq smtp
access-list outside_access_in extended permit tcp 66.185.167.0 255.255.255.0 host 12.161.143.52 eq smtp
access-list outside_access_in extended permit tcp 207.7.111.0 255.255.255.0 host 12.161.143.52 eq smtp
access-list outside_access_in extended permit tcp 198.172.205.0 255.255.255.0 host 12.161.143.52 eq smtp
access-list outside_access_in extended permit tcp any host 12.161.143.53 eq https
access-list outside_access_in extended permit tcp any host 12.161.143.53 eq 2712
access-list outside_access_in extended permit tcp any host 12.161.143.53 eq domain
access-list outside_access_in extended permit tcp any host 12.161.143.53 eq 135
access-list outside_access_in extended permit tcp any host 12.161.143.53 eq 445
access-list outside_access_in extended permit tcp any host 12.161.143.53 eq 1638
access-list outside_access_in extended permit tcp any host 12.161.143.53 eq ldap
access-list outside_access_in extended permit tcp any host 12.161.143.55 eq www
access-list outside_access_in extended permit tcp any host 12.161.143.55 eq https
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.248 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 192.168.1.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list RemoteVPNUsers_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list outside_access-in extended permit tcp 208.74.56.0 255.255.255.0 host 12.161.143.52 eq smtp
access-list dmztoinside extended permit tcp host 192.168.5.2 any eq www
access-list dmztoinside extended permit tcp host 192.168.5.2 any eq https
access-list dmztoinside extended permit udp host 192.168.5.2 any eq domain
access-list dmztoinside extended permit tcp host 192.168.5.2 any eq 135
access-list dmztoinside extended permit tcp host 192.168.5.2 any eq 445
access-list dmztoinside extended permit tcp host 192.168.5.2 any eq 1638
access-list dmztoinside extended permit udp host 192.168.5.2 any eq 389
access-list dmztoinside extended permit tcp host 192.168.5.2 any eq 2712
access-list dmz_access_in extended permit icmp any any echo-reply
access-list dmz_access_in extended permit tcp host 192.168.5.2 any eq www
access-list dmz_access_in extended permit ip host 192.168.5.2 any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool RemoteVPNPool 192.168.1.245-192.168.1.253 mask 255.255.255.0
ip local pool test 10.0.0.1-10.0.0.15
ip local pool VPNPool 192.168.101.1-192.168.101.50
no failover
asdm image disk0:/asdm505.bin
asdm location 10.0.0.0 255.255.255.0 outside
asdm location 192.168.1.248 255.255.255.248 inside
asdm location 192.168.1.240 255.255.255.240 inside
asdm location 192.168.101.0 255.255.255.0 outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
global (dmz) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 192.168.1.0 255.255.255.0
nat (dmz) 10 192.168.5.0 255.255.255.0
static (inside,outside) tcp 12.161.143.53 ftp-data 192.168.1.18 ftp-data netmask 255.255.255.255
static (inside,outside) tcp 12.161.143.53 ftp 192.168.1.18 ftp netmask 255.255.255.255
static (inside,outside) tcp 12.161.143.53 ssh 192.168.1.14 ssh netmask 255.255.255.255
static (inside,outside) 12.161.143.52 192.168.1.7 netmask 255.255.255.255
static (inside,outside) 12.161.143.54 192.168.1.244 netmask 255.255.255.255
static (inside,outside) 12.161.143.51 192.168.1.11 netmask 255.255.255.255
static (dmz,outside) 12.161.143.55 192.168.5.2 netmask 255.255.255.255
static (dmz,inside) 192.168.5.2 192.168.5.2 netmask 255.255.255.255
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 12.161.143.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server LACOAD protocol radius
aaa-server LACOAD host 192.168.1.18
key lacovpn
radius-common-pw lacovpn
group-policy test internal
group-policy RemoteVPNUsers internal
group-policy RemoteVPNUsers attributes
banner value Welcome to the Laco Industries, Inc. VPN. Unauthorized access will be prosecuted
banner value to the fullest extent of the law.
wins-server value 192.168.1.134 192.168.1.18
dns-server value 192.168.1.134 192.168.1.18
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteVPNUsers_splitTunnelAcl
default-domain value lacoinc1.local
webvpn
username admin password ejDIv7e5pR..1Af6 encrypted
username tsupport password F9WcSWkdE5sGkfwW encrypted
username cisco password ffIRPGpDSOJh9YLq encrypted
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 82800
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
isakmp ipsec-over-tcp port 10000
tunnel-group RemoteVPNUsers type ipsec-ra
tunnel-group RemoteVPNUsers general-attributes
address-pool VPNPool
authentication-server-group LACOAD
default-group-policy RemoteVPNUsers
tunnel-group RemoteVPNUsers ipsec-attributes
pre-shared-key *
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
address-pool test
authentication-server-group none
tunnel-group test ipsec-attributes
pre-shared-key *
telnet 192.168.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.5.0 255.255.255.0 dmz
telnet timeout 5
ssh 201.194.184.2 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
ntp server 192.168.1.134 source inside
smtp-server 192.168.1.244
Cryptochecksum:11f00230444a9806d296f9040ff70c09
LACOASA#
You need this:
access-list inside_nat0_outbound extended permit ip host 192.168.1.134 h6st 192.168.5.2
ASKER
Well - I'm trying that, and it doesn't seem to like the command:
LACOASA(config)# access-list inside_nat0_outbound extended permit ip host 192.$
access-list inside_nat0_outbound extended permit ip host 192.168.1.134 h6st 1922
ERROR: % Invalid input detected at '^' marker.
LACOASA(config)# access-list inside_nat0_outbound extended permit ip host 192.$
access-list inside_nat0_outbound extended permit ip host 192.168.1.134 h6st 192.
^168.5.2
ERROR: % Invalid input detected at '^' marker.
LACOASA(config)#
access-list inside_nat0_outbound extended permit ip host 192.168.1.134 host 192.168.5.2
clear xlate
To create the AD trust, you need to allow the source DC to reach the destination DC on 88 (Kerberos), 389 (LDAP), 445 (SMB), 135 (RPC) and the Netlogon fixed port configured in the registry at
HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\DCTcpipPort
See the table at the end of the TechNet article for the necessary ports for the different areas of action in the trust communication:
http://technet.microsoft.com/en-us/library/cc756944(WS.10).aspx
The ping response has to be configured at firewall level.
Check the rule created in the firewall or router to allow the traffic from the DMZ to the MS network.
Use tracert to find where the blocking is; also use the PortQry tool.
Use netstat -abnov to find out the ports it's listening on.
The ICMP packets should be allowed, and you should be able to telnet to the DNS, LDAP, Kerberos and RPC ports.
ASKER
Ok - let me try these suggestions. Standby, gentlemen.
Thanks
ASKER
I stumbled across this from Microsoft. I'm wondering if any of these ports are closed? Can you guys check out my config and tell me if any need to be opened?
"Windows Server 2003 and Windows 2000 Server
For a mixed-mode domain that uses either Windows NT domain controllers or legacy clients, trust relationships between Windows Server 2003-based domain controllers and Windows 2000 Server-based domain controllers may necessitate that all the ports for Windows NT that are listed in the previous table be opened in addition to the following ports.
Note: The two domain controllers are both in the same forest, or the two domain controllers are both in a separate forest. Also, the trusts in the forest are Windows Server 2003 trusts or later version trusts.
Client Port(s)          Server Port      Service
1024-65535/TCP          135/TCP          RPC
1024-65535/TCP          1024-65535/TCP   LSA RPC Services (*)
1024-65535/TCP/UDP      389/TCP/UDP      LDAP
1024-65535/TCP          636/TCP          LDAP SSL
1024-65535/TCP          3268/TCP         LDAP GC
1024-65535/TCP          3269/TCP         LDAP GC SSL
53,1024-65535/TCP/UDP   53/TCP/UDP       DNS
1024-65535/TCP/UDP      88/TCP/UDP       Kerberos
1024-65535/TCP          445/TCP          SMB
Active Directory
For Active Directory to function correctly through a firewall, the Internet Control Message Protocol (ICMP) protocol must be allowed through the firewall from the clients to the domain controllers so that the clients can receive Group Policy information.
ICMP is used to determine whether the link is a slow link or a fast link. ICMP is a legitimate protocol that Active Directory uses for Group Policy detection and for Maximum Transfer Unit (MTU) detection. The Windows Redirector also uses ICMP to verify that a server IP is resolved by the DNS service before a connection is made.
If you want to minimize ICMP traffic, you can use the following sample firewall rule:
<any> ICMP -> DC IP addr = allow
Unlike the TCP protocol layer and the UDP protocol layer, ICMP does not have a port number. This is because ICMP is directly hosted by the IP layer.
By default, Windows Server 2003 and Windows 2000 Server DNS servers use ephemeral client-side ports when they query other DNS servers. However, this behavior may be modified with a specific registry setting that is described in the following article in the Microsoft Knowledge Base:"
Let me know. thanks
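The port table quoted above is the checklist; as an added example (not code from the thread, Cisco or Microsoft), this Python script parses the access-list and access-group lines of the ASA config pasted earlier and reports which of those ports the ACL bound to the dmz interface permits from the DMZ DC (192.168.5.2) to the inside DC (192.168.1.134), honouring ASA's first-match order and implicit deny. It understands only the ACE forms that appear on this page, and the embedded config excerpt is constructed from the thread's own lines.

```python
import re

# Server-side ports from the Microsoft table quoted above (the dynamic LSA RPC range is not modelled).
REQUIRED = [("tcp", 135, "RPC"), ("tcp", 389, "LDAP"), ("udp", 389, "LDAP"),
            ("tcp", 636, "LDAP SSL"), ("tcp", 3268, "LDAP GC"), ("tcp", 3269, "LDAP GC SSL"),
            ("tcp", 53, "DNS"), ("udp", 53, "DNS"), ("tcp", 88, "Kerberos"),
            ("udp", 88, "Kerberos"), ("tcp", 445, "SMB")]
NAMED = {"domain": 53, "ldap": 389, "www": 80, "https": 443}  # ASA port keywords used on the page

# Constructed excerpt of the config pasted in the thread: the dmz-side ACLs and
# the access-group line that binds one of them to the dmz interface.
SAMPLE_CONFIG = """\
access-list dmztoinside extended permit udp host 192.168.5.2 any eq domain
access-list dmztoinside extended permit tcp host 192.168.5.2 any eq 135
access-list dmztoinside extended permit tcp host 192.168.5.2 any eq 445
access-list dmztoinside extended permit udp host 192.168.5.2 any eq 389
access-list dmz_access_in extended permit icmp any any echo-reply
access-list dmz_access_in extended permit tcp host 192.168.5.2 any eq www
access-list dmz_access_in extended permit ip host 192.168.5.2 any
access-group dmz_access_in in interface dmz
"""

# Only the ACE shapes on this page: host/any endpoints, optional 'eq port' or a trailing ICMP type.
ACE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) "
                 r"(host \S+|any) (host \S+|any)(?: eq (\S+)| \S+)?$")
GROUP = re.compile(r"^access-group (\S+) in interface (\S+)$")

def parse_config(text):
    """Return ({acl: [(action, proto, src, dst, port), ...]}, {interface: acl})."""
    aces, bound = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m, g = ACE.match(line), GROUP.match(line)
        if m:
            acl, action, proto, src, dst, port = m.groups()
            if port is not None:
                port = NAMED.get(port) or int(port)
            aces.setdefault(acl, []).append((action, proto, src, dst, port))
        elif g:
            bound[g.group(2)] = g.group(1)
    return aces, bound

def first_match(aces, proto, src, dst, port):
    """ASA walks an ACL top-down and stops at the first matching ACE;
    a flow that matches nothing hits the implicit deny at the end."""
    for ace in aces:
        _, a_proto, a_src, a_dst, a_port = ace
        if (a_proto in ("ip", proto) and a_src in ("any", "host " + src)
                and a_dst in ("any", "host " + dst) and a_port in (None, port)):
            return ace
    return None

def check_trust_ports(config_text, ifc, src, dst):
    """Report which REQUIRED ports the ACL bound to `ifc` permits from src to dst."""
    aces, bound = parse_config(config_text)
    acl = bound.get(ifc)
    report = {"acl": acl, "permitted": [], "blocked": [],
              # ACLs that are defined but bound to no interface filter nothing.
              "unbound_acls": sorted(set(aces) - set(bound.values()))}
    for proto, port, svc in REQUIRED:
        ace = first_match(aces.get(acl, []), proto, src, dst, port)
        key = "permitted" if ace and ace[0] == "permit" else "blocked"
        report[key].append((proto, port, svc))
    return report
```

Run against the pasted config, `check_trust_ports(SAMPLE_CONFIG, "dmz", "192.168.5.2", "192.168.1.134")` reports every required port permitted by the final `permit ip host 192.168.5.2 any` entry, consistent with what Cisco later confirmed, and lists `dmztoinside` as defined but bound to no interface.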
ASKER
Well - I just had Cisco verify that the firewall was configured correctly, and they looked at the ASA and put logs in place to check the communication between the DMZ AD server and the AD server inside the network, and the communication is working fine between them. It seems it's a problem in how I am referring to the internal domain name or something. Perhaps we could focus on that aspect. I'm not an expert on AD, so I might be doing something wrong. The server in the DMZ is named "lacops1" and I installed AD on it and made a new domain called "DMZ" on that server (ip 192.168.5.2). This server needs to establish a TRUST with the internal AD server named "iafwebapps", on domain "lacoinc1". So - where it's failing is when I go onto the DMZ server "lacops1" into Active Directory Domains and Trusts, and go into the properties of the DMZ domain and into the New Trust Wizard, I'm putting in "LACOINC1" in the NAME field under the Trust Name screen. The next screen tells me "the name you specified is not a valid Windows domain name". I did create an lmhosts entry for "lacoinc1" tied to IP 192.168.1.134, thinking maybe it was a name resolution problem, but that didn't help.
Am I doing something wrong?
Thanks
Use the DNS MMC on each DC and use the Forwarders tab in the DNS server properties to set up conditional forwarding, so that DNS queries for the other domain are forwarded to the correct server.
Use the DNS-name for the AD-domain like "lacoinc1.local" or similar instead of the NETBIOS name "lacoinc1".
ASKER
Well - when I try to add the forwarding domain, it tells me I already have a zone with the same name. Earlier, I went into the forward zones and added the other domain on each DC, thinking it was going to be required in order to talk with each other. This is trickier than I thought it would be.
ASKER CERTIFIED SOLUTION
ASKER
ok - let me try. standby.
Thanks
ASKER
Bingo! The fact I had created an entry under DNS in Forwarding Zone was the issue. Once I removed that, I was able to create the Trust between the servers through the firewall.
Thanks very much for your help.
access-l acl_xxx permit udp host source host dest eq domain
access-l acl_xxx permit tcp host source host dest eq domain