Second Domain AD not visible from Firebox

Hi All,

We have an M400 device which is set up fine within our domain through Interface 1. All machines are fine and we have AD Authentication set up from the device which works perfectly fine as well.

We are now merging with another company and need to add a second domain to our network. We have linked this to interface 2 and configured it as a Trusted interface (it feeds to another firewall which has a VPN to the other company). In general this works fine. Ports are opened and clients on interface 1 and 2 can communicate, and we can join the second domain from our original interface fine and ping the new domain's AD server as well.

For some reason the Firebox is unable to access the new domain's AD server by IP, either through Ping, Tracert or when testing the authentication to this server from the web interface - error "Connect to server: Failed (can't connect to 10.161.13.10[server is down or unreachable])" and Ping fails with 100% failure.

If I have a machine on interface 1 and join the new domain I can join fine and ping the server fine from the client device without issue.

The IP of the AD server is part of the route which goes through interface 2. I have not set up any NAT rules for this IP range as they will not be accessing the web through our WatchGuard device.

Worth noting that our subnet and the new subnet are part of the same larger class A range (we have 10.161.64.0/18 and they have 10.161.0.0/18).

We have a rule to allow all required ports from int 1 to int 2 for domain authentication, DNS, RADIUS and some other ports, which seem to work fine for clients. We have also added the Firebox itself to this rule (Alias: Firebox).

Does anyone have any ideas on this?

Sorry for the wall of text!

Comments

  • What do the logs in the other firewall show for the pings/tracerts?

    Access from the FB will probably be from its Interface 2 IP addr. Is this access allowed by the other firewall, from the VPN to the 2nd site, and from the 2nd site?

  • Hi Bruce

    From what I can see the server tests from the Firebox don't seem to make it to the other firewall. Again it's strange, as client devices are able to pass through it fine for access to the other domain.

    To clarify

    Client on New Domain > Watchguard > Second Firewall > Second Domain - Works Fine

    Watchguard > Second Firewall > Second Domain - Fails

    I can't seem to be able to ping any devices on this second domain's network range (10.161.0.0/18) from the Firebox itself, although a client on our side can, with one of our IPs from our range (10.161.64.0/18; also worth noting the Firebox is on this range as well). In fact any client on our range (10.161.64.0/18) can ping any client on the other range (10.161.0.0/18) fine, apart from the Firebox itself, which can ping our range fine but not the other one.

    I'm assuming this means the routes are OK but I've missed something else! Should there be a NAT rule on the Firebox for the new range (10.161.0.0/18), as it currently does not have one?

  • Check or have someone check the VPN settings.
    The VPN needs to include the IP addr of the firewall Interface 2.
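    As an added illustration of the point above (not code from the thread or from WatchGuard), the following Python models the Firebox's route lookup, the source address it uses for traffic it originates itself (pings, server tests), and a check of that source against the far end's allowed-source list. The addresses are the ones given in the thread; the interface names, the example client IP and the allowed-source list are assumptions.

```python
import ipaddress

# Constructed model of the thread's topology. Addresses come from the thread;
# the interface names and the allowed-source list are assumptions.
ROUTES = [
    ("10.161.64.0/18", "int1"),  # our range, directly on interface 1
    ("10.161.0.0/18", "int2"),   # new domain's range, routed via interface 2
]
INTERFACE_IPS = {"int1": "10.161.64.30", "int2": "10.161.10.49"}

# Assumed: what the far-end firewall/VPN accepts as source addresses.
REMOTE_ALLOWED_SOURCES = ["10.161.64.0/18", "10.161.10.49/32"]


def lookup_route(dst):
    """Longest-prefix match over ROUTES; returns the egress interface or None."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def source_for(dst):
    """Source address the firewall uses for traffic it originates itself:
    the IP of the egress interface, not the interface the clients sit on."""
    iface = lookup_route(dst)
    return None if iface is None else INTERFACE_IPS[iface]


def check_path(src, dst, allowed_sources=REMOTE_ALLOWED_SOURCES):
    """Report the egress interface, the source the far end will see, and
    whether that source falls inside the remote side's allowed-source list.
    src=None means the firewall itself is the sender."""
    iface = lookup_route(dst)
    if iface is None:
        return {"egress": None, "source": src, "permitted": False}
    source = INTERFACE_IPS[iface] if src is None else src
    permitted = any(ipaddress.ip_address(source) in ipaddress.ip_network(n)
                    for n in allowed_sources)
    return {"egress": iface, "source": source, "permitted": permitted}


if __name__ == "__main__":
    dc = "10.161.13.10"  # the second domain's AD server, from the thread
    print("client :", check_path("10.161.70.5", dc))  # constructed client IP
    print("firebox:", check_path(None, dc))
    # Same check when interface 2's IP is missing from the VPN definition:
    print("firebox, int2 IP not in VPN:", check_path(None, dc, ["10.161.64.0/18"]))
```

    The last line models the failure mode described above: the clients' range is allowed but the Firebox's own interface 2 address is not, so only firewall-originated traffic is dropped at the far end.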

  • Hi Bruce

    Sorry, yes the interface IP for int 2 (10.161.10.49) is allowed through the other firewall and the VPN tunnel. I can confirm this by looking at the logs of the other firewall (Cisco ASA) and testing against a firewall rule I have set up for RADIUS traffic - the rule shows a few hits if I set up a test RADIUS configuration on our WatchGuard.

    The IP of the primary interface (10.161.64.30) is not set up on the Cisco ASA, as I did not think this was required as devices on Int 2 wouldn't care about it.

  • In diagnostic logging, you can select to log traffic from the firewall.
    Then you can see the IP address being used for the ping etc. in Traffic Monitor.

  • Got it, I'll have a look at the logs tomorrow. Thank you for your help so far!

  • Just to say thanks Bruce, built a fresh Dimension server and turned the logging on as advised and immediately saw where the issue was with ICMP and also the connection to the other domain's DC for authentication!
