Cisco ASA

Here’s a few bits for a Cisco ASA to allow Windows Domain Services.

e.g. you need a DMZ server to be a member server of a domain on the internal LAN.

object-group service Windows_KDC
 description Windows KDC
 service-object tcp-udp eq 88
 service-object tcp-udp eq 464
 service-object udp eq 389
object-group service Windows_LSASS
 description Windows LSASS
 service-object tcp eq 3268
 service-object tcp eq 3269
 service-object tcp-udp eq 389
 service-object tcp eq ldaps
 service-object tcp eq 135
 service-object udp eq ntp
object-group service Windows_DNS
 description Windows DNS
 service-object tcp-udp eq domain
object-group service Windows_Browser
 description Windows Browser
 service-object udp eq netbios-ns
 service-object udp eq netbios-dgm
 service-object tcp eq netbios-ssn
object-group service Windows_DCE-RPC
 description Windows DCE-RPC
 service-object tcp eq 1026
 service-object tcp eq 1025
object-group service Windows_Dfs
 description Windows Dfs
 service-object udp eq netbios-dgm
 service-object tcp eq netbios-ssn
 service-object tcp-udp eq 389
 service-object tcp eq 445
 service-object tcp eq 135
object-group service Windows_Domain_Services
 description Windows Domain services
 group-object Windows_Browser
 group-object Windows_LSASS
 group-object Windows_DNS
 group-object Windows_KDC
 group-object Windows_DCE-RPC
 group-object Windows_Dfs