How to connect to an Active Directory server behind a firewall

I can't get LDAP queries to reach Active Directory running on Windows Server 2012 R2 behind a Cisco PIX 506E firewall. My goal is to build an SSO environment for some applications hosted in the cloud (Digital Ocean). I have full control of the entire network path to the server, and I have opened ports 389 (LDAP) and 636 (LDAPS) on the PIX and added a static statement to forward LDAP traffic to the AD server. As I will show below, whenever I try to establish a connection I run into some problems with the firewall access list, and I am not successful.

Here is what I have done so far:

1. Open the LDAP and LDAPS ports on the firewall

    fw1(config)# show access-list
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
                alert-interval 300
    access-list inbound; 4 elements
    access-list inbound line 1 permit icmp any any (hitcnt=383)
    access-list inbound line 2 permit udp any interface outside eq 1194 (hitcnt=3)
    access-list inbound line 3 permit tcp any any eq ldap (hitcnt=6)
    access-list inbound line 4 permit tcp any any eq ldaps (hitcnt=1)

2. Port-forward LDAP traffic

    fw1(config)# show static
    static (inside,outside) udp interface 1194 172.23.6.148 1194 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface ldap 172.23.6.127 ldap netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface ldaps 172.23.6.127 ldaps netmask 255.255.255.255 0 0

3. Turn off the firewall on the AD server

Screenshot showing that Windows Firewall on the AD server is turned off

4. Use Microsoft's PortQuery tool to test whether the LDAP port is really open

PortQuery GUI test results

5. Use netstat to verify that the AD server is actually listening on port 389

netstat output verifying that the LDAP port is listening for queries

At this point I feel I am not doing something right on the firewall, although I have a similar setup for an OpenVPN server that works fine (i.e., the ACL and static statements successfully pass traffic through the firewall to the OpenVPN server).

I am happy to provide any additional information that would help solve this problem. Thanks.

PS. Below is the configuration of my PIX firewall.

    fw1(config)# sho conf
    : Saved
    :
    Written by enable_15 at 22:16:51.652 EST Sat Oct 25 2014
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password ***** encrypted
    passwd ***** encrypted
    hostname fw1
    domain-name ctc.local
    clock timezone EST -5
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    no fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list inbound permit icmp any any
    access-list inbound permit udp any interface outside eq 1194
    access-list inbound permit tcp any interface outside eq 1194
    access-list inbound permit tcp any any eq ldap
    access-list inbound permit udp any any eq 389
    pager lines 24
    logging monitor notifications
    logging buffered debugging
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside MY_PUBLIC_IP 255.255.255.248
    ip address inside 172.23.6.120 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 172.23.6.0 255.255.255.0 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 172.23.6.0 255.255.255.0 0 0
    static (inside,outside) udp interface 1194 172.23.6.148 1194 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface ldap 172.23.6.127 ldap netmask 255.255.255.255 0 0
    access-group inbound in interface outside
    route outside 0.0.0.0 0.0.0.0 ISP_ROUTER_IP 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 172.23.6.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh 172.23.6.0 255.255.255.0 inside
    ssh 172.23.7.0 255.255.255.0 inside
    ssh timeout 60
    console timeout 0
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    Cryptochecksum:****

Do not open services on your domain controller to the Internet. Configure a VPN between your Digital Ocean footprint and your local Active Directory, and query AD over the VPN.
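The question tests reachability from the server side (PortQuery, netstat) and the answer recommends reaching the DC only through a VPN. The script below is an added example, not code from the question's author or the answerer: it does the reachability test from the client side, where a troubleshooter actually needs it, and tells "filtered" (silence until the timeout, the usual sign of a missing or mis-ordered ACL or static) apart from "closed" (an RST came back), then checks the end state the answer describes: LDAP/LDAPS answer through the VPN and nothing answers from the Internet side. `VPN_SIDE_DC` and `INTERNET_SIDE` are placeholder assumptions; `demo()` runs entirely on loopback with constructed listeners and involves no real DC or firewall.

```python
import socket
from typing import Dict, Iterable, List, Tuple

# Constructed placeholders: in real use, VPN_SIDE_DC is the DC's address as
# seen through the tunnel from Digital Ocean and INTERNET_SIDE is the PIX
# outside address. Neither is contacted by this example.
VPN_SIDE_DC = "172.23.6.127"     # assumption: the DC address from the question
INTERNET_SIDE = "203.0.113.10"   # assumption: documentation-range stand-in
LDAP_PORTS = (389, 636)


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify a TCP port from the client's point of view.

    open        - handshake completed: host listening and the path allows it
    closed      - RST came back: host reached, nothing listening (or the
                  firewall rejects with a reset)
    filtered    - silence until the timeout: packets dropped in transit, the
                  usual symptom of a missing or mis-ordered ACL/static
    unreachable - the OS reported a routing or ICMP error
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:          # alias of TimeoutError on Python 3.10+
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "unreachable"


def probe_targets(host: str, ports: Iterable[int] = LDAP_PORTS,
                  timeout: float = 3.0) -> Dict[int, str]:
    """Probe each port on host and return {port: state}."""
    return {p: probe_tcp(host, p, timeout) for p in ports}


def assess_exposure(via_vpn: Dict[int, str],
                    via_internet: Dict[int, str]) -> Tuple[bool, List[str]]:
    """The end state the answer recommends: LDAP/LDAPS answer through the
    VPN and nothing answers from the Internet side. Returns (ok, findings)."""
    findings: List[str] = []
    for port, state in via_vpn.items():
        if state != "open":
            findings.append(f"port {port} is {state} over the VPN; SSO queries will fail")
    for port, state in via_internet.items():
        if state == "open":
            findings.append(f"port {port} answers from the Internet; the DC is exposed")
    return (not findings, findings)


def demo() -> dict:
    """Offline run on loopback: a listening socket stands in for the DC seen
    through the VPN, a deliberately closed ephemeral port stands in for the
    Internet-facing address. No real DC or firewall is involved."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)                       # kernel completes the handshake
    open_port = listener.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                              # now nothing listens there
    try:
        via_vpn = probe_targets("127.0.0.1", (open_port,), timeout=1.0)
        via_internet = probe_targets("127.0.0.1", (closed_port,), timeout=1.0)
    finally:
        listener.close()
    ok, findings = assess_exposure(via_vpn, via_internet)
    return {"via_vpn": via_vpn, "via_internet": via_internet,
            "ok": ok, "findings": findings}


if __name__ == "__main__":
    # Real-world usage, run from a Digital Ocean host once the tunnel is up:
    #   assess_exposure(probe_targets(VPN_SIDE_DC), probe_targets(INTERNET_SIDE))
    result = demo()
    print("OK" if result["ok"] else "FINDINGS: " + "; ".join(result["findings"]))
```

Run the real-world form twice: once from the cloud host with the tunnel up (expect 389/636 "open" on the VPN-side address) and once against the PIX outside address (expect "filtered" or "closed", never "open"). A "filtered" result on the inside address points at the firewall path, a "closed" result at the DC itself, which is exactly the distinction the question's step 4 and step 5 cannot make from the server side.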