eMail Server in DMZ can't get DNS service from AD/DNS server in Inside

Answered Question
Oct 19th, 2009

Hi,

I am having trouble getting the Exchange server to have Internet access after moving it from the Inside zone to the newly created DMZ. The design requires keeping the AD, which also hosts the DNS server, in the Inside network.

I have configured a static (Inside,DMZ) so that the DNS server appears with its physical IP address to the DMZ (no NAT), and for testing purposes I allowed all IP traffic from DMZ to Inside.

Furthermore, I have added DNS for DNS doctoring to the static statement, but the problem persists. Please note that the clients in the inside network can access the Internet and the email server.

I appreciate your expertise.

Thanks

Sam


OK, to fix the Internet access for the email server you should add the below:-

access-list acl-dmz extended permit ip any any

This will allow the email server to access the Internet; however, this will also allow all access to the inside, so you also need to add

access-list acl-dmz extended deny ip any 172.120.100.0 255.255.255.0

So the complete acl should look like:-

access-list acl-dmz extended permit icmp any 172.20.100.0 255.255.255.0
access-list acl-dmz extended permit ip any host 172.120.100.(AD/DNS)
access-list acl-dmz extended deny ip any 172.120.100.0 255.255.255.0
access-list acl-dmz extended permit ip any any

HTH

ccie16351 Mon, 10/19/2009 - 04:33

Thanks Andrew,

Actually it has nat (dmz) and it uses the same global which serves the inside network. I verified Internet access by changing it to the DNS of the ISP; it works fine, but the local admin has his own reasons to use the local DNS.

Any other idea?

ccie16351 Tue, 10/20/2009 - 00:46

Hi Andrew,

The issue is, on moving the eMail server to the DMZ it loses access to the web, while the internal users keep accessing the web. Please note, the AD/DNS is in the inside network.

Thanks


ccie16351 Tue, 10/20/2009 - 01:14

Thanks Andrew, your observation sounds logical. Instead of permit ip any any at the DMZ, I will permit the server's host address to any.

I will try it and post the rating if it solves the problem. Until then, please accept my regards. Sam
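As an added illustration (my own Python, not part of the thread or of any Cisco tool), here is a small first-match evaluator for the ACL in Andrew's answer and for Sam's host-only refinement, so the ordering argument can be checked: the permit for the AD/DNS host must sit above the deny for the inside subnet, and that deny above the catch-all permit. The inside subnet is taken as 172.20.100.0/24, and the AD/DNS, mail-server and Internet addresses are assumed values, not from the thread.

```python
import ipaddress

def _addr(tok):
    # One ASA address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def parse_acl(text):
    # Each line: access-list NAME extended ACTION PROTO SRC DST -> (action, proto, src, dst)
    acl = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, rest = _addr(tok[5:])
        dst, _ = _addr(rest)
        acl.append((tok[3], tok[4], src, dst))
    return acl

def evaluate(acl, proto, src, dst):
    # First matching entry wins; 'ip' matches any protocol; implicit deny at the end
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, asrc, adst in acl:
        if p in ("ip", proto) and s in asrc and d in adst:
            return action
    return "deny"

# Constructed addresses (assumed, not from the thread): inside 172.20.100.0/24,
# AD/DNS 172.20.100.10, mail server 192.168.50.25 in the DMZ, 203.0.113.10 = Internet
DNS, MAIL, OTHER_INSIDE, INTERNET = "172.20.100.10", "192.168.50.25", "172.20.100.50", "203.0.113.10"

ACL_ANSWER = parse_acl("""
access-list acl-dmz extended permit icmp any 172.20.100.0 255.255.255.0
access-list acl-dmz extended permit ip any host 172.20.100.10
access-list acl-dmz extended deny ip any 172.20.100.0 255.255.255.0
access-list acl-dmz extended permit ip any any
""")
# Same entries with the catch-all permit first: the deny below it can never match
ACL_MISORDERED = [ACL_ANSWER[3]] + ACL_ANSWER[:3]
# Sam's refinement: only the mail server's own address gets the catch-all permit
ACL_HOST_ONLY = ACL_ANSWER[:3] + parse_acl(
    "access-list acl-dmz extended permit ip host 192.168.50.25 any")

def check(acl, src=MAIL):
    # Decisions for: DNS query to AD/DNS, probe of another inside host, outbound web
    return (evaluate(acl, "udp", src, DNS),
            evaluate(acl, "tcp", src, OTHER_INSIDE),
            evaluate(acl, "tcp", src, INTERNET))
```

check(ACL_ANSWER) gives (permit, deny, permit), the misordered list permits the inside probe too, and with the host-only version a second DMZ host still reaches DNS but not the Internet.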
