eMail Server in DMZ can't get DNS service from AD/DNS server in Inside

ccie16351
Level 1

Hi,

I am having trouble getting the Exchange server to access the Internet after moving it from the Inside zone to the newly created DMZ. The design requires keeping the AD, which also hosts the DNS server, in the Inside network.

I have configured a static (Inside,DMZ) so that the DNS server appears with its physical IP address to the DMZ (no NATting), and for testing purposes I allowed all IP traffic from DMZ to Inside.

Furthermore, I have added DNS (for DNS doctoring) to the static statement, but the problem persists. Please note that the clients in the inside network can access the Internet and the email server.

Appreciate your expertise.

Thanks

Sam


andrew.prince
Level 10

You need to ensure the DMZ server has a NAT or PAT to the outside to access the internet.

HTH>

Thanks Andrew,

Actually it has NAT (dmz) and it uses the same global that serves the inside network. I verified Internet access by changing it to the DNS of the ISP, which works fine, but the local admin has his own reasons to use the local DNS.

Any other idea?

OK - for every no we are closer to a yes.

Can you post the full NAT and access-lists you have configured, removing any sensitive information.

Thanks Andrew,

I have attached the critical portion of the config. file.

Thanks

OK I see the config - remind me again what exactly the problem is, as looking at the config I can see multiple potential issues.

Hi Andrew,

The issue is, on moving the email server to the DMZ it loses access to the web, while the internal users keep accessing the web. Please note, the AD/DNS is in the inside network.

Thanks

OK, to fix the Internet access for the email server you should add the below:

access-list acl-dmz extended permit ip any any

This will allow the email server to access the Internet; however, this will also allow all access to the inside, so you also need to add

access-list acl-dmz extended deny ip any 172.120.100.0 255.255.255.0

So the complete ACL should look like:

access-list acl-dmz extended permit icmp any 172.20.100.0 255.255.255.0

access-list acl-dmz extended permit ip any host 172.120.100.(AD/DNS)

access-list acl-dmz extended deny ip any 172.120.100.0 255.255.255.0

access-list acl-dmz extended permit ip any any

HTH>
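The ACL above only works because of first-match ordering: the host permit for AD/DNS sits above the subnet deny, and the subnet deny sits above the blanket permit. The following Python is an added example, not code from the thread or from Cisco: a small first-match evaluator for the subset of ASA extended-ACL syntax used in this answer. It parses the four lines (with the deny entry written as network plus mask, which is the form the ASA accepts, and the ICMP line against the same 172.120.100.0/24 as the other entries), then checks the flows the question is about: mail server to AD/DNS, mail server to another inside host, mail server to the Internet. The addresses of the mail server, the AD/DNS host, a second DMZ host and the outside server are assumed values, as is the mis-ordered variant and the tightened version that uses the server's own address as source instead of any.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed addresses for the walk-through; only the 172.120.100.0/24 subnet comes from the thread.
INSIDE_NET = ipaddress.ip_network("172.120.100.0/24")
AD_DNS = ipaddress.ip_address("172.120.100.10")        # assumed AD/DNS host (the thread writes "(AD/DNS)")
OTHER_INSIDE = ipaddress.ip_address("172.120.100.50")  # an inside client the mail server should not reach
MAIL_SERVER = ipaddress.ip_address("192.0.2.25")       # assumed DMZ address of the Exchange server
OTHER_DMZ = ipaddress.ip_address("192.0.2.30")         # a second, unrelated DMZ host
INTERNET_HOST = ipaddress.ip_address("198.51.100.80")  # an outside web server


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, protocol, source and destination networks."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, proto: str, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        proto_ok = self.proto == "ip" or self.proto == proto
        return proto_ok and src in self.src and dst in self.dst


def _parse_addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one ASA address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended ACTION PROTO SRC DST' (the subset used in the thread)."""
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    action, proto = tokens[3], tokens[4]
    src, rest = _parse_addr(tokens[5:])
    dst, rest = _parse_addr(rest)
    if rest:
        raise ValueError(f"unsupported trailing tokens {rest!r} in: {line}")
    return Ace(action, proto, src, dst)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(line) for line in text.splitlines() if line.strip()]


def evaluate(acl: List[Ace], proto: str, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> str:
    """ASA interface-ACL semantics: the first matching entry wins; no match means the implicit deny."""
    for ace in acl:
        if ace.matches(proto, src, dst):
            return ace.action
    return "deny"


# The accepted answer's ACL, with the deny line in 'network mask' form and the
# AD/DNS placeholder filled with the assumed address above.
ACL_DMZ = parse_acl(f"""
access-list acl-dmz extended permit icmp any 172.120.100.0 255.255.255.0
access-list acl-dmz extended permit ip any host {AD_DNS}
access-list acl-dmz extended deny ip any 172.120.100.0 255.255.255.0
access-list acl-dmz extended permit ip any any
""")

# Same entries with the blanket permit moved to the top: every later line becomes unreachable.
ACL_DMZ_WRONG_ORDER = [ACL_DMZ[3]] + ACL_DMZ[:3]

# Sam's follow-up idea: permit only the mail server's own address as source instead of 'any'.
MAIL_HOST = ipaddress.ip_network(f"{MAIL_SERVER}/32")
ACL_DMZ_TIGHT = [Ace(a.action, a.proto, MAIL_HOST, a.dst) for a in ACL_DMZ]


def walkthrough(acl: List[Ace]) -> dict:
    """Evaluate the flows that matter for the thread's question against a given ACL."""
    return {
        "mail->dns": evaluate(acl, "udp", MAIL_SERVER, AD_DNS),
        "mail->inside_client": evaluate(acl, "tcp", MAIL_SERVER, OTHER_INSIDE),
        "mail->inside_ping": evaluate(acl, "icmp", MAIL_SERVER, OTHER_INSIDE),
        "mail->internet": evaluate(acl, "tcp", MAIL_SERVER, INTERNET_HOST),
        "other_dmz->internet": evaluate(acl, "tcp", OTHER_DMZ, INTERNET_HOST),
    }


if __name__ == "__main__":
    for name, acl in [("accepted", ACL_DMZ), ("wrong order", ACL_DMZ_WRONG_ORDER), ("tight", ACL_DMZ_TIGHT)]:
        print(name, walkthrough(acl))
```

With the accepted ordering the mail server reaches AD/DNS and the Internet but not other inside hosts; with the blanket permit first, the subnet deny never fires and every inside host is reachable from the DMZ. The tightened variant additionally drops a second DMZ host on the implicit deny, which is the point of narrowing the source from any to the server's address.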

Thanks Andrew, your observation sounds logical. Instead of permit ip any any at the DMZ, I will permit the server's host address to any.

I will try it and post the rating if it solves the problem. Until then, please accept my regards. Sam
