10-19-2009 02:35 AM - edited 03-11-2019 09:27 AM
Hi,
I am having trouble getting the Exchange server Internet access after moving it from the Inside zone to the newly created DMZ. The design requires keeping the AD, which hosts the DNS server as well, in the Inside network.
I have made a static (Inside,DMZ) so that the DNS server appears to the DMZ with its physical IP address (no NATting), and for testing purposes I have allowed all IP traffic from DMZ to Inside.
Furthermore, I have added DNS (for DNS doctoring) to the static statement, but the problem persists. Please note that the clients in the inside network can access the Internet and the email server.
I appreciate your expertise.
Thanks
Sam
10-19-2009 03:31 AM
You need to ensure the DMZ server has a NAT or PAT to the outside to access the internet.
HTH>
10-19-2009 04:33 AM
Thanks Andrew,
Actually it has nat (dmz) and it uses the same global that serves the inside network. I verified Internet access by changing it to the ISP's DNS; it works fine, but the local admin has his own reasons to use the local DNS.
Any other idea?
10-19-2009 04:43 AM
OK - for every no we are closer to a yes.
Can you post the full NAT & Access-lists you have configured, remove any sensitive information.
10-19-2009 08:37 AM
10-20-2009 12:41 AM
OK I see the config - remind me again what exactly the problem is, as looking at the config I can see multiple potential issues.
10-20-2009 12:46 AM
Hi Andrew,
The issue is that on moving the email server to the DMZ it loses access to the web, while the internal users keep accessing the web. Please note, the AD/DNS is in the inside network.
Thanks
10-20-2009 12:53 AM
OK, to fix the Internet access for the email server you should add the below:
access-list acl-dmz extended permit ip any any
This will allow the email server to access the Internet; however, this will also allow all access to the inside, so you also need to add
access-list acl-dmz extended deny ip any 172.120.100.0 255.255.255.0
So the complete ACL should look like:
access-list acl-dmz extended permit icmp any 172.20.100.0 255.255.255.0
access-list acl-dmz extended permit ip any host 172.120.100.(AD/DNS)
access-list acl-dmz extended deny ip any 172.120.100.0 255.255.255.0
access-list acl-dmz extended permit ip any any
HTH>
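As an added illustration (not part of the thread or Cisco's own tooling), the following Python evaluates the proposed acl-dmz entries with ASA first-match semantics against the flows the Exchange server needs, and shows that placing "permit ip any any" above the inside-subnet deny shadows it. It assumes 172.120.100.0/24 as the inside subnet for every entry (the thread's icmp line uses 172.20.100.0), a constructed AD/DNS address of 172.120.100.10 (the thread elides it), and constructed DMZ and Internet addresses.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addresses; the AD/DNS host address is an assumption,
# since the thread only gives it as 172.120.100.(AD/DNS).
INSIDE_NET = ip_network("172.120.100.0/24")
AD_DNS_HOST = ip_network("172.120.100.10/32")
ANY = ip_network("0.0.0.0/0")

# Each entry: (action, protocol, source, destination); "ip" matches any protocol.
# This is the ordering Andrew recommends for acl-dmz.
ACL_DMZ = [
    ("permit", "icmp", ANY, INSIDE_NET),
    ("permit", "ip", ANY, AD_DNS_HOST),
    ("deny", "ip", ANY, INSIDE_NET),
    ("permit", "ip", ANY, ANY),
]

# The ordering to avoid: "permit ip any any" first shadows every later entry.
ACL_DMZ_SHADOWED = [ACL_DMZ[3]] + ACL_DMZ[:3]


def evaluate(acl, proto, src, dst):
    """Return the action of the first matching entry, else the implicit deny."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for action, acl_proto, acl_src, acl_dst in acl:
        if acl_proto not in ("ip", proto):
            continue
        if src_ip in acl_src and dst_ip in acl_dst:
            return action
    return "deny"  # ASA ACLs end with an implicit deny


def check_exchange_flows(acl, exchange_ip="10.10.10.5"):
    """Flows from the DMZ Exchange server that the thread is concerned with
    (constructed DMZ address 10.10.10.5, Internet MX 198.51.100.25)."""
    return {
        "dns_to_ad": evaluate(acl, "udp", exchange_ip, "172.120.100.10"),
        "smtp_to_internet": evaluate(acl, "tcp", exchange_ip, "198.51.100.25"),
        "smb_to_other_inside": evaluate(acl, "tcp", exchange_ip, "172.120.100.50"),
        "ping_inside": evaluate(acl, "icmp", exchange_ip, "172.120.100.50"),
    }


if __name__ == "__main__":
    print("recommended:", check_exchange_flows(ACL_DMZ))
    print("shadowed:   ", check_exchange_flows(ACL_DMZ_SHADOWED))
```

With the recommended order only DNS to the AD host, ICMP to the inside and Internet traffic are permitted; with the shadowed order every inside host becomes reachable from the DMZ.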
10-20-2009 01:14 AM
Thanks Andrew, your observation sounds logical. Instead of permit ip any any on the DMZ, I will permit the server's host address to any.
I will try it and post the rating if it solves the problem. Until then, please accept my regards. Sam