eMail Server in DMZ can't get DNS service from AD/DNS server in Inside

Hi,

I am having trouble getting the Exchange server Internet access after moving it from the Inside zone to the newly created DMZ. The design requires keeping the AD, which also hosts the DNS server, in the Inside network.

I have configured a static (Inside,DMZ) so that the DNS server appears to the DMZ with its physical IP address (no NAT), and for testing purposes I allowed all IP traffic from DMZ to Inside.

Furthermore, I have added the DNS keyword for DNS doctoring to the static statement, but the problem persists. Please note that the clients in the inside network can access the Internet and the email server.

I appreciate your expertise.

Thanks

Sam

1 ACCEPTED SOLUTION

Accepted Solutions

Re: eMail Server in DMZ can't get DNS service from AD/DNS server

OK, to fix the Internet access for the email server you should add the below:

access-list acl-dmz extended permit ip any any

This will allow the email server to access the internet, however this will also allow all access to the inside, so you also need to add

access-list acl-dmz extended deny ip any 172.120.100.0 255.255.255.0

So the complete ACL should look like:

access-list acl-dmz extended permit icmp any 172.20.100.0 255.255.255.0

access-list acl-dmz extended permit ip any host 172.120.100.(AD/DNS)

access-list acl-dmz extended deny ip any 172.120.100.0 255.255.255.0

access-list acl-dmz extended permit ip any any

HTH
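
The answer above hinges on ordering: an ASA ACL is evaluated top to bottom, first match wins, and everything that matches nothing is dropped by the implicit deny. The following Python script is an added example, not part of the thread and not Cisco code; it parses a small subset of the ASA "access-list NAME extended ..." syntax, evaluates sample packets against an ACL the way the firewall would, and flags rules that an earlier line has made unreachable. The addresses (mail server 192.168.50.10, AD/DNS 172.20.100.10, inside subnet 172.20.100.0/24) and the ACL lines themselves are constructed for the example, and the tightened ACL goes beyond the accepted answer by permitting only the mail server, and only DNS to the AD/DNS host, rather than "ip any" to it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Minimal first-match evaluator for ASA-style "access-list NAME extended ..." lines.
# Supported subset (an assumption of this example): permit/deny; protocol
# ip/tcp/udp/icmp; source and destination written as "any", "host A.B.C.D" or
# "A.B.C.D MASK"; optional "eq PORT" on the destination. Source-port operators,
# ranges, object-groups and most named ports are deliberately not handled.

PORT_NAMES = {"domain": 53, "smtp": 25, "www": 80, "https": 443}


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse an address spec starting at tok[i]; return (network, next index)."""
    t = tok[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # "address mask" form; strict=False tolerates host bits set in the address
    return ipaddress.ip_network(f"{t}/{tok[i + 1]}", strict=False), i + 2


def parse_acl_line(line: str) -> Tuple[str, Rule]:
    """Parse one ASA extended ACL line into (acl name, Rule)."""
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"unsupported ACL line: {line!r}")
    name, action, proto = tok[1], tok[3], tok[4]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line!r}")
    src, i = _parse_addr(tok, 5)
    dst, i = _parse_addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        dport = int(p) if p.isdigit() else PORT_NAMES[p]
    return name, Rule(action, proto, src, dst, dport)


def parse_acl(lines: List[str]) -> List[Rule]:
    return [parse_acl_line(l)[1] for l in lines if l.strip()]


def evaluate(rules: List[Rule], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> str:
    """First matching rule wins; every ASA ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"


def shadowed(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never match because an earlier rule already
    covers every packet they would match (same or wider proto, addresses, port)."""
    out = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            if (e.proto in ("ip", r.proto)
                    and r.src.subnet_of(e.src) and r.dst.subnet_of(e.dst)
                    and (e.dport is None or e.dport == r.dport)):
                out.append(i)
                break
    return out


# Constructed sample data; these addresses are hypothetical, not from the thread.
MAIL, DNS, INSIDE = "192.168.50.10", "172.20.100.10", "172.20.100.0 255.255.255.0"

# The blanket permit placed before the deny: the deny line is unreachable and
# the whole inside subnet is exposed to the DMZ.
MISORDERED = parse_acl([
    "access-list acl-dmz extended permit ip any any",
    f"access-list acl-dmz extended deny ip any {INSIDE}",
])

# Tightened form of the accepted answer: only the mail server, only DNS to the
# AD/DNS host, nothing else to the inside subnet, then Internet for the mail host.
TIGHT = parse_acl([
    f"access-list acl-dmz extended permit udp host {MAIL} host {DNS} eq domain",
    f"access-list acl-dmz extended permit tcp host {MAIL} host {DNS} eq domain",
    f"access-list acl-dmz extended deny ip any {INSIDE}",
    f"access-list acl-dmz extended permit ip host {MAIL} any",
])

if __name__ == "__main__":
    print("shadowed in MISORDERED:", shadowed(MISORDERED))          # [1]
    print("SMB to inside (misordered):", evaluate(MISORDERED, "tcp", MAIL, "172.20.100.20", 445))
    print("DNS to AD (tight):", evaluate(TIGHT, "udp", MAIL, DNS, 53))
    print("SMB to inside (tight):", evaluate(TIGHT, "tcp", MAIL, "172.20.100.20", 445))
    print("HTTP to Internet (tight):", evaluate(TIGHT, "tcp", MAIL, "203.0.113.5", 80))
```

The "permit ip any" line to the AD/DNS host in the accepted answer would also let the DMZ host reach LDAP, SMB and RPC on the domain controller; restricting it to UDP/TCP 53 keeps a compromised mail server from using DNS access as a foothold into the domain, which is the reason the deny for the rest of the inside subnet must sit above the final permit.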

8 REPLIES

Re: eMail Server in DMZ can't get DNS service from AD/DNS server

You need to ensure the DMZ server has a NAT or PAT to the outside to access the internet.

HTH


Re: eMail Server in DMZ can't get DNS service from AD/DNS server

Thanks Andrew,

Actually it has a nat (dmz) and it uses the same global which serves the inside network. I verified Internet access by changing it to the ISP's DNS; it works fine, but the local admin has his own reasons to use the local DNS.

Any other idea ?

Re: eMail Server in DMZ can't get DNS service from AD/DNS server

OK - for every no we are closer to a yes.

Can you post the full NAT and access-lists you have configured? Remove any sensitive information.


Re: eMail Server in DMZ can't get DNS service from AD/DNS server

Thanks Andrew,

I have attached the critical portion of the config file.

Thanks

Re: eMail Server in DMZ can't get DNS service from AD/DNS server

OK I see the config - remind me again what exactly the problem is, as looking at the config I can see multiple potential issues.


Re: eMail Server in DMZ can't get DNS service from AD/DNS server

Hi Andrew,

The issue is, on moving the eMail server to the DMZ it loses access to the web, while the internal users keep accessing the web. Please note that the AD/DNS is in the inside network.

Thanks


Re: eMail Server in DMZ can't get DNS service from AD/DNS server

Thanks Andrew, your observation sounds logical. Instead of permit ip any any on the DMZ, I will permit the server's host address to any.

I will try it and post the rating if it solves the problem. Until then, please accept my regards. Sam
