06-20-2007 12:56 PM - edited 03-11-2019 03:33 AM
First, let me give you a little background on what is happening.
We are deploying a front-end Outlook Web Access exchange server. The domain controller, exchange server and OWA server are all running Server 2003. The OWA server is on a DMZ network on an ASA5505 running v7.2(2) software. The other servers are on the inside network. Here are the IP ranges:
inside: 192.168.0.0 255.255.252.0
DMZ: 172.20.1.0 255.255.255.0
The OWA server is at 172.20.1.50. The Windows domain controller and the back-end Exchange server are at 192.168.0.30 and 192.168.0.12 respectively. The exchange server is also a backup domain controller.
I have added static NAT entries to allow the OWA server to refer to the Domain Controller and the Exchange server as addresses on the DMZ network.
static (inside,DMZ) 172.20.1.12 192.168.0.12 netmask 255.255.255.255 dns
static (inside,DMZ) 172.20.1.30 192.168.0.30 netmask 255.255.255.255 dns
I added the dns keyword on the end of these static NAT commands to perform DNS doctoring on any DNS requests. I have also configured the OWA box to use 172.20.1.30 as its DNS server.
This is all well and good, except that when we try and authenticate on the OWA server to check email, we see the following messages on the ASA:
%ASA-3-305005: No translation group found for icmp src DMZ:172.20.1.50 dst inside:192.168.0.30 (type 8, code 0)
%ASA-3-305005: No translation group found for icmp src DMZ:172.20.1.50 dst inside:192.168.0.30 (type 8, code 0)
%ASA-3-305005: No translation group found for udp src DMZ:172.20.1.50/137 dst inside:192.168.0.12/137
%ASA-3-305005: No translation group found for tcp src DMZ:172.20.1.50/34380 dst inside:192.168.0.12/445
So it seems to me that the OWA server is trying to access the domain controller and the exchange server via their inside addresses. Why would it be doing this when all of the information it has specifies DMZ network addresses and DNS doctoring is enabled?
Something else that is strange is that when I execute "nslookup dc.domain.com" I receive a reply back that the address is 172.20.1.30. So it seems that DNS doctoring is working. However, when I execute "ping dc.domain.com" it replies that it is trying to ping 192.168.0.30. I have even tried doing "ipconfig /flushdns" and I still get the same behavior.
Are there some DNS messages that DNS doctoring doesn't modify that could be causing this? Or is it possible there is another setting somewhere on the OWA server that is causing this? The only way I have been able to get it to work is to add entries in the hosts file on the OWA server to point explicitly at these IPs.
I have to admit that Microsoft systems administration is not my forte, so maybe I am going about this completely the wrong way. Any help anyone can offer would be greatly appreciated.
Thanks,
Sean
06-20-2007 01:42 PM
Sean, why the need for the inside servers to appear to have dmz addresses? Is this a requirement for some specific reason?
You could get rid of the destination nat and dns keyword and just do...
static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.252.0
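The Python model below is an added example for this thread; it is not the poster's or the answerer's code and it is not how the ASA implements NAT. It parses the static commands quoted in the question and in the reply above, reproduces the destination-side translation lookup that produces the %ASA-3-305005 "No translation group found" lines, shows why the identity static (mapped address equal to real address) makes the same packets forwardable, and models the A-record rewrite the dns keyword performs. The simplifications are assumptions of the model and are marked in the comments: dynamic NAT, nat-control and access lists are ignored, and only the real-to-mapped direction of DNS doctoring is shown. The DNS answers fed to it are constructed.

```python
"""Toy model of the ASA 7.x behaviour discussed in this thread: the per-host
static NAT lookup that produced the %ASA-3-305005 messages, the identity
static that replaces it, and the A-record rewrite done by the 'dns' keyword.
Simplified illustration written for this thread, not ASA code."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Static:
    real_if: str                    # interface the real host sits behind
    mapped_if: str                  # interface where the mapped address is seen
    mapped: ipaddress.IPv4Network   # address(es) hosts on mapped_if use
    real: ipaddress.IPv4Network     # the host's actual address(es)
    dns: bool                       # 'dns' keyword present -> doctor replies


# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask [dns]
STATIC_RE = re.compile(
    r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)(?: (dns))?\s*$")


def parse_static(line: str) -> Static:
    """Parse one 'static' command line into a Static record."""
    m = STATIC_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a static command: {line!r}")
    real_if, mapped_if, mapped, real, mask, dns = m.groups()
    return Static(
        real_if, mapped_if,
        ipaddress.IPv4Network(f"{mapped}/{mask}", strict=False),
        ipaddress.IPv4Network(f"{real}/{mask}", strict=False),
        dns is not None,
    )


# The two per-host statics from the question (config lines quoted in the thread).
STATICS_ORIGINAL = [
    parse_static("static (inside,DMZ) 172.20.1.12 192.168.0.12 netmask 255.255.255.255 dns"),
    parse_static("static (inside,DMZ) 172.20.1.30 192.168.0.30 netmask 255.255.255.255 dns"),
]
# The identity static from the reply: mapped == real, i.e. no translation at all.
STATICS_FIXED = [
    parse_static("static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.252.0"),
]


def lookup_dest(statics, in_if, out_if, dst):
    """Destination-side lookup for a packet entering in_if toward a host behind
    out_if. Returns the real address the ASA would forward to, or None when no
    static makes dst reachable from in_if (the 305005 condition).
    Assumption/simplification: dynamic NAT, nat-control and ACLs are ignored."""
    dst = ipaddress.IPv4Address(dst)
    for s in statics:
        if s.mapped_if == in_if and s.real_if == out_if and dst in s.mapped:
            offset = int(dst) - int(s.mapped.network_address)
            return str(s.real.network_address + offset)
    return None


def check_packet(statics, proto, in_if, src, out_if, dst, dport=None):
    """Return ('forwarded', real_dst) or ('dropped', syslog_line), with the
    syslog line in the same format as the messages quoted in the thread."""
    real = lookup_dest(statics, in_if, out_if, dst)
    if real is not None:
        return ("forwarded", real)
    port = f"/{dport}" if dport is not None else ""
    return ("dropped",
            f"%ASA-3-305005: No translation group found for {proto} "
            f"src {in_if}:{src} dst {out_if}:{dst}{port}")


def doctor_dns_answer(statics, client_if, answers):
    """DNS doctoring for a reply leaving toward client_if: an A record holding a
    real address covered by a 'dns' static whose mapped side is client_if is
    rewritten to the mapped address; other records pass unchanged.
    Only the real->mapped direction is modelled (assumption of this model)."""
    out = []
    for a in answers:
        addr = ipaddress.IPv4Address(a)
        for s in statics:
            if s.dns and s.mapped_if == client_if and addr in s.real:
                offset = int(addr) - int(s.real.network_address)
                addr = s.mapped.network_address + offset
                break
        out.append(str(addr))
    return out


if __name__ == "__main__":
    # Reproduce one of the thread's log lines with the original statics...
    print(check_packet(STATICS_ORIGINAL, "tcp", "DMZ", "172.20.1.50/34380",
                       "inside", "192.168.0.12", 445))
    # ...and show the identity static making the same packet forwardable.
    print(check_packet(STATICS_FIXED, "tcp", "DMZ", "172.20.1.50/34380",
                       "inside", "192.168.0.12", 445))
    # Constructed DNS answer: the DC's real address as seen by the DMZ client.
    print(doctor_dns_answer(STATICS_ORIGINAL, "DMZ", ["192.168.0.30"]))
```

Running the block prints the dropped verdict with a line matching the thread's tcp/445 message, the forwarded verdict once the /22 identity static is in place, and the doctored answer 172.20.1.30. The model also makes the trade-off in the reply explicit: with the identity static the inside hosts are reachable from the DMZ under their real addresses, so the DNS doctoring rewrite is no longer needed, and the allowed ports are governed by the access list rather than by which addresses happen to have a static.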
06-20-2007 02:03 PM
I guess there isn't a specific reason. I suppose I just wanted the DMZ to be a separate subnet from the inside network.
I guess since we are opening all of the necessary ports through to the inside anyway it doesn't offer any additional security.
Will I have to renumber the IP address of the DMZ vlan interface on the ASA if I do what you suggest? Currently the DMZ vlan interface is at 172.20.1.1. Sorry if this is a silly question. I'm somewhat new to this DMZ/NAT/Firewall thing.
Thanks for your help.
06-20-2007 02:12 PM
"I guess there isn't a specific reason. I suppose I just wanted the DMZ to be a separate subnet from the inside network."
-It will still be.
"I guess since we are opening all of the necessary ports through to the inside anyway it doesn't offer any additional security."
-Not that I can think of. Plus one less thing to worry about...dns doctoring.
"Will I have to renumber the IP address of the DMZ vlan interface on the ASA if I do what you suggest?"
-No. The static I wrote above allows the inside and dmz to communicate.
06-21-2007 07:37 AM
Ok, I tried what you suggested and it worked great! Thanks so much for your help.
I suppose I should have tried that to begin with, but I have to say that NATing a network to itself is somewhat confusing to me. Thanks again.
06-21-2007 07:39 AM
Well, it's not so much natting a network to itself as it is not natting at all. There just needs to be a translation there. Glad it worked out.
06-21-2007 09:54 AM
Oh, I understand what you mean now. Thanks again.