Outlook Web Access (OWA) server on a DMZ?

Amplify6326
Level 1

First, let me give you a little background on what is happening.

We are deploying a front-end Outlook Web Access exchange server. The domain controller, exchange server and OWA server are all running Server 2003. The OWA server is on a DMZ network on an ASA5505 running v7.2(2) software. The other servers are on the inside network. Here are the IP ranges:

inside: 192.168.0.0 255.255.252.0

DMZ: 172.20.1.0 255.255.255.0

The OWA server is at 172.20.1.50. The Windows domain controller and the back-end Exchange server are at 192.168.0.30 and 192.168.0.12 respectively. The exchange server is also a backup domain controller.

I have added static NAT entries to allow the OWA server to refer to the Domain Controller and the Exchange server as addresses on the DMZ network.

static (inside,DMZ) 172.20.1.12 192.168.0.12 netmask 255.255.255.255 dns

static (inside,DMZ) 172.20.1.30 192.168.0.30 netmask 255.255.255.255 dns

I added the dns keyword on the end of these static NAT commands to perform DNS doctoring on any DNS requests. I have also configured the OWA box to use 172.20.1.30 as its DNS server.

This is all well and good, except that when we try to authenticate on the OWA server to check email, we see the following messages on the ASA:

%ASA-3-305005: No translation group found for icmp src DMZ:172.20.1.50 dst inside:192.168.0.30 (type 8, code 0)

%ASA-3-305005: No translation group found for icmp src DMZ:172.20.1.50 dst inside:192.168.0.30 (type 8, code 0)

%ASA-3-305005: No translation group found for udp src DMZ:172.20.1.50/137 dst inside:192.168.0.12/137

%ASA-3-305005: No translation group found for tcp src DMZ:172.20.1.50/34380 dst inside:192.168.0.12/445

So it seems to me that the OWA server is trying to access the domain controller and the exchange server via their inside addresses. Why would it be doing this when all of the information it has specifies DMZ network addresses and DNS doctoring is enabled?

Something else that is strange is that when I execute "nslookup dc.domain.com" I receive a reply back that the address is 172.20.1.30. So it seems that DNS doctoring is working. However, when I execute "ping dc.domain.com" it replies that it is trying to ping 192.168.0.30. I have even tried doing "ipconfig /flushdns" and I still get the same behavior.

Are there some DNS messages that DNS doctoring doesn't modify that could be causing this? Or is it possible there is another setting somewhere on the OWA server that is causing this? The only way I have been able to get it to work is to add entries in the hosts file on the OWA server to point explicitly at these IPs.

I have to admit that Microsoft systems administration is not my forte, so maybe I am going about this completely the wrong way. Any help anyone can offer would be greatly appreciated.

Thanks,

Sean

Accepted Solution

acomiskey
Level 10

Sean, why the need for the inside servers to appear to have dmz addresses? Is this a requirement for some specific reason?

You could get rid of the destination nat and dns keyword and just do...

static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.252.0

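As an added example (not code from this thread, from Cisco, or from the ASA itself), here is a small Python model of the static-NAT lookup behind the %ASA-3-305005 messages Sean posted, run over a constructed copy of those log lines. It assumes a simplified matching rule: a packet that enters on the mapped interface (DMZ) and is destined for the real interface (inside) is translated only if its destination address lies inside the mapped block of some static entry. The names StaticNat, parse_305005, untranslated and summarize are this example's own.

```python
"""Model the ASA 7.x static-NAT lookup behind %ASA-3-305005 (added example)."""
import ipaddress
import re

# Constructed sample: the 305005 messages quoted in the question.
SAMPLE_LOG = """\
%ASA-3-305005: No translation group found for icmp src DMZ:172.20.1.50 dst inside:192.168.0.30 (type 8, code 0)
%ASA-3-305005: No translation group found for udp src DMZ:172.20.1.50/137 dst inside:192.168.0.12/137
%ASA-3-305005: No translation group found for tcp src DMZ:172.20.1.50/34380 dst inside:192.168.0.12/445
"""

LOG_RE = re.compile(
    r"%ASA-3-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)


def parse_305005(text):
    """Return one dict per 305005 line: protocol, interfaces, addresses, ports."""
    flows = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m is None:
            continue
        flows.append({
            "proto": m["proto"],
            "src_if": m["src_if"], "src": m["src"],
            "sport": int(m["sport"]) if m["sport"] else None,
            "dst_if": m["dst_if"], "dst": m["dst"],
            "dport": int(m["dport"]) if m["dport"] else None,
        })
    return flows


class StaticNat:
    """One 'static (real_if,mapped_if) mapped real netmask mask' entry.

    Simplified model (an assumption of this example, not ASA source behaviour):
    a packet entering on the mapped interface and leaving on the real interface
    is translated only if its destination lies in the mapped block.
    """

    def __init__(self, real_if, mapped_if, mapped, real, netmask):
        self.real_if = real_if
        self.mapped_if = mapped_if
        self.mapped_net = ipaddress.ip_network(f"{mapped}/{netmask}", strict=False)
        self.real_net = ipaddress.ip_network(f"{real}/{netmask}", strict=False)

    def matches(self, flow):
        return (flow["src_if"] == self.mapped_if
                and flow["dst_if"] == self.real_if
                and ipaddress.ip_address(flow["dst"]) in self.mapped_net)

    def is_identity(self):
        # Identity static: mapped block equals real block, so no address rewrite.
        return self.mapped_net == self.real_net


def untranslated(flows, statics):
    """Flows that would still trigger 305005 under the given static entries."""
    return [f for f in flows if not any(s.matches(f) for s in statics)]


# The two one-to-one statics from the question (posted with the dns keyword).
ORIGINAL = [
    StaticNat("inside", "DMZ", "172.20.1.12", "192.168.0.12", "255.255.255.255"),
    StaticNat("inside", "DMZ", "172.20.1.30", "192.168.0.30", "255.255.255.255"),
]
# The identity static from the accepted answer: inside hosts keep their own addresses.
SUGGESTED = [
    StaticNat("inside", "DMZ", "192.168.0.0", "192.168.0.0", "255.255.252.0"),
]


def summarize(text, statics):
    """Map each (dst, dport) seen in the log to whether a translation exists."""
    return {(f["dst"], f["dport"]): any(s.matches(f) for s in statics)
            for f in parse_305005(text)}


if __name__ == "__main__":
    for label, statics in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(label, summarize(SAMPLE_LOG, statics))
```

Under the two original statics only the mapped addresses 172.20.1.12 and 172.20.1.30 have a translation on the DMZ side, so anything the OWA host sends to the real 192.168.0.x addresses (here ICMP, NetBIOS/137 and SMB/445 to the domain controller and Exchange server) finds no translation group. The /22 identity static covers every inside destination without rewriting it, which is why it clears the errors without renumbering the DMZ interface.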

I guess there isn't a specific reason. I suppose I just wanted the DMZ to be a separate subnet from the inside network.

I guess since we are opening all of the necessary ports through to the inside anyway it doesn't offer any additional security.

Will I have to renumber the IP address of the DMZ vlan interface on the ASA if I do what you suggest? Currently the DMZ vlan interface is at 172.20.1.1. Sorry if this is a silly question. I'm somewhat new to this DMZ/NAT/Firewall thing.

Thanks for your help.

"I guess there isn't a specific reason. I suppose I just wanted the DMZ to be a separate subnet from the inside network."

-It will still be.

"I guess since we are opening all of the necessary ports through to the inside anyway it doesn't offer any additional security."

-Not that I can think of. Plus one less thing to worry about...dns doctoring.

"Will I have to renumber the IP address of the DMZ vlan interface on the ASA if I do what you suggest?"

-No. The static I wrote above allows the inside and dmz to communicate.

Ok, I tried what you suggested and it worked great! Thanks so much for your help.

I suppose I should have tried that to begin with, but I have to say that NATing a network to itself is somewhat confusing to me. Thanks again.

Well, it's not so much natting a network to itself as it is not natting at all. There just needs to be a translation there. Glad it worked out.

Oh, I understand what you mean now. Thanks again.
