This will allow your whole inside segment to access the DMZ. If access control is needed for specific access, apply an access-list on the inside interface to strictly allow inside hosts to access your DMZ's email server via the allowed ports, for example TCP 25 (SMTP), and HTTP & HTTPS (TCP 80 & 443) for webmail.
access-list inside permit tcp any host 192.168.11.4 eq smtp --> permit smtp access. Assuming 192.168.11.4 is your email server in DMZ
access-list inside permit tcp any host 192.168.11.4 eq www --> allow webmail (via port 80) to pass through
access-list inside permit tcp any host 192.168.11.4 eq https --> allow secure http (https) to pass through
access-list inside deny ip any 192.168.11.0 255.255.255.0 --> deny other inside hosts from connecting to other DMZ's hosts, except for the 3 services above
access-list inside permit ip any any --> allow inside hosts to connect to other segments, i.e. the internet/outside segment
access-group inside in interface inside --> bind acl to inside interface
You should also modify the following acl on DMZ to rectify the first 4 deny logs
existing : access-list dmz permit udp any eq domain any eq domain
change to: access-list dmz permit udp any any eq domain --> to allow DMZ's 192.168.11.4 to talk to DNS server on inside segment.
The source port on the DMZ server can be anything, as long as the destination port is correctly pointing to UDP 53.
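An added example (not part of the original post): a small Python model of first-match ACL evaluation over the rules above. It shows why the deny for 192.168.11.0/24 must follow the three permits, and why the existing DNS rule drops queries sent from an ephemeral source port. The inside DNS server address 192.168.1.10, the outside address 203.0.113.10 and all sample packets are constructed assumptions.

```python
import ipaddress

# Rules transcribed from the post: (action, proto, src_port, dst_net, dst_port).
# None means "any". The source address is "any" in every rule, so it is not modeled.
INSIDE_ACL = [
    ("permit", "tcp", None, "192.168.11.4/32", 25),   # smtp
    ("permit", "tcp", None, "192.168.11.4/32", 80),   # www
    ("permit", "tcp", None, "192.168.11.4/32", 443),  # https
    ("deny",   "ip",  None, "192.168.11.0/24", None),  # rest of the DMZ
    ("permit", "ip",  None, "0.0.0.0/0", None),        # everything else
]
DMZ_DNS_EXISTING = [("permit", "udp", 53, "0.0.0.0/0", 53)]    # any eq domain any eq domain
DMZ_DNS_CHANGED = [("permit", "udp", None, "0.0.0.0/0", 53)]   # any any eq domain


def evaluate(acl, proto, src_port, dst_ip, dst_port):
    """Return (action, index of matching rule). First match wins; implicit deny at the end."""
    dst = ipaddress.ip_address(dst_ip)
    for i, (action, r_proto, r_sport, r_net, r_dport) in enumerate(acl):
        if r_proto not in ("ip", proto):
            continue
        if r_sport is not None and r_sport != src_port:
            continue
        if dst not in ipaddress.ip_network(r_net):
            continue
        if r_dport is not None and r_dport != dst_port:
            continue
        return action, i
    return "deny", None  # nothing matched: implicit deny


if __name__ == "__main__":
    # Constructed packets: (label, acl, proto, src_port, dst_ip, dst_port)
    samples = [
        ("inside -> mail smtp", INSIDE_ACL, "tcp", 40000, "192.168.11.4", 25),
        ("inside -> mail rdp", INSIDE_ACL, "tcp", 40001, "192.168.11.4", 3389),
        ("inside -> other DMZ host", INSIDE_ACL, "tcp", 40002, "192.168.11.5", 80),
        ("inside -> outside", INSIDE_ACL, "tcp", 40003, "203.0.113.10", 443),
        ("DMZ DNS query, existing rule", DMZ_DNS_EXISTING, "udp", 49152, "192.168.1.10", 53),
        ("DMZ DNS query, changed rule", DMZ_DNS_CHANGED, "udp", 49152, "192.168.1.10", 53),
    ]
    for label, acl, proto, sport, dst, dport in samples:
        print(f"{label:32} {evaluate(acl, proto, sport, dst, dport)}")
```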
The problem that you have is very simple. It's a port service problem: Microsoft Outlook uses RPC service ports (1025 - 65535) and OWA (Outlook Web Access) uses the http and https ports. The solution is to open the following ports:
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :