topic Re: eMail Server in DMZ can't get DNS service from AD/DNS server in Network Security

eMail Server in DMZ can't get DNS service from AD/DNS server in Inside

ccie16351 — Mon, 11 Mar 2019 16:27:29 GMT

Hi,

I am having trouble to have the Exchange server get Internet access on moving it from the Inside zone to the newly created DMZ. The design is asking to keep the AD which had the DNS server as well, in the Inside network.

I have made static (Inside,DMZ) to have the DNS server appears with its physical IP address to the DMZ (no natting) and for purpose of testing, I did allowed all IP traffic from DMZ to Inside.

Furthermore, I have added DNS for DNS doctoring to the static statement, but problem persists. Plz note the clients in the inside network access internet and the email server.

Appreciate you expertise.

Thanks

Sam

Re: eMail Server in DMZ can't get DNS service from AD/DNS server

andrew.prince — Mon, 19 Oct 2009 10:31:24 GMT

You need to ensure the DMZ server has a NAT or PAT to the outside to access the internet.

HTH>

Re: eMail Server in DMZ can't get DNS service from AD/DNS server

ccie16351 — Mon, 19 Oct 2009 11:33:07 GMT

Thanks Andrew,

actually it has nat (dmz) and it uses the same global which serves the inside network. I verified Internet access by changing it to DNS of the ISP, it works fine, but the local admin has his own reasons to use the local DNS.

Any other idea ?

Re: eMail Server in DMZ can't get DNS service from AD/DNS server

andrew.prince — Mon, 19 Oct 2009 11:43:11 GMT

OK - for every no we are closer to a yes.

Can you post the full NAT & Access-lists you have configured, remove any sensitive information.

Re: eMail Server in DMZ can't get DNS service from AD/DNS server

ccie16351 — Mon, 19 Oct 2009 15:37:47 GMT

Thanks Andrew,

I have attached the critical portion of the config. file.

Thanks

Re: eMail Server in DMZ can't get DNS service from AD/DNS server

andrew.prince — Tue, 20 Oct 2009 07:41:00 GMT

OK I see the config - remind me again what exactly the problem is, as looking at the config I can see multiple potential issues.

Re: eMail Server in DMZ can't get DNS service from AD/DNS server

ccie16351 — Tue, 20 Oct 2009 07:46:16 GMT

Hi Andrew,

the issue is, on moving the eMail server to DMZ it loose access to the web, while the internal user keep accessing the web. Pls note, the AD/DNS is in the inside network.

Thanks

Re: eMail Server in DMZ can't get DNS service from AD/DNS server

andrew.prince — Tue, 20 Oct 2009 07:53:25 GMT

OK to fix the internet access for the email server you need should add the below:-

access-list acl-dmz extended permit ip any any

This will allow the email server to access the internet, however this will also allow all access to the inside, so you also need to add

access-list acl-dmz extended deny ip any host 172.120.100.0 255.255.255.0

So the complete acl should look like:-

access-list acl-dmz extended permit icmp any 172.20.100.0 255.255.255.0

access-list acl-dmz extended permit ip any host 172.120.100.(AD/DNS)

access-list acl-dmz extended deny ip any host 172.120.100.0 255.255.255.0

access-list acl-dmz extended permit ip any any

HTH>

Re: eMail Server in DMZ can't get DNS service from AD/DNS server

ccie16351 — Tue, 20 Oct 2009 08:14:57 GMT

Thanks Andrew, your observation sounds logic. Instead of permit IP any any at DMZ, I will permit the Server's host address to any.

I will try it and post the rating if solved the problem. Until then, please accept my regards. Sam