I have a DMZ guest network set up on our ASA 5505. In my DMZ ACLs, I have denied access to the local production network 192.168.1.0/24 located on the inside interface and permitted access to any other network. I set it up this way so employee devices on the DMZ guest network can access internal resources via their external names. These include mail.company.com, eportal.company.com, and mail.company.com/OWA. My ACLs are properly allowing access to these sites and blocking access to anything on the internal production network 192.168.1.0/24, as planned.
My only problem is that when connected to the DMZ network, even though I can browse to these websites on a client (PC or Android), Android clients can't sync with Exchange located at mail.company.com. If they disconnect from the DMZ and connect to Verizon's network, they sync just fine.
I can see the hit count increasing on my DMZ ACL (permit ip any any), but the Android clients still won't sync mail. The other DMZ ACL (deny ip any 192.168.1.0/24) hit count is not increasing, so I know I am hitting the correct external address of mail.company.com.
I don't see anything in the Exchange logs so I feel like I am missing something on the ASA.
Any ideas why the Android clients can't sync their mail?
Thanks in advance.
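As an added reference that is not part of the post above: the DMZ ACL as the poster describes it, written out in ASA syntax, followed by the ASA-side checks used to see how the firewall actually handles the ActiveSync flow (Exchange ActiveSync runs over HTTPS, TCP 443). Only the 192.168.1.0/24 production network and the two access-list entries come from the post; the interface name `dmz`, the ACL name, the DMZ guest subnet 192.168.2.0/24, the client address 192.168.2.50 and the placeholder external address 203.0.113.10 for mail.company.com are assumptions.

```text
! Added example, not the poster's actual configuration. Assumed names and addresses:
!   DMZ interface name = dmz, DMZ guest subnet = 192.168.2.0/24
!   production inside subnet = 192.168.1.0/24 (from the post)
!   mail.company.com external address = 203.0.113.10 (placeholder, documentation range)
!
! The DMZ ACL as the post describes it: block the production LAN, allow everything else.
access-list DMZ_ACCESS_IN extended deny ip any 192.168.1.0 255.255.255.0
access-list DMZ_ACCESS_IN extended permit ip any any
access-group DMZ_ACCESS_IN in interface dmz
!
! Check 1: per-entry hit counters. The post's observation is that the permit counter
! climbs while the deny counter stays flat when an Android client tries to sync.
show access-list DMZ_ACCESS_IN
!
! Check 2: trace one ActiveSync connection (TCP 443) from a DMZ client to the mail
! server's external address through every ASA phase (ACL, NAT, routing, egress).
! "detailed" prints the rule matched at each phase and the final ALLOW/DROP verdict.
packet-tracer input dmz tcp 192.168.2.50 40000 203.0.113.10 443 detailed
!
! Check 3: capture the live flow on the DMZ interface while the phone syncs, to see
! whether the TCP handshake completes or the client only ever sends SYNs.
capture DMZ_SYNC interface dmz match tcp host 192.168.2.50 host 203.0.113.10 eq 443
show capture DMZ_SYNC
! Remove the capture when finished.
no capture DMZ_SYNC
```

The packet-tracer output is the most informative of the three: its NAT and route-lookup phases show which translation, if any, applies to a DMZ client reaching the external address of mail.company.com and on which interface the ASA decides to send the packet, which is exactly what the ACL hit counters alone cannot tell you.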