
Can't hit DMZ Server.....http and pop3/smtp

15 years 9 months ago #29281 by timparker
I will research that and take a look. Thanks.
15 years 9 months ago #29287 by S0lo
This could be a multi cause problem. So I'd try narrowing it down. First I'd remove this line:

```
static (outside,dmz) Internal_Web_Mail_Server External_Web_Mail_Server netmask 255.255.255.255
```

You only need one static statement to map an external address. The other static statement (dmz,outside) should be enough. However, this will probably not solve the problem.

Second, to make sure this is not an access list issue, just temporarily try removing those lines:

```
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
```

If it does work after this, then you know it's an access list issue. If it doesn't work, my next doubt is in those statements:

```
nat (inside) 0 access-list NoNAT
access-list NoNAT extended permit ip Lancaster-Net 255.255.255.0 Columbus-Net 255.255.255.0
access-list NoNAT extended permit ip Lancaster-Net 255.255.255.0 Ext_VPN_Network 255.255.255.0
```

The NoNAT access list does not seem to allow the destination network of the DMZ (192.168.18.0/24). You can add a 3rd statement (in NoNAT) to allow it.

One question here: does it work when you try to access it using the Internal_Web_Mail_Server IP (192.168.18.3) instead of the External_Web_Mail_Server IP (204.x.y.194)? If it does, then you might just need a static map to make it work using the External_Web_Mail_Server IP from inside. Something like this:

```
static (dmz,inside) External_Web_Mail_Server Internal_Web_Mail_Server netmask 255.255.255.255
```

That's as far as I know.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
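The NAT-exemption fix and the optional hairpin static from the advice above, assembled into one fragment as an added example (not the original poster's running config and not written by anyone in this thread). The names Lancaster-Net, Columbus-Net, Ext_VPN_Network, the *_Web_Mail_Server objects and the 192.168.18.0/24 DMZ range are taken from the thread; the ASA 7.x/8.2-style NAT syntax and the fact that Lancaster-Net is the inside network are assumptions.

```cisco
! Added example configuration fragment; assumes ASA 7.x/8.2-style NAT syntax and
! that Lancaster-Net is the inside subnet already defined with the "name" command.
!
! BEFORE: NoNAT exempts only the VPN destinations, so inside -> DMZ traffic is not
! covered by the nat 0 exemption (the thread reports inside -> DMZ not working).
access-list NoNAT extended permit ip Lancaster-Net 255.255.255.0 Columbus-Net 255.255.255.0
access-list NoNAT extended permit ip Lancaster-Net 255.255.255.0 Ext_VPN_Network 255.255.255.0
!
! AFTER: add the DMZ network so inside hosts reach 192.168.18.3 with their real addresses.
access-list NoNAT extended permit ip Lancaster-Net 255.255.255.0 192.168.18.0 255.255.255.0
nat (inside) 0 access-list NoNAT
!
! One static is enough to publish the mail server on its public address; keep only
! the (dmz,outside) direction and drop the redundant (outside,dmz) line.
static (dmz,outside) External_Web_Mail_Server Internal_Web_Mail_Server netmask 255.255.255.255
!
! Optional: only if inside clients must keep using the public IP (no split DNS).
! Maps the public address back to the DMZ host as seen from the inside interface.
static (dmz,inside) External_Web_Mail_Server Internal_Web_Mail_Server netmask 255.255.255.255
!
! dmz_access_in still has to permit only the published services (SMTP/POP3/HTTP per
! the thread title) toward Internal_Web_Mail_Server, and inside_access_in must allow
! the inside hosts toward the DMZ host; re-apply both access-groups after testing.
```

If internal DNS resolves the mail host to 192.168.18.3 (the split-DNS approach), the (dmz,inside) static is unnecessary and can be left out.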
15 years 9 months ago #29288 by timparker
I will give these a try tonight. I might have just missed it in the NoNAT section, might be simple. I have to look at that first statement, someone else told me I could/should remove that and I think it broke something.....might be related.

Currently we are using the external IP to hit these; I can change it in the DNS to resolve to the 192.168.18.x number and "stay inside".

This might just be simple. I will look at the other suggestions and ideas also! I appreciate the help and guidance.
15 years 9 months ago #29289 by timparker
Solo -- you rock! I added the NoNAT ACL and for kicks just added an entry to the HOSTS file on my PC to point to the "DMZ" address for the mail server and it works great.

I can just as easily add entries to our internal DNS when we are ready to move everyone to this box/set up to make it work. Now on to the next problem......
15 years 9 months ago #29292 by Smurf
I always find it easy to just manage a split DNS, that way you don't need to hairpin :)

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.