no internal access to published web site on DMZ

By alan.atkins
I have a really annoying problem where internal users on the AD DNS zone cannot access a web site published on the DMZ DNS zone. External users have no issues getting to the published site. Here is my setup in a nutshell:
ISA 2006 external IP => x.x.x.116
NIC1 => Internal LAN 10.10.1.1
NIC2 => DMZ; DNS zone located on 10.10.1.4 DC

DNS setup:
ISA 2006 is a caching-only forwarder for external name resolution, forwarding to the ISP
Stub zone created for the internal LAN of 10.10.1.0 (forward and reverse) => only records for the DC (NS & SOA 10.10.1.4)
Stub zone created for the DMZ of 172.16.0.0 (forward and reverse) => only records for the DC (NS and SOA)
ISA 2006 network rules:
DMZ => internal via NAT
Internal => DMZ via NAT
ISA 2006 access rules between zones:
DNS rule to allow the internal DNS server access to the ISA external DNS caching-only server
DNS rule to allow internal & DMZ access to DNS resolution
Access rule for DMZ to internal LAN for AD, NetBIOS, DNS
Access rule for internal LAN to DMZ allowing ping and RDP only (may need more access here)
Web server publishing rule to the web site on the DMZ (host header public name value of public.ourdomain.com => internal host name public.dmz; DNS records exist on the AD DC with host records for machine name web-root.dmz and site public.dmz to IP 172.16.0.9; the box is checked to "Forward the host name instead of the actual specified name in the publishing rule")
Internal DNS is AD hosted and the DC has only one NIC for the 10.10.1.0 network, but also a subnet zone for the DMZ of 172.16.0.0.

Rundown:
From the internal network, nslookup resolves IP 172.16.0.9 to web-root.dmz and vice versa
From the ISA 2006 gateway, nslookup resolves IP 172.16.0.9 to web-root.dmz and vice versa, as well as internal name resolution.
I can RDP to the web server from the internal DC with the access rule using both IP and DNS name.
I cannot RDP to an internal machine from the web server even though I have RDP traffic included in the access rule allowing DNS and AD packets from the DMZ to the internal network.
The web server is not on the domain, but gets its DNS info from ISA, as the DNS listed on the web server's DMZ NIC is pointed to the ISA 2006 DMZ NIC of 172.16.0.1 (if I do not point it to the ISA 2006 NIC instead of the actual AD DNS server of 10.10.1.4, then the web server cannot access the internet).
Problem:
External access to web sites on the DMZ server is fine. They can be accessed from anywhere outside of the internal network. However, internal access to the web site does not resolve. I keep getting DNS errors even though the IP and name both resolve using nslookup from either network, internal or DMZ. I am really at a loss for what to hit next. ISA 2006 logs do not show any denial of traffic when trying to access the web site from the internal network. I see the port 80 traffic pass, and when looking for denials from internal to DMZ and vice versa, nothing shows.
I am trying to figure out where the breakdown is. I know it is in DNS, but I cannot find where, since everything resolves through nslookup, but NOT through the web publishing rule. I have also tried routing the internal and DMZ networks through ISA (instead of NAT), but that does not work either. If anyone can see where I am setting things up wrong, I would greatly appreciate it. I am almost too frustrated to figure anything out anymore.
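For anyone working through the same kind of split-DNS / web-publishing problem, here is an added diagnostic to run from an internal Windows client. It is an editor's example, not code from alan.atkins's post or from ISA: it asks each resolver named in the post (the AD DC at 10.10.1.4 and the ISA DMZ NIC at 172.16.0.1) what it returns for the public name and for the two DMZ names, then checks what the client's own configured resolver returns, and finally probes port 80 on 172.16.0.9 with the same Host header the publishing rule forwards. The names and addresses are taken from the post; the expectation that public.ourdomain.com should resolve to 172.16.0.9 on the internal side is an assumption (it is what a split-DNS setup would give), and the post never says which address internal clients actually get for that name, which is the single most useful thing to find out. Resolve-DnsName and Test-NetConnection need Windows 8 / Server 2012 or later; the HttpWebRequest.Host property needs .NET 4.0 or later.

```powershell
# Added diagnostic (not from the original post). Run on an internal client.
# Names/IPs are those given in the post; the "expected" DMZ address for the
# public name is an assumption (split-DNS view), not something the post states.
$names    = 'public.ourdomain.com', 'public.dmz', 'web-root.dmz'
$servers  = [ordered]@{ 'AD-DC' = '10.10.1.4'; 'ISA-DMZ' = '172.16.0.1' }
$dmzIp    = '172.16.0.9'
$hostName = 'public.ourdomain.com'   # host header value in the publishing rule

# 1. What does each resolver in the post hand out for each name?
#    -DnsOnly skips the local cache/hosts file so we see the server's answer.
foreach ($s in $servers.GetEnumerator()) {
    foreach ($n in $names) {
        try {
            $recs = Resolve-DnsName -Name $n -Type A -Server $s.Value -DnsOnly -ErrorAction Stop
            $ans  = (($recs | Where-Object { $_.Type -eq 'A' }).IPAddress) -join ','
            if (-not $ans) { $ans = '(no A record)' }
        } catch {
            $ans = "FAIL: $($_.Exception.Message)"
        }
        '{0,-8} {1,-22} -> {2}' -f $s.Key, $n, $ans
    }
}

# 2. What does THIS client actually resolve the public name to? This is the
#    address the browser will connect to, regardless of what nslookup of
#    web-root.dmz says. If it is the external x.x.x.116 rather than the DMZ
#    address, internal clients are being sent out the front door of ISA.
$clientView = (Resolve-DnsName -Name $hostName -Type A -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'A' }).IPAddress
"client resolves $hostName -> $($clientView -join ',')"
if ($clientView -and ($clientView -notcontains $dmzIp)) {
    "NOTE: internal clients get $($clientView -join ','), not the DMZ address $dmzIp (assumed expected value)"
}

# 3. Is TCP/80 to the DMZ server reachable through the internal->DMZ rule?
Test-NetConnection -ComputerName $dmzIp -Port 80 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded

# 4. Does the site answer directly when asked with the published host header?
#    This bypasses DNS entirely, so it separates "name resolution" from
#    "web server / host-header" problems.
$req = [System.Net.HttpWebRequest]::Create("http://$dmzIp/")
$req.Host   = $hostName
$req.Method = 'GET'
$req.Timeout = 5000
try {
    $resp = $req.GetResponse()
    'HTTP {0} from {1} with Host: {2}' -f [int]$resp.StatusCode, $dmzIp, $hostName
    $resp.Close()
} catch {
    "HTTP probe to $dmzIp with Host: $hostName failed: $($_.Exception.Message)"
}
```

Read the output top to bottom: step 1 shows whether the AD DC and the ISA DMZ listener disagree about any of the three names; step 2 shows which of those answers the client is really using; steps 3 and 4 show whether the DMZ server is reachable and serving the published host header at all. A working step 4 next to a step 2 that returns the external address points at name resolution for the public name, not at the publishing rule or the access rules.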
