While using VPN. The destination server for this recipient could not be found in Domain Name Service (DNS). Please verify the email address and retry. If that fails, contact your administrator.

I had recently setup a Cisco ASA 5510 for a remote location that has it's own Exchange server.

Through the ASA I setup VPN connectivity. The users use Cisco VPN client to connect to the network.

When the user works from home and tries to send email they get these as kick backs.

The destination server for this recipient could not be found in Domain Name Service (DNS).  Please verify the email address and retry.  If that fails, contact your administrator. <exchangeserver.domain.local #5.4.0>

While inside the office the email works fine.

The users had used a Windows VPN session in the past and that worked fine. So it's after we setup VPN through the ASA did this problem start happening.
Drakin030Asked:
Who is Participating?
 
Drakin030Connect With a Mentor Author Commented:
Turns out the issue was that these users had there email setup via pop/smtp and not Exchange.
0
 
Roachy1979Commented:
Within the DHCP scope on the ASA for VPN connections you need to specify your AD DNS server....

That way, when clients log on they will use the internal DNS (and it's respective forwarders).

0
 
Drakin030Author Commented:
In the DNS options, the DNS server is set to the correct internal DNS server.

After connection to the VPN I ran an ipconfig /all and it displayed that DNS server.
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 
Roachy1979Commented:
ok.....

from the client can you open a command prompt and try

nslookup
set type=mx
gmail.com

The client should be able to see the mx records for gmail.  This should just test that the DNS traffic is functioning on the client machine....
0
 
Drakin030Author Commented:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

U:\>nslookup
*** Can't find server name for address 192.168.10.5: Non-existent domain
*** Can't find server name for address 192.168.1.50: Non-existent domain
*** Can't find server name for address 192.168.1.19: Non-existent domain
*** Default servers are not available
Default Server:  UnKnown
Address:  192.168.10.5

> set type=mx
> gmail.com
Server:  UnKnown
Address:  192.168.10.5

Non-authoritative answer:
gmail.com       MX preference = 5, mail exchanger = gmail-smtp-in.l.google.com
gmail.com       MX preference = 10, mail exchanger = alt1.gmail-smtp-in.l.google
.com
gmail.com       MX preference = 10, mail exchanger = alt2.gmail-smtp-in.l.google
.com
gmail.com       MX preference = 50, mail exchanger = gsmtp147.google.com
gmail.com       MX preference = 50, mail exchanger = gsmtp183.google.com

gmail.com       nameserver = ns2.google.com
gmail.com       nameserver = ns4.google.com
gmail.com       nameserver = ns3.google.com
gmail.com       nameserver = ns1.google.com
gmail-smtp-in.l.google.com      internet address = 72.14.205.114
gmail-smtp-in.l.google.com      internet address = 72.14.205.27
gsmtp147.google.com     internet address = 209.185.147.27
gsmtp183.google.com     internet address = 64.233.183.27
ns1.google.com  internet address = 216.239.32.10
ns2.google.com  internet address = 216.239.34.10
ns3.google.com  internet address = 216.239.36.10
ns4.google.com  internet address = 216.239.38.10
>

**10.5 = DNS/Exchange server**
0
 
Roachy1979Commented:
Possibly a bit of a ballache, but by any chance do any of your users use RPC/HTTPS - might be worth setting up to see if the fault can be replicated outside the VPN tunnel?

Just a though....
0
 
Drakin030Author Commented:
RPC/HTTP is not used. I guess I could set it up, but if a user connects to the VPN would it not default back to the VPN tunnel over the internet? (If that makes sense)

I'd still like to try and figure out why I'm getting these responses...>Could the traffic be blocked maybe?
0
 
Roachy1979Commented:
I think traffic is probably being blocked by the VPN, but not sure why this would happen.  

Thats why the RPC/HTTPS suggestion....just to see if the fault still occurs, in which case the VPN can be ruled out...

It depends on your VPN client config - you can either tunnel all traffic from a machine down a VPN or be a little more selective and only tunnel traffic for a particular network.  Because you generally use a hostname in Outlook for RPC/HTTPS, it should reconcile this as traffic for "outside" the tunnel...

0
 
Drakin030Author Commented:
Doesn't that require a certificate on the mail server?

I'd still rather not go that route as a final answer, just because I'd rather then not use RPC/HTTP.

It's just a handful of users and VPN should work fine.

If it's traffic being blockes, then what ports should I have open?
0
 
Roachy1979Commented:
Yes....RPC over HTTP uses a certificate, and while I wouldn't recommend it for long term use, you can use a self signed SSL cert to test with.  This is the same cert that would be used if users use OWA....

I agree though that a VPN is possibly the best way forward....

The ports used by Outlook/Exchange are listed here, although ensure you only open these ports over the VPN, rather than publicly......

http://outlookexchange.blogspot.com/2006/07/ports-used-by-exchange.html



0
 
Drakin030Author Commented:
I didn't know that you could actualy open ports for JUST VPN users.

Not 100% sure on how to do that but I'm going to do some research. I'll also give your RPC/HTTP a stab if this ends up taking to long.
0
 
Roachy1979Commented:
Some VPN's are capable of restricting the type of traffic permitted to enter a network based on port.....I know this is possible in Linux, but I'm not too familiar with the ASA and whether this is possible......

For example it is possible to permit inbound DNS and SMTP traffic through the VPN but deny FTP etc.....

0
 
Drakin030Author Commented:
Still nothing, anyone got any ideas? I tried forwarding all traffic for the VPN network through the firewall. Still no luck.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.