Solved

TMG Server on Hyper-V behind Cisco ASA problem

Posted on 2010-09-02
11
2,047 Views
Last Modified: 2012-05-10
I have installed Threat Management Gateway 2010 in a back-end firewall configuration on a virtual server on a Windows Server 2008 Hyper-V host. This has 2 virtual network cards on 2 different VLANs (100 and 1001) and plugs into my 3COM core switch. I have a Cisco ASA that also plugs into my core switch (allowing VLANs 100 and 199); my internet connection also plugs into the core switch on VLAN 199.

The TMG server is new, before I added this the core switch passed any external requests onto the ASA which routes out to the internet line.

I am now trying to use the TMG server as a web proxy to block internet access for anyone without an allow rule and to monitor what those who are accessing it are looking at.

The TMG server can access the internal network fine and the default gateway is set to VLAN 100 (to the ASA, which it can ping).

I can't, however, access the internet from the TMG server; it responds with a 10060 connection timeout and says the gateway could not receive a timely response....

I would like to keep the ASA in place as a front firewall and just use TMG as a back firewall and proxy server for controlling internet.

Can anyone point me in the direction of where I am going wrong? Diagram attached.

Many thanks,
Steve
Question by:Bicesterlad
11 Comments
 
LVL 2

Expert Comment

by:panman3
ID: 33586928
there are several paths:

- Check the TMG NIC pointing to the ASA; does this one have the ASA's IP as the gateway in its IP settings? Otherwise it will look on the VLAN and may not find the correct path to route externally.
- How's your DNS? Can you resolve addresses on the ISA (command prompt - ping www.google.be)? If not, can you access a site by IP? If not, then it's indeed a network/TMG issue, and this may also cause DNS not to be able to send out external requests. If you can access by IP then it might be a DNS issue.
- What routing rules do you have in your "networks" section on TMG? Before you can use firewall rules to allow certain traffic, you also need a more general routing rule to link otherwise completely separated networks (between your internal network 1001 and "external" 100).
- Do you have a firewall rule in place allowing internet traffic from localhost to external? I'm not certain whether this is enabled by default or you need to allow localhost to access the internet manually.
- How's your switch config? Certain there's no problem with VLAN 100? Ports configured correctly?

Regards,
Geert

Author Comment

by:Bicesterlad
ID: 33587815
Hi Geert, thanks for your reply.

I now can't ping my ASA (10.1.0.2), which is set as the default gateway on the external NIC of the TMG server. I think it may have something to do with my IP address ranges for the perimeter/internal network. I presume the ASA is now located in the perimeter network and the TMG on the internal, so I have 10.1.0.0 to 10.1.0.255 included in perimeter, and 10.0.0.0 to 10.0.255.255 and 10.1.1.0 to 10.255.255.255 included in my internal.

I have rules allowing SMTP, DNS, LDAP, HTTP/S, ping, RDP, RPC, NetBIOS from internal to internal and allowing HTTP/S from internal to perimeter/external - I have also added a rule allowing all protocols to try to eliminate that being the problem.

DNS seems fine and I have not had any issues with this, but I can't ping the ASA by IP since setting up the perimeter IP range.

Routes all seem to be set OK; the gateway for 0.0.0.0 is the ASA.

Switch config all good with the ports allowing all required VLANS.

Really stumped as to what is wrong.

thanks,
Steve
LVL 10

Expert Comment

by:simonlimon
ID: 33590332
You didn't attach the diagram.

How is the network configured? The LAN, the network between the ASA and the TMG?

If you disable the web proxy, does it work then?

Can you monitor the session? Do you see anything in the Logs and Reporting logging tab?

Author Comment

by:Bicesterlad
ID: 33594373
Oops, didn't realise :-) Diagram attached, hope it makes sense.

The current route for 0.0.0.0 on the 3Com core switch is the ASA 10.1.0.2 and this is working fine, so users currently have internet access. What I'd like to do is get the TMG server working with internet access through the ASA, then once this is working change the route for 0.0.0.0 on the core switch to the TMG; at the moment I can't block internet access for anyone on the network easily.

The TMG is talking to the internal network fine, but going out through 10.1.0.3 to the ASA on 10.1.0.2 there is no response. I also can't ping 10.1.0.1 on the core switch. My ports are allowing the correct VLANs, and before I put TMG into back firewall mode (from single NIC) this network card (10.1.0.3) could ping both 10.1.0.1 and 10.1.0.2, which is why I think it's something to do with the perimeter network settings.

Am I in a mess, or does it all make sense and there is a logical reason?

Many thanks.
TMGPlan.jpg

Author Comment

by:Bicesterlad
ID: 33594388
P.S. Doesn't work if I disable the proxy, and in my logging I just see 10060 connection failed errors, presumably as I can't ping the DG?

Author Comment

by:Bicesterlad
ID: 33624923
Has no one any ideas?

Thanks in advance.....
LVL 2

Accepted Solution

by:panman3 (earned 500 total points)
ID: 33627412
I think there are too many unknown variables here (exact switch config, for example), so my guess is you'll need a network expert on the scene to do simultaneous logging on TMG and ASA + switches and to try different types of requests and see where they end up and where they're blocked.
LVL 9

Expert Comment

by:Donboo
ID: 33639181
Just putting in a checklist for you.

1. Check the ASA default route is set to the ISP GW.
2. Check the ASA can ping the ISP GW.
3. Check the ASA can ping something on the internet you know responds to ICMP (remember to check the ICMP rules of the ASA).
4. Check the ASA can ping the TMG server's IP.
5. Check the TMG server's IP settings on its external NIC. The default GW must point to the ASA.
6. Check the TMG server's IP settings on its internal NIC. No default GW must be configured here (check with "route print" that the default GW is correct).
7. Ping the ASA's IP from the TMG server (disable the TMG service so you can eliminate the network path).
8. Ping something on the internet you know responds to ICMP (remember to permit ICMP in the ASA's access-list and enable ICMP inspection).
LVL 9

Expert Comment

by:Donboo
ID: 33639193
Forgot to add: you need to check the ASA's NAT settings to make sure they permit the TMG server's external interface.

Author Comment

by:Bicesterlad
ID: 33644596
Donboo, I think you may be on to a winner here, as when I disable the TMG service I can ping the ASA but still cannot access the internet. So, as per your last message, I need to add a rule in the ASA NAT settings; should this just be an internal rule allowing TCP from 10.1.0.2 to any?

Hopefully I will then be able to access the internet, then I can restart the TMG services; it must be a TMG rule blocking me from pinging the ASA/accessing the internet when TMG is running??

Thanks
Steve
LVL 9

Expert Comment

by:Donboo
ID: 33650069
I would just use any any as you are in troubleshooting mode.

So in the NAT statement on the ASA change it to any any.

If you then can access the internet then you enable tmg and try again.
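Worked example, added to this page and not posted by anyone in the thread: an ASA configuration fragment that covers the ASA-side items in Donboo's checklist (default route, ICMP, NAT) and the NAT point raised in the last two comments. The addresses come from the question (ASA inside 10.1.0.2/24 on VLAN 100, core switch 10.1.0.1, TMG external NIC 10.1.0.3, user LAN 10.0.0.0/16); the interface names, the ISP-facing address 203.0.113.2/29 and its gateway 203.0.113.1 are placeholders, and the "before" NAT line is an assumption about the likely starting state. Pre-8.3 (ASA 8.2-style) NAT syntax is assumed, which matches a 2010 deployment; ASA 8.3 and later express the same thing as object NAT.

```cisco
! Added example, not from the thread. ASA 8.2-style syntax assumed.
! Interface names and the 203.0.113.0/29 ISP addresses are placeholders.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.2 255.255.255.0
!
! Checklist item 1: default route to the ISP gateway.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Return route for the user LAN behind the core switch (10.1.0.1 is the
! switch's VLAN 100 address from the question). Users already reach the
! internet today, so something equivalent to this must already be present.
route inside 10.0.0.0 255.255.0.0 10.1.0.1 1
!
! BEFORE (assumed starting state): dynamic PAT covers only the user LAN.
! TMG's external address 10.1.0.3 matches no nat statement, so with
! nat-control enabled its packets are dropped ("No translation group
! found"); with nat-control disabled they leave untranslated with a private
! source and the replies never come back. Either way TMG logs 10060 even
! though it can reach 10.1.0.2 with its firewall service stopped.
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.0.0
!
! AFTER: add the ASA-TMG segment to the same PAT pool. This is narrower than
! the "any any" suggested above for troubleshooting, but it is all the TMG
! external NIC needs, and it does not translate arbitrary sources.
nat (inside) 1 10.1.0.0 255.255.255.0
!
! Checklist items 7 and 8: allow pings to the ASA's own inside address from
! the TMG segment (the ASA permits this by default unless icmp deny rules
! exist; stating it makes the intent explicit), and inspect ICMP so that
! echo-replies from the internet are admitted statefully instead of needing
! a permit for icmp in the outside access-list.
icmp permit 10.1.0.0 255.255.255.0 inside
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification from the ASA CLI (exec commands, not part of the config):
!   show xlate | include 10.1.0.3
!       a PAT entry for 10.1.0.3 appears after a test connection from TMG
!   packet-tracer input inside tcp 10.1.0.3 40000 198.51.100.10 80
!       expect "Action: allow" with a NAT phase listed; a "drop" result
!       names the phase (ROUTE-LOOKUP, NAT, ACCESS-LIST) that rejected it
```

On the Windows side the checklist translates to: the external NIC carries 10.1.0.3/24 with 10.1.0.2 as its only gateway, the internal NIC has no gateway, and `route print` shows exactly one 0.0.0.0 route (via 10.1.0.2) plus persistent routes for the internal ranges via the VLAN 1001 router. The asker's observation that the ASA answers pings only while the TMG firewall service is stopped is consistent with TMG applying its own policy to Local Host traffic as well; once the ASA NAT is fixed, the remaining step is a TMG access rule that allows ping (and the web/DNS protocols in use) from Local Host to the network that contains 10.1.0.2.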