Solved

TMG Server on Hyper-V behind Cisco ASA problem

Posted on 2010-09-02
2,055 Views
Last Modified: 2012-05-10
I have installed Threat Management Gateway 2010 in a back-end firewall configuration on a virtual server on a Windows Server 2008 Hyper-V host. This has 2 virtual network cards on 2 different VLANs (100 and 1001) and plugs into my 3COM core switch. I have a Cisco ASA that also plugs into my core switch (allowing VLANs 100 and 199), and my internet connection also plugs into the core switch on VLAN 199.

The TMG server is new, before I added this the core switch passed any external requests onto the ASA which routes out to the internet line.

I am now trying to use the TMG server as a web proxy to block internet access to anyone without an allow rule and to monitor what those accessing it are looking at.

The TMG server can access the internal network fine, and the default gateway is set to VLAN 100 (to the ASA, which it can ping).

I can't, however, access the internet from the TMG server; it responds with a 10060 connection timeout and says the gateway could not receive a timely response....

I would like to keep the ASA in place as a front firewall and just use TMG as a back firewall and proxy server for controlling internet access.

Can anyone point me in the direction of where I am going wrong? Diagram attached.

Many thanks,
Steve
Question by:Bicesterlad
11 Comments
 
LVL 2

Expert Comment

by:panman3
ID: 33586928
There are several paths:

- Check the TMG NIC pointing to the ASA; does this one have the ASA's IP as a gateway in its IP settings? Else it will look on the VLAN and may not find the correct path to route to external.
- How's your DNS? Can you resolve addresses on the ISA (command prompt - ping www.google.be)? If not, can you access a site by IP? If not, then it's indeed a network/TMG issue, and this may also cause DNS not to be able to send out external requests. If you can access by IP then it might be a DNS issue.
- What routing rules do you have in your "networks" section on TMG? Before you can use firewall rules to allow certain traffic, you also need a more general routing rule to link otherwise completely separated networks (between your internal network 1001 and "external" 100).
- Do you have a firewall rule in place allowing internet traffic from localhost to external? I'm not certain as to whether this is enabled by default or you need to allow localhost to access the internet manually.
- How's your switch config? Certain there's no problem with VLAN 100? Ports configured correctly?

Regards,
Geert

Author Comment

by:Bicesterlad
ID: 33587815
Hi Geert, thanks for your reply.

I now can't ping my ASA (10.1.0.2), which is set as the default gateway on the external NIC of the TMG server. I think it may have something to do with my IP address ranges for the perimeter/internal networks. I presume the ASA is now located in the perimeter network and the TMG on the internal, so I have 10.1.0.0 to 10.1.0.255 included in perimeter, and 10.0.0.0 to 10.0.255.255 and 10.1.1.0 to 10.255.255.255 included in my internal.

I have rules allowing SMTP, DNS, LDAP, HTTP/S, ping, RDP, RPC, NetBIOS from internal to internal and allowing HTTP/S from internal to perimeter/external - have also added a rule allowing all protocols to try and eliminate that being the problem.

DNS seems fine and I have not had any issues with this; can't ping the ASA by IP though since setting up the perimeter IP range.

Routes all seem to be set OK; the gateway for 0.0.0.0 is the ASA.

Switch config all good with the ports allowing all required VLANS.

Really stumped; what is wrong?

thanks,
Steve
LVL 10

Expert Comment

by:simonlimon
ID: 33590332
You didn't attach the diagram.

How is the network configured? The LAN, the network between the ASA and the TMG?

If you disable the web proxy, does it work then?

Can you monitor the session? Do you see anything in the Logs and Reporting logging tab?

Author Comment

by:Bicesterlad
ID: 33594373
Oops, didn't realise :-) Diagram attached; hope it makes sense.

The current route for 0.0.0.0 on the 3COM core switch is the ASA 10.1.0.2, and this is working fine, so users currently have internet access. What I'd like to do is get the TMG server working with internet access through the ASA, then once this is working change the route for 0.0.0.0 on the core switch to the TMG; at the moment I can't block internet access for anyone on the network easily.

The TMG is talking to the internal network fine, but going out through 10.1.0.3 to the ASA on 10.1.0.2 there is no response; I also can't ping 10.1.0.1 on the core switch. My ports are allowing the correct VLANs, and before I put TMG into back firewall mode (from single NIC) this network card (10.1.0.3) could ping both 10.1.0.1 and 10.1.0.2, which is why I think it's something to do with the perimeter network settings.

Am I in a mess, or does it all make sense and there is a logical reason?

Many thanks.
TMGPlan.jpg

Author Comment

by:Bicesterlad
ID: 33594388
P.S. It doesn't work if I disable the proxy, and in my logging I just see 10060 connection failed errors, presumably because I can't ping the DG?

Author Comment

by:Bicesterlad
ID: 33624923
Has no one any ideas?

Thanks in advance.....
LVL 2

Accepted Solution

by: panman3 (earned 500 total points)
ID: 33627412
I think there are too many unknown variables here (exact switch config, for example), so my guess is you'll need a network expert on the scene to do simultaneous logging on TMG and ASA + switches and to try different types of requests and see where they end up and where they're blocked.
LVL 9

Expert Comment

by:Donboo
ID: 33639181
Just putting in a checklist for you.

1. Check the ASA default route is set to the ISP GW.
2. Check the ASA can ping the ISP GW.
3. Check the ASA can ping something on the internet you know responds to ICMP (remember to check the ICMP rules of the ASA).
4. Check the ASA can ping the TMG server's IP.
5. Check the TMG server's IP settings on its external NIC. The default GW must point to the ASA.
6. Check the TMG server's IP settings on its internal NIC. No default GW must be configured here (check with "route print" that the default GW is correct).
7. Ping the ASA's IP from the TMG server (disable the TMG service so you can eliminate the network path).
8. Ping something on the internet you know responds to ICMP (remember to permit ICMP in the ASA's access-list and enable ICMP inspection).
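Steps 5 and 6 of the checklist, applied to the network ranges the asker listed earlier, as an added Python example that is not part of the thread: it models the Internal and Perimeter address ranges from the question, parses a constructed `route print` sample, and flags overlapping ranges, a default gateway that is not on the external NIC, or an internal NIC address outside the Internal network. The internal NIC address 10.0.0.10 is an assumed value; only 10.1.0.3 and 10.1.0.2 come from the thread.

```python
import ipaddress
import re

# TMG network objects as address ranges, as the question describes them (Internal and
# Perimeter); TMG's External network is implicitly every address not listed here.
TMG_NETWORKS = {
    "Internal": [("10.0.0.0", "10.0.255.255"), ("10.1.1.0", "10.255.255.255")],
    "Perimeter": [("10.1.0.0", "10.1.0.255")],
}
NICS = {"External": "10.1.0.3", "Internal": "10.0.0.10"}  # internal address is assumed
# Constructed sample of the IPv4 active-routes section of Windows `route print`.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.1.0.2       10.1.0.3     266
         10.1.0.0    255.255.255.0         On-link       10.1.0.3     266
"""

def network_of(ip, networks=TMG_NETWORKS):
    """Name of the TMG network whose ranges contain ip, or 'External' if none does."""
    addr = ipaddress.ip_address(ip)
    for name, ranges in networks.items():
        if any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi) for lo, hi in ranges):
            return name
    return "External"

def overlapping_networks(networks=TMG_NETWORKS):
    """Pairs of differently named networks whose ranges overlap; TMG does not permit this."""
    flat = [(n, ipaddress.ip_address(lo), ipaddress.ip_address(hi))
            for n, rs in networks.items() for lo, hi in rs]
    return [(a[0], b[0]) for i, a in enumerate(flat) for b in flat[i + 1:]
            if a[0] != b[0] and a[1] <= b[2] and b[1] <= a[2]]

def default_routes(route_print):
    """(gateway, interface) for every 0.0.0.0/0 entry in `route print` output."""
    pat = re.compile(r"^\s*0\.0\.0\.0\s+0\.0\.0\.0\s+(\S+)\s+(\S+)\s+\d+\s*$", re.M)
    return pat.findall(route_print)

def check_config(networks=TMG_NETWORKS, nics=NICS, route_print=ROUTE_PRINT):
    """Findings for checklist steps 5 and 6; an empty list means every check passes."""
    findings = [f"networks {a} and {b} overlap" for a, b in overlapping_networks(networks)]
    routes = default_routes(route_print)
    if len(routes) != 1:  # step 6: only the external NIC may carry a default gateway
        findings.append(f"expected one default route, found {len(routes)}")
    for gw, iface in routes:
        if iface != nics["External"]:
            findings.append(f"default route leaves via {iface}, not the external NIC")
        if network_of(gw, networks) != network_of(iface, networks):
            findings.append(f"gateway {gw} and interface {iface} are in different TMG networks")
    if network_of(nics["Internal"], networks) != "Internal":
        findings.append("internal NIC address falls outside the Internal network")
    return findings
```

Paste the real `route print` output into `ROUTE_PRINT` and the real NIC addresses into `NICS` to run the same checks against a live server.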
LVL 9

Expert Comment

by:Donboo
ID: 33639193
Forgot to add: you need to check the ASA's NAT settings to make sure they permit the TMG server's external interface.

Author Comment

by:Bicesterlad
ID: 33644596
Donboo, I think you may be on to a winner here, as when I disable the TMG service I can ping the ASA but still cannot access the internet, so as per your last message I need to add a rule in the ASA NAT settings. Should this just be an internal rule allowing TCP from 10.1.0.2 to any?

Hopefully I will then be able to access the internet; then I can restart the TMG services, and it must be a TMG rule blocking me from pinging the ASA/accessing the internet when TMG is running??

Thanks
Steve

LVL 9

Expert Comment

by:Donboo
ID: 33650069
I would just use any any, as you are in troubleshooting mode.

So in the NAT statement on the ASA, change it to any any.

If you can then access the internet, enable TMG and try again.