Bicesterlad

asked on

TMG Server on Hyper-V behind Cisco ASA problem

I have installed Threat Management Gateway 2010 in a back-end firewall configuration on a virtual server on a Windows Server 2008 Hyper-V host. This has 2 virtual network cards on 2 different VLANs (100 and 1001) and plugs into my 3COM core switch. I have a Cisco ASA that also plugs into my core switch (allowing VLANs 100 and 199), and my internet connection also plugs into the core switch on VLAN 199.

The TMG server is new, before I added this the core switch passed any external requests onto the ASA which routes out to the internet line.

I am now trying to use the TMG server as a web proxy to block internet access to anyone without an allow rule and to monitor what those who are accessing it are looking at.

The TMG server can access the internal network fine and the default gateway is set to vlan 100 (to the ASA which it can ping).

I can't, however, access the internet from the TMG server. It responds with a 10060 connection timeout and says the gateway could not receive a timely response....

I would like to keep the ASA in place as a front firewall and just use TMG as a back firewall and proxy server for controlling internet.

Can anyone point me in the direction of where I am going wrong? Diagram attached.

Many thanks,
Steve
panman3

there are several paths:

- check the TMG NIC pointing to the ASA; does this one have in its IP settings the IP of the ASA as a gateway? Else it will look on the VLAN and may not find the correct path to route to external.
- How's your DNS? Can you resolve addresses on the ISA (command prompt - ping www.google.be). If not can you access a site by IP? If not then it's indeed a network/TMG issue and this may also cause DNS not to be able to send out external requests. If you can access by IP then it might be a DNS issue.
- what routing rules do you have in your "networks" section on TMG? before you can use firewall rules to allow certain traffic, you also need a more general routing rule to link otherwise completely separated networks (between your internal network 1001 and "external" 100)
- do you have a firewall rule in place allowing internet traffic from localhost to external? I'm not certain as to whether this is enabled by default or you need to allow localhost to access internet manually.
- how's your switch config? Certain there's no problem with the VLAN 100? Ports configured correctly?

Regards,
Geert
Bicesterlad (asker)

Hi Geert, thanks for your reply.

I now can't ping my ASA (10.1.0.2), which is set as the default gateway on the external NIC of the TMG server. I think it may have something to do with my IP address ranges for the perimeter/internal network. I presume the ASA is now located in the perimeter network and the TMG on the internal, so I have 10.1.0.0 to 10.1.0.255 included in the perimeter and 10.0.0.0 to 10.0.255.255 and 10.1.1.0 to 10.255.255.255 included in my internal.

I have rules allowing SMTP, DNS, LDAP, HTTP/S, ping, RDP, RPC, NetBIOS from internal to internal and allowing HTTP/S from internal to perimeter/external. I have also added a rule allowing all protocols to try and eliminate that being the problem.

DNS seems fine and I have not had any issues with this, but I can't ping the ASA by IP since setting up the perimeter IP range.

Routes all seem to be set OK; the gateway for 0.0.0.0 is the ASA.

Switch config all good with the ports allowing all required VLANS.

Really stumped what is wrong?

thanks,
Steve
You didn't attach the diagram.

How is the network configured? The LAN, the network between the ASA and the TMG?

If you disable the web proxy, does it work then?

Can you monitor the session? Do you see anything in the Logs and Reporting logging tab?
Oops, didn't realise :-) Diagram attached, hope it makes sense.

The current route for 0.0.0.0 on the 3Com core switch is the ASA 10.1.0.2 and this is working fine, so users currently have internet access. What I'd like to do is get the TMG server working with internet access through the ASA, then once this is working change the route for 0.0.0.0 on the core switch to the TMG. At the moment I can't block internet access for anyone on the network easily.

The TMG is talking to the internal network fine, but going out through 10.1.0.3 to the ASA on 10.1.0.2 there is no response. I also can't ping 10.1.0.1 on the core switch. My ports are allowing the correct VLANs, and before I put TMG into back firewall mode (from single NIC) this network card (10.1.0.3) could ping both 10.1.0.1 and 10.1.0.2, which is why I think it's something to do with the perimeter network settings.

Am I in a mess, or does it all make sense and there is a logical reason?

Many thanks.
TMGPlan.jpg
P.S. It doesn't work if I disable the proxy, and in my logging I just see 10060 connection failed errors, presumably because I can't ping the DG?
Has no one any ideas?

Thanks in advance.....
ASKER CERTIFIED SOLUTION
panman3

This solution is only available to members.
Just putting in a checklist for you.

1. Check the ASA default route is set for the ISP GW.
2. Check the ASA can ping the ISP GW.
3. Check the ASA can ping something on the internet you know responds to ICMP. (Remember to check the ICMP rules of the ASA.)
4. Check the ASA can ping the TMG server's IP.
5. Check the TMG server's IP settings on its external NIC. The default GW must point to the ASA.
6. Check the TMG server's IP settings on its internal NIC. No default GW should be configured here. (Check with "route print" that the default GW is correct.)
7. Ping the ASA's IP from the TMG server (disable the TMG service so you can eliminate the network path).
8. Ping something on the internet that you know responds to ICMP. (Remember to permit ICMP in the ASA's access-list and enable ICMP inspection.)
Forgot to add: you need to check the ASA's NAT settings so that they permit the TMG server's external interface.
Donboo, I think you may be on to a winner here, as when I disable the TMG service I can ping the ASA but still cannot access the internet. So, as per your last message, I need to add a rule in the ASA NAT settings. Should this just be an internal rule allowing TCP from 10.1.0.2 to any?

Hopefully I will then be able to access the internet then can restart the TMG services and it must be a TMG rule blocking me from pinging the ASA/accessing the internet when TMG running??

Thanks
Steve

I would just use any any as you are in troubleshooting mode.

So in the nat statement on the asa change it to any any.

If you then can access the internet, enable TMG and try again.
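The ASA side of the checklist above (items 1, 3, 7 and 8) and the "any any" NAT advice, written out as ASA configuration. This is an added example, not configuration posted by anyone in the thread. It assumes the ASA's VLAN 100 interface is named "inside" (10.1.0.2/24, as given in the thread) and its VLAN 199 interface is named "outside"; the TMG external NIC is 10.1.0.3 (from the thread). The ISP gateway and the internet test host are placeholder addresses (203.0.113.x). Pre-8.3 NAT syntax is used, with the 8.3+ equivalent at the end.

```cisco
! Added example, not from the thread. Interface names "inside"/"outside",
! the ISP gateway and the test host are assumptions; 10.1.0.2/10.1.0.3
! are the ASA and TMG external NIC addresses from the thread.

! --- Item 1: default route towards the ISP gateway (placeholder address).
route outside 0.0.0.0 0.0.0.0 203.0.113.1

! --- Troubleshooting-mode NAT ("any any"): every inside source is
! --- translated to the outside interface address. Pre-8.3 syntax.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! --- Tightened version once TMG works: only the TMG external NIC is
! --- translated, so nothing else on VLAN 100 can bypass the proxy.
! nat (inside) 1 10.1.0.3 255.255.255.255
! global (outside) 1 interface

! --- Items 3 and 8: let ICMP echo replies back in. Either enable ICMP
! --- inspection, so the ASA tracks echo/echo-reply statefully ...
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
! --- ... or, without inspection, permit the reply types explicitly on
! --- the outside interface ACL. Note the access-group line replaces any
! --- ACL already bound inbound on "outside".
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit icmp any any unreachable
access-group outside_in in interface outside

! --- Item 7: pings to the inside interface itself (10.1.0.2) are allowed
! --- by default. Only check/restore this if an "icmp" rule exists; once
! --- any icmp rule is present on an interface, unlisted ICMP is denied.
show running-config icmp
! icmp permit any inside

! --- Verification without touching TMG: simulate the packet path and
! --- inspect the translation table after a test ping from 10.1.0.3.
packet-tracer input inside icmp 10.1.0.3 8 0 203.0.113.10
packet-tracer input inside tcp 10.1.0.3 12345 203.0.113.10 80
show xlate
show nat

! --- ASA 8.3 and later: the same NAT expressed as object NAT.
! object network tmg-external
!  host 10.1.0.3
!  nat (inside,outside) dynamic interface
```

packet-tracer shows each phase (route lookup, ACL, NAT) and whether the packet is allowed or dropped, which separates an ASA problem from a TMG policy problem before the TMG services are re-enabled. The "any any" translation and any permit-all ACL are for troubleshooting only; once the TMG path works, narrow the NAT to 10.1.0.3 so hosts on VLAN 100 cannot reach the internet without going through the proxy.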