modathir
asked on
ASA 5520 and MS TMG Server
We have this ASA connected to Cisco 6506 switch:
VLAN 30 subnet 10.10.10.0/27 for TMG internal on the switch the interface VLAN 30 is 10.10.10.30
VLAN 36 subnet 192.168.29.0/27 for TMG external on the switch the interface VLAN 36 is 192.168.29.30
inside LAN subnets:
172.24.21.0/24
172.24.22.0/24
172.24.25.0/24
172.24.29.0/24
Subnets through the LAN connect to our HQ:
172.18.8.0/24
172.20.0.0/16
172.21.0.0/16
172.23.0.0/16
DMVPN subnet 172.48.8.0/30 this one connected to Cisco 2821 DMVPN router
We added this TMG-IN and OUT recently; they are trying to configure the Microsoft TMG server to be in a DMZ kind of thing. When they configure a static route on the TMG server with 10.10.10.30 (interface VLAN 30 on the switch) as the next hop, they can ping everything on the LAN and it looks like everything is wide open from the 10.10.10.0 network to the 172.x.x.x network, and I don't see the traffic coming to the ASA for the 10.10.10.0 network! I asked them to configure the static route on the TMG server with 10.10.10.29 (interface TMG-IN on the ASA) as the next hop, but as soon as they do that they lose connectivity and I see this in the ASA log:
Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp 80 172.24.21.x src TMG-IN 10.10.10.1 denied due to NAT reverse path failure
Network diagram and ASA config are attached.
Any help would be appreciated!
Thank you,
Mo
ASA-Config.txt
Network-Diagram.doc
ASKER
Still everything is accessible from LAN to TMG and TMG to LAN, and when I filter the log on the ASA with 10.10.10 I don't see any traffic on that network!!!!!
Do you have a network diagram?
So tell us, what did you change?
ASKER
Hi erniebeek:
I did your changes but still no luck! Finally we were able to fix it; it was a routing issue. I made the connection from the switch to the ASA a layer 2 connection, removed the VLAN interface 30 from the switch and added a static route 10.10.10.0 255.255.255.224 172.24.21.253 (the inside interface on the ASA), and that resolved the problem.
erniebeek, I will give you the points; your answer was part of the solution. Thanks everyone!
Mo
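The switch-side change the asker describes, written out as an added Cisco IOS example (this is not the configuration from the attached ASA-Config.txt): the port names, the VLAN name and the existence of a switch SVI in 172.24.21.0/24 are assumptions, and the TMG server keeps its static route with next hop 10.10.10.29 (the ASA TMG-IN interface).

```cisco
! --- BEFORE (the problem): the 6506 has its own SVI in the TMG subnet, so it
! --- holds a connected route for 10.10.10.0/27 and forwards LAN-to-TMG traffic
! --- directly, while TMG-to-LAN traffic enters through the ASA. The ASA then
! --- sees only one direction of each flow (asymmetric NAT / reverse path failure).
interface Vlan30
 ip address 10.10.10.30 255.255.255.224
!
! --- AFTER (the fix from the thread): VLAN 30 is layer-2 only on the switch.
! --- The ASA TMG-IN interface (10.10.10.29) is the only gateway in that subnet,
! --- and the switch reaches 10.10.10.0/27 solely through the ASA inside interface.
no interface Vlan30
!
vlan 30
 name TMG-IN
!
! Hypothetical port names: the TMG internal NIC and the ASA TMG-IN interface
! are plain access ports in VLAN 30, so the switch only bridges between them.
interface GigabitEthernet1/1
 description TMG internal NIC
 switchport mode access
 switchport access vlan 30
!
interface GigabitEthernet1/2
 description ASA TMG-IN (10.10.10.29)
 switchport mode access
 switchport access vlan 30
!
! Assumed: the switch already has an SVI in 172.24.21.0/24 that can reach the
! ASA inside interface at 172.24.21.253. This makes both directions of every
! TMG flow cross the ASA, which is what its NAT and inspection require.
ip route 10.10.10.0 255.255.255.224 172.24.21.253
!
! Verification: a TMG host must now resolve to the static route via the ASA
! inside interface, not to a locally connected VLAN 30.
do show ip route 10.10.10.1
```

After the change, a `show conn` on the ASA should list TMG connections with both forward and reverse traffic, and the 305013 reverse path messages should stop.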
ASKER
This answer was part of the solution.
Thank you, glad I could help.
And the traffic is actually sourced from other subnets, routed over the DMVPN?
If the source subnet is defined as internal, then the TMG server is going to allow connections.