ASA 5520 and MS TMG Server
Solved
Posted on 2011-03-09
818 Views
Last Modified: 2012-05-11
We have this ASA connected to a Cisco 6506 switch:
VLAN 30 subnet 10.10.10.0/27 for TMG internal; on the switch the interface VLAN 30 is 10.10.10.30
VLAN 36 subnet 192.168.29.0/27 for TMG external; on the switch the interface VLAN 36 is 192.168.29.30
Inside LAN subnets:
172.24.21.0/24
172.24.22.0/24
172.24.25.0/24
172.24.29.0/24
Subnets through the LAN that connect to our HQ:
172.18.8.0/24
172.20.0.0/16
172.21.0.0/16
172.23.0.0/16
DMVPN subnet 172.48.8.0/30; this one is connected to a Cisco 2821 DMVPN router.
We added this TMG-IN and TMG-OUT recently; they are trying to configure the Microsoft TMG server to be in a DMZ kind of thing. When they configure a static route on the TMG server with 10.10.10.30 (interface VLAN 30 on the switch) as the next hop, they can ping everything on the LAN and it looks like everything is wide open from the 10.10.10.0 network to the 172.x.x.x network, and I don't see the traffic coming to the ASA for the 10.10.10.0 network! I asked them to configure the static route on the TMG server with 10.10.10.29 (interface TMG-IN on the ASA) as the next hop, but as soon as they do that they lose connectivity and I see this in the ASA log:
Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp  80 172.24.21.x src TMG-IN 10.10.10.1 denied due to NAT reverse path failure

Network diagram and ASA config are attached.
Any help would be appreciated!
Thank you,
Mo

ASA-Config.txt
Network-Diagram.doc
Question by: modathir
8 Comments
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 35093326
I assume you put in the nat0 statements because you don't want to nat between the 10.10.10.x and 172.24.21.x networks?

If so, let's try this another way and see if we can first get this connected.

Remove the
nat (TMG-IN) 0 10.10.10.0 255.255.255.0
and add
static (inside,TMG-IN) 172.24.21.0 172.24.21.0 netmask 255.255.255.0

And see how that works out.

0
 
LVL 28

Expert Comment

by:asavener
ID: 35095105
> VLAN 30 subnet 10.10.10.0/27 for TMG internal
So the traffic is coming into the TMG server's internal interface?

And the traffic is actually sourced from other subnets, routed over the DMVPN?

If the source subnet is defined as internal, then the TMG server is going to allow connections.
0
 
LVL 5

Author Comment

by:modathir
ID: 35099476
Still, anything is accessible from LAN to TMG and TMG to LAN, and when I filter the log on the ASA with 10.10.10 I don't see any traffic on that network!!!!!
0
 
LVL 28

Expert Comment

by:asavener
ID: 35100518
Do you have a network diagram?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35100644
So tell us, what did you change?
0
 
LVL 5

Author Comment

by:modathir
ID: 35105674
Hi erniebeek:
I did your changes but still no luck! Finally we were able to fix it; it was a routing issue. I made the connection from the switch to the ASA a layer 2 connection, removed the VLAN interface 30 from the switch and added a static route 10.10.10.0 255.255.255.224 172.24.21.253 (the inside interface on the ASA), and that resolved the problem.
erniebeek, I will give you the points; your answer was part of the solution. Thanks everyone!
Mo
0
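The root cause Mo describes is asymmetric routing: with the VLAN 30 SVI on the 6506, the switch had 10.10.10.0/27 as a connected route and delivered return traffic to the TMG server directly, so the ASA saw at most one half of each flow (or neither half, which is why the DMZ looked "wide open"). The following script is an added illustration, not code from the thread or from any of the participants. It models the three states discussed (TMG next hop = switch SVI with the SVI present; TMG next hop = ASA TMG-IN with the SVI still present; TMG next hop = ASA TMG-IN after the SVI is removed and the static route to 172.24.21.253 is added), traces the forward and reverse path between the TMG server and an inside host, and reports whether the firewall sees both directions. The addresses 172.24.21.253, 10.10.10.29, 10.10.10.30 and 10.10.10.1 come from the thread; the switch's inside SVI address 172.24.21.1, the inside host 172.24.21.10, the ASA's route for the other 172.24.0.0/16 subnets and the assumption that inside hosts default to the switch are constructed for the example.

```python
import ipaddress

# Added illustration for the thread above; not part of the original post.
# Addresses marked "from thread" appear on the page; the rest are assumptions.
ASA_INSIDE = "172.24.21.253"   # ASA inside interface (from thread)
ASA_TMG_IN = "10.10.10.29"     # ASA TMG-IN interface (from thread)
SWITCH_VLAN30 = "10.10.10.30"  # switch SVI for VLAN 30 (from thread)
SWITCH_LAN = "172.24.21.1"     # assumed: switch SVI address on the inside LAN
TMG_INTERNAL = "10.10.10.1"    # TMG internal address seen in the ASA log line
LAN_HOST = "172.24.21.10"      # assumed inside host


def lookup(routes, dst):
    """Longest-prefix match; routes is {prefix: next_hop_ip}."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in routes.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def trace(devices, gateway, dst, max_hops=8):
    """List the routers a packet crosses, starting at the sender's gateway.

    A router delivers the packet itself when dst lies in one of its connected
    networks; otherwise it forwards to whichever device owns the next-hop IP.
    """
    owners = {ip: name for name, d in devices.items() for ip in d["addresses"]}
    dst_ip = ipaddress.ip_address(dst)
    path, current = [], owners.get(gateway)
    for _ in range(max_hops):
        if current is None:
            return path + ["NO-ROUTE"]
        path.append(current)
        dev = devices[current]
        if any(dst_ip in ipaddress.ip_network(n) for n in dev["connected"]):
            return path  # directly attached: delivered here
        nh = lookup(dev["routes"], dst)
        current = owners.get(nh) if nh else None
    return path + ["LOOP"]


def build_topology(switch_has_vlan30):
    """Model the 6506 and the ASA in the 'before' and 'after' states."""
    switch = {
        "addresses": [SWITCH_LAN],
        "connected": ["172.24.21.0/24", "172.24.22.0/24",
                      "172.24.25.0/24", "172.24.29.0/24"],
        "routes": {},
    }
    if switch_has_vlan30:
        # Before the fix: SVI on VLAN 30 makes 10.10.10.0/27 a connected route.
        switch["addresses"].append(SWITCH_VLAN30)
        switch["connected"].append("10.10.10.0/27")
    else:
        # After the fix: static route 10.10.10.0 255.255.255.224 172.24.21.253
        switch["routes"]["10.10.10.0/27"] = ASA_INSIDE
    asa = {
        "addresses": [ASA_INSIDE, ASA_TMG_IN],
        "connected": ["172.24.21.0/24", "10.10.10.0/27"],
        "routes": {"172.24.0.0/16": SWITCH_LAN},  # assumed: other LAN subnets via switch
    }
    return {"switch": switch, "asa": asa}


def check_path(switch_has_vlan30, tmg_gateway, firewall="asa"):
    """Trace both directions between TMG and a LAN host and classify the result."""
    devices = build_topology(switch_has_vlan30)
    fwd = trace(devices, tmg_gateway, LAN_HOST)
    rev = trace(devices, SWITCH_LAN, TMG_INTERNAL)  # assumed: LAN hosts default to the switch
    if firewall in fwd and firewall in rev:
        verdict = "symmetric: firewall sees both directions"
    elif firewall in fwd or firewall in rev:
        verdict = "asymmetric: firewall sees only one direction of the flow"
    else:
        verdict = "bypassed: firewall sees neither direction"
    return {"forward": fwd, "reverse": rev, "verdict": verdict}


if __name__ == "__main__":
    for label, svi, gw in [
        ("TMG next hop = switch SVI, SVI present", True, SWITCH_VLAN30),
        ("TMG next hop = ASA TMG-IN, SVI present", True, ASA_TMG_IN),
        ("TMG next hop = ASA TMG-IN, SVI removed + static route", False, ASA_TMG_IN),
    ]:
        r = check_path(svi, gw)
        print(f"{label}\n  forward {r['forward']}  reverse {r['reverse']}\n  {r['verdict']}")
```

The first state reproduces the "wide open" observation (neither direction touches the ASA), the second the connectivity loss (the ASA sees only the TMG-to-LAN half, so a stateful firewall has no matching flow for the replies), and the third the working configuration, where both halves cross the ASA because the only route the switch has to 10.10.10.0/27 now points at the ASA's inside interface.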
 
LVL 5

Author Closing Comment

by:modathir
ID: 35105696
This answer was part of the solution.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35106509
Thank you, glad I could help.
0
