ASA 5520 and MS TMG Server

Posted on 2011-03-09
Last Modified: 2012-05-11
We have this ASA connected to Cisco 6506 switch:
VLAN 30 subnet for TMG internal on the switch the interface VLAN 30 is
VLAN 36 subnet for TMG external on the switch the interface VLAN 36 is
inside LAN subnets:
Subnets through the LAN connect to our HQ:
DMVPN subnet this one connected to Cisco 2821 DMVPN router
we added this TMG-IN and OUT recently; they are trying to configure Microsoft TMG server to be in a DMZ kind of thing. When they configure a static route on the TMG server (interface VLAN 30 on the switch) as the next hop they can ping everything on the LAN and it looks like everything is open wide! from network  to 172.x.x.x network and I don’t see the traffic coming to the ASA for the network! I asked them to configure a static route on the TMG server (Interface TMG-IN on ASA) as the next hop, but as soon as they do that they lose connectivity and I see this in the ASA log:
 Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp  80 172.24.21.x src TMG-IN denied due to NAT reverse path failure

Network diagram and ASA config are attached.
Any help would be appreciated!
Thank you,

Question by:modathir
LVL 35

Accepted Solution

Ernie Beek earned 500 total points
ID: 35093326
I assume you put in the nat0 statements because you don't want to nat between the 10.10.10.x and 172.24.21.x networks?

If so, let's try this another way and see if we first can get this connected.

Remove the
nat (TMG-IN) 0
and add
static (inside,TMG-IN) netmask

And see how that works out.
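As an added illustration of the change suggested above (example configuration written for this page, not the asker's attached config and not Ernie Beek's exact lines): the thread uses pre-8.3 ASA nat/static syntax, so that is what is shown. The subnets are assumptions drawn from the 10.10.10.x and 172.24.21.x mentions (10.10.10.0/24 on TMG-IN, 172.24.21.0/24 on inside), and the access-list name TMG-NONAT is a placeholder for whatever the original nat 0 statement referenced. The identity static gives the inside subnet a single translation that both the forward and the reverse flow match, which is what the "Asymmetric NAT rules matched ... NAT reverse path failure" message says was missing; packet-tracer is the built-in way to confirm it before touching the TMG server's routes.

```cisco
! Assumed addressing: TMG-IN = 10.10.10.0/24, inside = 172.24.21.0/24 (pre-8.3 syntax)
! Step 1: remove the nat 0 on TMG-IN (TMG-NONAT is a placeholder ACL name)
no nat (TMG-IN) 0 access-list TMG-NONAT
! Step 2: identity static so inside hosts appear unchanged from TMG-IN and the same
! xlate is used in both directions (no asymmetric forward/reverse NAT match)
static (inside,TMG-IN) 172.24.21.0 172.24.21.0 netmask 255.255.255.0
! If TMG-IN has a lower security level than inside, an inbound ACL on TMG-IN
! permitting the wanted traffic is still required (not shown, assumed to exist)
! Step 3 (verify): simulate a TMG-IN host opening TCP/80 to an inside host;
! the NAT phase should now reference the static above and the result should be
! "Action: allow" rather than a NAT reverse path failure
packet-tracer input TMG-IN tcp 10.10.10.10 40000 172.24.21.10 80
! Confirm the identity translation exists
show xlate | include 172.24.21
```

After the change, filtering the ASA log on 10.10.10 should start showing the TMG-IN to inside connections being built, which also confirms the traffic is actually traversing the firewall instead of being switched around it.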

LVL 28

Expert Comment

ID: 35095105
VLAN 30 subnet for TMG internal
So the traffic is coming into the TMG servers internal interface?

And the traffic is actually sourced from other subnets, routed over the DMVPN?

If the source subnet is defined as internal, then the TMG server is going to allow connections.

Author Comment

ID: 35099476
Still, anything is accessible from LAN to TMG and TMG to LAN, and when I filter the log on the ASA with 10.10.10 I don't see any traffic on that network!!!!!

LVL 28

Expert Comment

ID: 35100518
Do you have a network diagram?
LVL 35

Expert Comment

by:Ernie Beek
ID: 35100644
So tell us, what did you change?

Author Comment

ID: 35105674
Hi erniebeek:
I did your changes but still no luck! Finally we were able to fix it; it was a routing issue. I made the connection from the switch to the ASA a layer 2 connection, removed the VLAN interface 30 from the switch and added a static route (the inside interface on the ASA), and that resolved the problem.
erniebeek, I will give you the points; your answer was part of the solution. Thanks everyone!

Author Closing Comment

ID: 35105696
This answer was part of the solution.
LVL 35

Expert Comment

by:Ernie Beek
ID: 35106509
Thank you, glad I could help.
