?
Solved

TMG with 2 nics  in DMZ of ASA - The ASA only has 1 DMZ interface

Posted on 2015-01-19
6
Medium Priority
?
315 Views
Last Modified: 2015-02-04
Hi

ASA has "inside" (LAN) interface    DMZ (1 Interface public IP) and OUTSIDE (internet interface x 1 )

Now TMG proposed is to have it with 2 NICs - one public and one private address - This to perform http reverse proxy - to 3 "internal - LAN side webservers    - See attached pic/diagram of proposed topology

So the traffic coming in to the inside LAN from the TMG will be from the private ip lets say 192.168.3.1 of the TMG private address NIC. Now the issue as I see it is that the ASA only has one "public IP DMZ interface. So how would it receive the traffic from the TMG private address ? I could NAT the TMG private interface to the inside LAN web server - However Im having trouble seeing how the ASA would receive the traffic as it has only 1 public IP dmz interface.

This is a common setup for TMG - im wondering how it will work for me

thanks
TMG-in-DMZ-dual-NIC.PNG
0
Comment
Question by:philb19
6 Comments
 
LVL 37

Assisted Solution

by:bbao
bbao earned 800 total points
ID: 40559936
if the TMG's main purpose is to provide reverse web proxy service for the remote clients accessing the three internal web server across the Internet, and there is only one public IP available on the ASA's external interface, then there is no need to put the TMG in the DMZ zone, just simply put the TMG behind the ASA sitting on the same subnet of the internal web server. A single-arm (NIC) proxy is also possible.

this may significantly reduce the implementation effort also increase the proxy performance as only one set of incoming firewall rules is required for ASA's external traffic (the TMG's external traffic is no longer required). the same for the outgoing traffic, too.
0
 
LVL 1

Author Comment

by:philb19
ID: 40559990
Thanks actually I do have multiple public IPs to use - so its not a problem putting it in DMZ.
Ive set these up before in DMZ with the 1 NIC on the TMG - I advised the external consultants setting up to do it with 1 NIC on TMG - They came back and said its not best practice to do this. - However yes it is just for reverse proxy - So are they right?  seems a bit conflicting online!- I know with 1 NIC on TMG you do lose firewall ability of TMG.

2 use 2 NICs on TMG as they put forward - Im going to have to go down the sub-interface on the ASA DMZ interface in order for the ASA to be aware of the "new" extra subnet. Hmm sure seems easier with 1 NIC on the TMG
0
 
LVL 47

Accepted Solution

by:
Craig Beck earned 800 total points
ID: 40560505
I kind of agree with bbao, in that you should only need to use only one leg, however I'd suggest it's safer to use the DMZ to ensure that if anyone does manage to get onto your TMG, they don't get into your LAN at that point.

To be honest I've never seen a 2-legged reverse proxy in a DMZ - it's always a single-leg as you would have to effectively have 2 DMZs for routing to work properly.

In a reverse-proxy scenario it's not mandatory to have a firewall function in TMG and I don't know what benefit your consultants think you'll be gaining by routing via a second NIC on the TMG anyway, unless they are suggesting that the internal leg of the TMG will actually connect to the LAN?  If a consultant ever suggested that to me though I'd sack him instantly!
0
Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

 
LVL 37

Expert Comment

by:bbao
ID: 40561733
> I do have multiple public IPs to use - so its not a problem putting it in DMZ

do you have any existing rules against the DMZ on the ASA? if the answer is no, probably you may directly assign a public IP tp the TMG and leave the other NIC for the LAN.
0
 
LVL 5

Assisted Solution

by:Feroz Ahmed
Feroz Ahmed earned 400 total points
ID: 40589365
Hi,

You can try defining DMZ as DMZ1 and DMZ2 .As you have already configured DMZ for Public ip now define the same DMZ as DMZ1 and define Private Ip and do the configuration for Private ip it should work as below :

ASA#hostname DMZ1
ASA#config -t
ASA(Configt)#nameif dmz1
ASA(Configt)#**** (Private Ip ) **** (Subnet Mask)
ASA(Configt)#Security_level 75
ASA(Configt)#no shut
ASA(Configt)#exit.

Then define Access-list and Access-group it should work as DMZ1 and DMZ2 for a single DMZ Interface no need of NIC on a single NIC of DMZ one can define as many as DMZ interfaces.
0
 
LVL 1

Author Closing Comment

by:philb19
ID: 40590366
Thanks all
0

Featured Post

Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
Just after setting up Cloud PBX connectivity and migrated Skype users to SFBO, we noticed inbound calls not working but outbound calls would work.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

569 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question