Solved

TMG with 2 nics  in DMZ of ASA - The ASA only has 1 DMZ interface

Posted on 2015-01-19 | 260 Views | Last Modified: 2015-02-04
Hi

The ASA has an "inside" (LAN) interface, a DMZ (1 interface, public IP) and OUTSIDE (1 internet interface).

Now the proposed TMG is to have 2 NICs, one with a public and one with a private address. This is to perform HTTP reverse proxy to 3 internal (LAN side) web servers. See the attached pic/diagram of the proposed topology.

So the traffic coming in to the inside LAN from the TMG will be from the private IP, let's say 192.168.3.1, of the TMG's private address NIC. Now the issue as I see it is that the ASA only has one "public IP" DMZ interface. So how would it receive the traffic from the TMG private address? I could NAT the TMG private interface to the inside LAN web server. However, I'm having trouble seeing how the ASA would receive the traffic as it has only 1 public IP DMZ interface.

This is a common setup for TMG. I'm wondering how it will work for me.

Thanks
TMG-in-DMZ-dual-NIC.PNG
Question by:philb19
6 Comments
LVL 37 | Assisted Solution by Bing CISM / CISSP (earned 200 total points)
ID: 40559936
If the TMG's main purpose is to provide a reverse web proxy service for remote clients accessing the three internal web servers across the Internet, and there is only one public IP available on the ASA's external interface, then there is no need to put the TMG in the DMZ zone; simply put the TMG behind the ASA, sitting on the same subnet as the internal web servers. A single-arm (NIC) proxy is also possible.

This may significantly reduce the implementation effort and also increase the proxy performance, as only one set of incoming firewall rules is required for the ASA's external traffic (the TMG's external traffic is no longer required). The same goes for the outgoing traffic, too.
Author Comment by philb19
ID: 40559990
Thanks. Actually I do have multiple public IPs to use, so it's not a problem putting it in the DMZ.
I've set these up before in the DMZ with 1 NIC on the TMG. I advised the external consultants setting it up to do it with 1 NIC on the TMG. They came back and said it's not best practice to do this. However, yes, it is just for reverse proxy. So are they right? It seems a bit conflicting online! I know with 1 NIC on the TMG you do lose the firewall ability of the TMG.

To use 2 NICs on the TMG as they put forward, I'm going to have to go down the sub-interface route on the ASA DMZ interface in order for the ASA to be aware of the "new" extra subnet. Hmm, it sure seems easier with 1 NIC on the TMG.
LVL 45 | Accepted Solution by Craig Beck (earned 200 total points)
ID: 40560505
I kind of agree with bbao, in that you should only need to use one leg; however I'd suggest it's safer to use the DMZ to ensure that if anyone does manage to get onto your TMG, they don't get into your LAN at that point.

To be honest I've never seen a 2-legged reverse proxy in a DMZ. It's always a single leg, as you would have to effectively have 2 DMZs for routing to work properly.

In a reverse-proxy scenario it's not mandatory to have a firewall function in TMG, and I don't know what benefit your consultants think you'll be gaining by routing via a second NIC on the TMG anyway, unless they are suggesting that the internal leg of the TMG will actually connect to the LAN? If a consultant ever suggested that to me, though, I'd sack him instantly!
LVL 37 | Expert Comment by Bing CISM / CISSP
ID: 40561733
> I do have multiple public IPs to use - so its not a problem putting it in DMZ

Do you have any existing rules against the DMZ on the ASA? If the answer is no, you may probably directly assign a public IP to the TMG and leave the other NIC for the LAN.
LVL 5 | Assisted Solution by Feroz Ahmed (earned 100 total points)
ID: 40589365
Hi,

You can try defining the DMZ as DMZ1 and DMZ2. As you have already configured the DMZ for the public IP, now define the same DMZ as DMZ1, define the private IP and do the configuration for the private IP. It should work as below:

ASA# configure terminal
ASA(config)# interface <dmz-physical-interface>.1    ! sub-interface on the existing DMZ interface; the interface name is a placeholder
ASA(config-subif)# vlan <vlan-id>                    ! an ASA sub-interface needs an 802.1Q VLAN tag
ASA(config-subif)# nameif dmz1
ASA(config-subif)# security-level 75
ASA(config-subif)# ip address <private-ip> <subnet-mask>
ASA(config-subif)# no shutdown
ASA(config-subif)# exit

Then define the access-list and access-group and it should work as DMZ1 and DMZ2 on a single DMZ interface. There is no need for another NIC: on a single DMZ NIC one can define as many DMZ sub-interfaces as needed.
Author Closing Comment by philb19
ID: 40590366
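The two sub-interface idea above, and Craig's point that a compromised TMG should not be able to reach the LAN, can be combined on the ASA. The following is an added example written for this thread, not configuration posted by any of the participants or taken from Cisco documentation. It assumes ASA 8.3+ object-based syntax, a physical DMZ port GigabitEthernet0/2 trunked to the switch with VLANs 10 and 20, the public DMZ range 203.0.113.0/29 and the web servers 10.0.0.11-13 (all constructed values); only the TMG private address 192.168.3.1 comes from the question.

```cisco
! Existing public DMZ, now carried as a tagged sub-interface (dmz1)
interface GigabitEthernet0/2.10
 vlan 10
 nameif dmz1
 security-level 50
 ip address 203.0.113.2 255.255.255.248
!
! New private DMZ for the TMG's second (internal) NIC (dmz2)
! security-level 75 is still below "inside" (100), so dmz2 -> inside
! is only allowed where an ACL explicitly permits it
interface GigabitEthernet0/2.20
 vlan 20
 nameif dmz2
 security-level 75
 ip address 192.168.3.254 255.255.255.0
!
! The TMG's internal leg (address from the question) and the three LAN web servers (constructed)
object network TMG-INSIDE
 host 192.168.3.1
object-group network LAN-WEBSERVERS
 network-object host 10.0.0.11
 network-object host 10.0.0.12
 network-object host 10.0.0.13
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
!
! Least privilege on the private leg: the TMG may only reach the published
! web servers on web ports; everything else from dmz2 is dropped and logged,
! so a compromised proxy cannot pivot into the rest of the LAN
access-list DMZ2-IN extended permit tcp object TMG-INSIDE object-group LAN-WEBSERVERS object-group WEB-PORTS
access-list DMZ2-IN extended deny ip any any log
access-group DMZ2-IN in interface dmz2
!
! Identity NAT: keep the TMG's private address unchanged towards the LAN
! (no translation is needed, but stating it makes the intent explicit)
nat (dmz2,inside) source static TMG-INSIDE TMG-INSIDE
```

On the TMG side, the internal NIC's route to the web server subnet must point at 192.168.3.254 so that the ASA, not the proxy, enforces the policy; the switch port facing GigabitEthernet0/2 has to be a trunk carrying both VLANs, otherwise neither sub-interface will pass traffic.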
Thanks all