Solved

TMG with 2 NICs in DMZ of ASA - The ASA only has 1 DMZ interface

Posted on 2015-01-19
6
263 Views
Last Modified: 2015-02-04
Hi

ASA has an "inside" (LAN) interface, a DMZ interface (1 interface, public IP) and an OUTSIDE interface (Internet, x1).

Now the TMG proposed is to have 2 NICs - one with a public and one with a private address. This is to perform HTTP reverse proxy to 3 internal (LAN-side) web servers - see the attached pic/diagram of the proposed topology.

So the traffic coming into the inside LAN from the TMG will be from the private IP, let's say 192.168.3.1, of the TMG's private-address NIC. Now the issue as I see it is that the ASA only has one public-IP DMZ interface. So how would it receive the traffic from the TMG private address? I could NAT the TMG private interface to the inside LAN web server. However, I'm having trouble seeing how the ASA would receive the traffic, as it has only 1 public-IP DMZ interface.

This is a common setup for TMG - I'm wondering how it will work for me.

Thanks
TMG-in-DMZ-dual-NIC.PNG
0
Question by:philb19
6 Comments
 
LVL 37

Assisted Solution

by:Bing CISM / CISSP
Bing CISM / CISSP earned 200 total points
ID: 40559936
If the TMG's main purpose is to provide a reverse web proxy service for remote clients accessing the three internal web servers across the Internet, and there is only one public IP available on the ASA's external interface, then there is no need to put the TMG in the DMZ zone; simply put the TMG behind the ASA, sitting on the same subnet as the internal web servers. A single-arm (NIC) proxy is also possible.

This may significantly reduce the implementation effort and also increase the proxy performance, as only one set of incoming firewall rules is required (for the ASA's external traffic; rules for the TMG's external traffic are no longer required). The same goes for the outgoing traffic, too.
0
 

Author Comment

by:philb19
ID: 40559990
Thanks. Actually I do have multiple public IPs to use - so it's not a problem putting it in the DMZ.
I've set these up before in the DMZ with 1 NIC on the TMG. I advised the external consultants setting this up to do it with 1 NIC on the TMG - they came back and said it's not best practice to do this. However, yes, it is just for reverse proxy - so are they right? Seems a bit conflicting online! I know with 1 NIC on the TMG you do lose the firewall ability of the TMG.

To use 2 NICs on the TMG as they put forward, I'm going to have to go down the sub-interface route on the ASA DMZ interface in order for the ASA to be aware of the "new" extra subnet. Hmm, sure seems easier with 1 NIC on the TMG.
0
 
LVL 45

Accepted Solution

by:
Craig Beck earned 200 total points
ID: 40560505
I kind of agree with bbao, in that you should only need to use one leg; however I'd suggest it's safer to use the DMZ to ensure that if anyone does manage to get onto your TMG, they don't get into your LAN at that point.

To be honest I've never seen a 2-legged reverse proxy in a DMZ - it's always a single leg, as you would effectively have to have 2 DMZs for routing to work properly.

In a reverse-proxy scenario it's not mandatory to have a firewall function in TMG, and I don't know what benefit your consultants think you'll be gaining by routing via a second NIC on the TMG anyway, unless they are suggesting that the internal leg of the TMG will actually connect to the LAN? If a consultant ever suggested that to me, though, I'd sack him instantly!
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 40561733
> I do have multiple public IPs to use - so its not a problem putting it in DMZ

Do you have any existing rules against the DMZ on the ASA? If the answer is no, you can probably directly assign a public IP to the TMG and leave the other NIC for the LAN.
0
 
LVL 5

Assisted Solution

by:Feroz Ahmed
Feroz Ahmed earned 100 total points
ID: 40589365
Hi,

You can try defining the DMZ as DMZ1 and DMZ2. As you have already configured the DMZ for the public IP, now define the same DMZ as DMZ1, define the private IP and do the configuration for the private IP. It should work as below:

! Sub-interface of the existing DMZ port. The physical port name (GigabitEthernet0/2)
! and the 802.1Q tag (20) are placeholders; use the port your DMZ is on and a free VLAN.
ASA# configure terminal
ASA(config)# interface GigabitEthernet0/2.20
ASA(config-subif)# vlan 20
ASA(config-subif)# nameif dmz1
ASA(config-subif)# security-level 75
ASA(config-subif)# ip address <private-ip> <subnet-mask>
ASA(config-subif)# no shutdown
ASA(config-subif)# exit

Then define the access-list and access-group; it should work as DMZ1 and DMZ2 on a single DMZ interface. There is no need for a NIC per DMZ: on a single DMZ NIC one can define as many DMZ interfaces as needed.
0
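The two-sub-interface design discussed in the thread, written out as a complete ASA configuration so the routing and rule set can be seen end to end. This is an added example, not code from any of the posts above. Everything in it is assumed: the DMZ port GigabitEthernet0/2 already named "dmz" with the public block 203.0.113.0/28, VLAN 20 for the new private DMZ segment 192.168.3.0/24 (reusing the 192.168.3.1 TMG address from the question, with the ASA at 192.168.3.254), the LAN 10.0.0.0/24 with web servers 10.0.0.11-13, and TMG's external address 203.0.113.5. It uses ASA 8.3+ syntax and assumes the ISP routes the public block to the ASA, so the public leg needs no NAT.

```cisco
! Added example; all addresses, names and VLAN tags are assumed, see lead-in.
!
! Existing public DMZ leg stays on the physical port and keeps carrying untagged frames.
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 203.0.113.1 255.255.255.240
!
! New private DMZ leg: an 802.1Q sub-interface on the same port. This is what gives
! the ASA an address in 192.168.3.0/24; without it there is nothing for it to receive
! the TMG's private-side traffic on, which was the question.
interface GigabitEthernet0/2.20
 vlan 20
 nameif dmz1
 security-level 75
 ip address 192.168.3.254 255.255.255.0
!
object network TMG-EXT
 host 203.0.113.5
object network TMG-INT
 host 192.168.3.1
object-group network WEB-SERVERS
 network-object host 10.0.0.11
 network-object host 10.0.0.12
 network-object host 10.0.0.13
!
! Internet -> TMG public leg: only the published HTTPS listener.
access-list OUTSIDE-IN extended permit tcp any object TMG-EXT eq 443
access-group OUTSIDE-IN in interface outside
!
! Public leg may not initiate anything toward the private DMZ or the LAN; outbound to
! the Internet (updates, CRL checks) stays open.
access-list DMZ-IN extended deny ip any 192.168.3.0 255.255.255.0 log
access-list DMZ-IN extended deny ip any 10.0.0.0 255.255.255.0 log
access-list DMZ-IN extended permit ip any any
access-group DMZ-IN in interface dmz
!
! Private leg -> the three web servers only, HTTP/HTTPS, and only from the TMG's own
! internal address. Everything else from dmz1 is denied and logged.
access-list DMZ1-IN extended permit tcp object TMG-INT object-group WEB-SERVERS eq 80
access-list DMZ1-IN extended permit tcp object TMG-INT object-group WEB-SERVERS eq 443
access-list DMZ1-IN extended deny ip any any log
access-group DMZ1-IN in interface dmz1
!
! No NAT statement is needed between dmz1 and inside: 192.168.3.0/24 is a connected
! route on dmz1, so the web servers see 192.168.3.1 as the proxy's source address and
! their replies return through the ASA's state table.
```

Two things to check when deploying a layout like this. On the switch, the port facing the ASA DMZ interface must be a trunk whose native (untagged) VLAN is the existing public DMZ VLAN and which carries VLAN 20 tagged, with each TMG NIC on an access port in its own VLAN; if both TMG NICs end up in the same VLAN the two "DMZs" collapse into one and the dmz-to-dmz1 deny rules above never see the traffic. On the TMG itself, only the external NIC should carry a default gateway (203.0.113.1); the internal NIC gets a static route for 10.0.0.0/24 via 192.168.3.254, which is the standard dual-NIC TMG arrangement and what makes the return path deterministic.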
 

Author Closing Comment

by:philb19
ID: 40590366
Thanks all
0
