TMG with 2 nics in DMZ of ASA - The ASA only has 1 DMZ interface

Hi

ASA has "inside" (LAN) interface    DMZ (1 Interface public IP) and OUTSIDE (internet interface x 1 )

Now TMG proposed is to have it with 2 NICs - one public and one private address - This to perform http reverse proxy - to 3 "internal - LAN side webservers    - See attached pic/diagram of proposed topology

So the traffic coming in to the inside LAN from the TMG will be from the private ip lets say 192.168.3.1 of the TMG private address NIC. Now the issue as I see it is that the ASA only has one "public IP DMZ interface. So how would it receive the traffic from the TMG private address ? I could NAT the TMG private interface to the inside LAN web server - However Im having trouble seeing how the ASA would receive the traffic as it has only 1 public IP dmz interface.

This is a common setup for TMG - im wondering how it will work for me

thanks
TMG-in-DMZ-dual-NIC.PNG
LVL 1
philb19Asked:
Who is Participating?
 
Craig BeckCommented:
I kind of agree with bbao, in that you should only need to use only one leg, however I'd suggest it's safer to use the DMZ to ensure that if anyone does manage to get onto your TMG, they don't get into your LAN at that point.

To be honest I've never seen a 2-legged reverse proxy in a DMZ - it's always a single-leg as you would have to effectively have 2 DMZs for routing to work properly.

In a reverse-proxy scenario it's not mandatory to have a firewall function in TMG and I don't know what benefit your consultants think you'll be gaining by routing via a second NIC on the TMG anyway, unless they are suggesting that the internal leg of the TMG will actually connect to the LAN?  If a consultant ever suggested that to me though I'd sack him instantly!
0
 
bbaoIT ConsultantCommented:
if the TMG's main purpose is to provide reverse web proxy service for the remote clients accessing the three internal web server across the Internet, and there is only one public IP available on the ASA's external interface, then there is no need to put the TMG in the DMZ zone, just simply put the TMG behind the ASA sitting on the same subnet of the internal web server. A single-arm (NIC) proxy is also possible.

this may significantly reduce the implementation effort also increase the proxy performance as only one set of incoming firewall rules is required for ASA's external traffic (the TMG's external traffic is no longer required). the same for the outgoing traffic, too.
0
 
philb19Author Commented:
Thanks actually I do have multiple public IPs to use - so its not a problem putting it in DMZ.
Ive set these up before in DMZ with the 1 NIC on the TMG - I advised the external consultants setting up to do it with 1 NIC on TMG - They came back and said its not best practice to do this. - However yes it is just for reverse proxy - So are they right?  seems a bit conflicting online!- I know with 1 NIC on TMG you do lose firewall ability of TMG.

2 use 2 NICs on TMG as they put forward - Im going to have to go down the sub-interface on the ASA DMZ interface in order for the ASA to be aware of the "new" extra subnet. Hmm sure seems easier with 1 NIC on the TMG
0
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

 
bbaoIT ConsultantCommented:
> I do have multiple public IPs to use - so its not a problem putting it in DMZ

do you have any existing rules against the DMZ on the ASA? if the answer is no, probably you may directly assign a public IP tp the TMG and leave the other NIC for the LAN.
0
 
Feroz AhmedSenior Network EngineerCommented:
Hi,

You can try defining DMZ as DMZ1 and DMZ2 .As you have already configured DMZ for Public ip now define the same DMZ as DMZ1 and define Private Ip and do the configuration for Private ip it should work as below :

ASA#hostname DMZ1
ASA#config -t
ASA(Configt)#nameif dmz1
ASA(Configt)#**** (Private Ip ) **** (Subnet Mask)
ASA(Configt)#Security_level 75
ASA(Configt)#no shut
ASA(Configt)#exit.

Then define Access-list and Access-group it should work as DMZ1 and DMZ2 for a single DMZ Interface no need of NIC on a single NIC of DMZ one can define as many as DMZ interfaces.
0
 
philb19Author Commented:
Thanks all
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.