Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

TMG with 2 nics  in DMZ of ASA - The ASA only has 1 DMZ interface

Posted on 2015-01-19
6
Medium Priority
?
303 Views
Last Modified: 2015-02-04
Hi

ASA has "inside" (LAN) interface    DMZ (1 Interface public IP) and OUTSIDE (internet interface x 1 )

Now TMG proposed is to have it with 2 NICs - one public and one private address - This to perform http reverse proxy - to 3 "internal - LAN side webservers    - See attached pic/diagram of proposed topology

So the traffic coming in to the inside LAN from the TMG will be from the private ip lets say 192.168.3.1 of the TMG private address NIC. Now the issue as I see it is that the ASA only has one "public IP DMZ interface. So how would it receive the traffic from the TMG private address ? I could NAT the TMG private interface to the inside LAN web server - However Im having trouble seeing how the ASA would receive the traffic as it has only 1 public IP dmz interface.

This is a common setup for TMG - im wondering how it will work for me

thanks
TMG-in-DMZ-dual-NIC.PNG
0
Comment
Question by:philb19
6 Comments
 
LVL 37

Assisted Solution

by:bbao
bbao earned 800 total points
ID: 40559936
if the TMG's main purpose is to provide reverse web proxy service for the remote clients accessing the three internal web server across the Internet, and there is only one public IP available on the ASA's external interface, then there is no need to put the TMG in the DMZ zone, just simply put the TMG behind the ASA sitting on the same subnet of the internal web server. A single-arm (NIC) proxy is also possible.

this may significantly reduce the implementation effort also increase the proxy performance as only one set of incoming firewall rules is required for ASA's external traffic (the TMG's external traffic is no longer required). the same for the outgoing traffic, too.
0
 
LVL 1

Author Comment

by:philb19
ID: 40559990
Thanks actually I do have multiple public IPs to use - so its not a problem putting it in DMZ.
Ive set these up before in DMZ with the 1 NIC on the TMG - I advised the external consultants setting up to do it with 1 NIC on TMG - They came back and said its not best practice to do this. - However yes it is just for reverse proxy - So are they right?  seems a bit conflicting online!- I know with 1 NIC on TMG you do lose firewall ability of TMG.

2 use 2 NICs on TMG as they put forward - Im going to have to go down the sub-interface on the ASA DMZ interface in order for the ASA to be aware of the "new" extra subnet. Hmm sure seems easier with 1 NIC on the TMG
0
 
LVL 47

Accepted Solution

by:
Craig Beck earned 800 total points
ID: 40560505
I kind of agree with bbao, in that you should only need to use only one leg, however I'd suggest it's safer to use the DMZ to ensure that if anyone does manage to get onto your TMG, they don't get into your LAN at that point.

To be honest I've never seen a 2-legged reverse proxy in a DMZ - it's always a single-leg as you would have to effectively have 2 DMZs for routing to work properly.

In a reverse-proxy scenario it's not mandatory to have a firewall function in TMG and I don't know what benefit your consultants think you'll be gaining by routing via a second NIC on the TMG anyway, unless they are suggesting that the internal leg of the TMG will actually connect to the LAN?  If a consultant ever suggested that to me though I'd sack him instantly!
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
LVL 37

Expert Comment

by:bbao
ID: 40561733
> I do have multiple public IPs to use - so its not a problem putting it in DMZ

do you have any existing rules against the DMZ on the ASA? if the answer is no, probably you may directly assign a public IP tp the TMG and leave the other NIC for the LAN.
0
 
LVL 5

Assisted Solution

by:Feroz Ahmed
Feroz Ahmed earned 400 total points
ID: 40589365
Hi,

You can try defining DMZ as DMZ1 and DMZ2 .As you have already configured DMZ for Public ip now define the same DMZ as DMZ1 and define Private Ip and do the configuration for Private ip it should work as below :

ASA#hostname DMZ1
ASA#config -t
ASA(Configt)#nameif dmz1
ASA(Configt)#**** (Private Ip ) **** (Subnet Mask)
ASA(Configt)#Security_level 75
ASA(Configt)#no shut
ASA(Configt)#exit.

Then define Access-list and Access-group it should work as DMZ1 and DMZ2 for a single DMZ Interface no need of NIC on a single NIC of DMZ one can define as many as DMZ interfaces.
0
 
LVL 1

Author Closing Comment

by:philb19
ID: 40590366
Thanks all
0

Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses
Course of the Month10 days, 14 hours left to enroll

571 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question