  • Problem Forwarding Cisco ASA IPSec VPN Traffic through Microsoft TMG 2010?

    Hi.

    I have had an ISA 2006 server for 7 years, and I want to install Microsoft Threat Management Gateway 2010. I have no other choice because it is what the central office wants. Anyway.

    I have installed TMG and everything is okay, but there is a problem. Some clients connect to the internal network in ISA 2006 using VPN. The VPN server is a Cisco ASA firewall, and the edge firewall is ISA Server. Then there is the ASA firewall, and then there is the local server.

    In ISA 2006 there is no problem; I have published IKE Server, L2TP Server and IPSec Server in ISA 2006 to the ASA firewall IP address, and everybody can connect.

    Now that I have installed TMG and published rules exactly the same way they were implemented in ISA 2006, clients can connect to the TMG server but they cannot access the local server. I have done everything possible, but it was useless.

    By the way, at first I could not log in by VPN, but I read a solution in a forum and then created a site-to-site!! VPN with fake IP addresses, and then the remote client can connect to the ASA VPN but he cannot access the local server. I know that the problem lies in the TMG configuration because by replacing the TMG with ISA all the problems get solved. What seems to be the problem??

    I would appreciate any answer in advance.

  • #2
    Re: Problem Forwarding Cisco ASA IPSec VPN Traffic through Microsoft TMG 2010?

    Was the ASA Firewall in place when you were running ISA 2006?
    Is the ISA 2006 Server still around so you can check the Rules that were on it?
    Did you export the Rules or did you manually recreate them?
    1 1 was a racehorse.
    2 2 was 1 2.
    1 1 1 1 race 1 day,
    2 2 1 1 2



    • #3
      Re: Problem Forwarding Cisco ASA IPSec VPN Traffic through Microsoft TMG 2010?

      Yes. ISA 2006 still exists and now I use ISA 2006. When I use ISA 2006 everything is fine, but when I put in TMG 2010, VPN users cannot connect correctly from outside.
      All the rules in ISA 2006 are implemented exactly in TMG 2010.



      • #4
        Re: Problem Forwarding Cisco ASA IPSec VPN Traffic through Microsoft TMG 2010?

        I am taking the "yes" as meaning the ASA was being used when you had ISA 2006.

        Check and see if you have the same groups/OUs (can't remember what the damned things were called) where users were allowed access based on the different permissions that were assigned to that group/OU. Anyone got ISA/TMG running that can help out? Haven't used ISA for quite some time and settings and permission tabs etc. have been forgotten. (I knew I shouldn't have deleted that ISA VM.)

        Originally posted by mzbcracker:
        All the rules in ISA 2006 are implemented exactly in TMG 2010.
        Great, but how was it done? Manually recreated or were the Rules Exported from ISA 2006 and Imported into TMG? If manually then a mistake may/could have been made. If Exported/Imported then they should be exactly the same.



        • #5
          Re: Problem Forwarding Cisco ASA IPSec VPN Traffic through Microsoft TMG 2010?

          Cisco's VPN client has never been known to play well with any version of ISA/TMG, one of the many reasons I have never liked this front-back firewall configuration that so many people use. TMG is a perfectly capable firewall and VPN endpoint on its own.

          Anyhoo, leaving my prejudices aside, have a look here:-
          http://www.isaserver.org/articles-tu...ssthrough.html

          The article was written for ISA 2000 but applies to all versions of the product including TMG and should help with your issue.
          BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
          Cruachan's Blog



          • #6
            Re: Problem Forwarding Cisco ASA IPSec VPN Traffic through Microsoft TMG 2010?

            You haven't said anything about the actual rules that are supposed to let the VPN traffic through, nor have you provided many details about the actual VPN setup. You did mention L2TP, so I guess that means you're using L2TP over IPsec?

            The ASA supports a number of different VPN technologies, and each will require different rules in firewalls and filtering routers. L2TP uses IPsec for encryption, which means you'll have to allow ISAKMP/IKE (UDP port 500), ESP (IP protocol 50) and probably IPsec NAT Traversal (UDP port 4500 or possibly TCP port 10000).

            Speaking of NAT, is the external interface of the ASA assigned a public IP address, or is it NATed behind the TMG server?



            • #7
              Re: Problem Forwarding Cisco ASA IPSec VPN Traffic through Microsoft TMG 2010?

              Thank you.
              The external interface of the ASA has its own IP address, and I have a publishing rule in TMG so that TMG sends IKE, IPSec and IPsec NAT Traversal traffic to that IP address. It works very well on ISA.
              To be honest, I have not imported the configuration of ISA to TMG; I have manually created the rules. I'm gonna export and import them. I'm badly stuck and my boss is really angry with me. It's been about 1 month that I cannot do that. We have bought a new server for TMG and we are still using the old ISA server.
              I would appreciate any help that might solve my problem.



              • #8
                Re: Problem Forwarding Cisco ASA IPSec VPN Traffic through Microsoft TMG 2010?

                Just to be perfectly clear, when you say the ASA has "its own IP address", you're referring to a public, routable IP address, right? In that case, make sure the TMG routing rule between the routable addresses in the "ASA" network and the Internet is "route", not "NAT".

                In the TMG firewall, you will need to allow 3 types of traffic:
                1. UDP port 500 (IKE/ISAKMP) for the initial SA negotiations and any subsequent re-keying
                2. IP protocol 50 (ESP) for the actual tunnel
                3. UDP port 4500 (NAT Traversal) for encapsulated ESP packets in NAT scenarios
                4. Cisco equipment and VPN software can do AH/ESP NAT-T over TCP port 10000 instead of UDP port 4500, so you may want to allow that as well

                Item 2 may seem redundant if you're using NAT-T, but unfortunately IKE v1 (which is still the only IKE version supported by a lot of equipment) provides no mechanism for detecting NAT other than trying (and failing) to get a valid ESP packet to the other endpoint. This is why inbound IPsec against an endpoint behind NAT usually doesn't work, because there's no way to "forward" ESP traffic to another IP address. It's not a port number, it's an entire IP protocol.

                A fairly easy way to figure out exactly what's going on, would be to run Wireshark on the TMG server and have it capture packets on the NIC facing the ASA. This Wireshark/tcpdump capture filter should do the trick: udp port 500 or udp port 4500 or esp. Try connecting to the ASA from the outside with Wireshark running, and see if the packets make it through in one piece and without being NATed by the TMG.

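A small checker for the capture step described in the post above, added here as an example and not code from this thread, Microsoft or Cisco. It parses tcpdump-style summary lines (constructed, with hypothetical addresses) as captured on the ASA-facing NIC, counts which of the required traffic types (IKE UDP 500, ESP, NAT-T UDP 4500, optionally Cisco TCP 10000) arrived, and flags inbound packets whose source is not the real client, which would mean TMG NATed them instead of routing them.

```python
import re
from collections import Counter

# Constructed tcpdump-style summary lines, as if captured on the TMG NIC facing the ASA.
# Hypothetical: 203.0.113.10 = remote client, 192.0.2.20 = ASA outside, 10.0.0.1 = a NATed source.
SAMPLE_CAPTURE = """\
IP 203.0.113.10.500 > 192.0.2.20.500: isakmp: phase 1 I ident
IP 192.0.2.20.500 > 203.0.113.10.500: isakmp: phase 1 R ident
IP 203.0.113.10.4500 > 192.0.2.20.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick
IP 203.0.113.10.4500 > 192.0.2.20.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1)
IP 203.0.113.10 > 192.0.2.20: ESP(spi=0x0a1b2c3d,seq=0x2)
IP 10.0.0.1.4500 > 192.0.2.20.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x3)
"""

LINE_RE = re.compile(r"^IP (\d+(?:\.\d+){3})(?:\.(\d+))? > (\d+(?:\.\d+){3})(?:\.(\d+))?: (.*)$")

# Traffic the post says TMG must pass; TCP 10000 (Cisco NAT-T) is classified but optional.
REQUIRED = {"IKE udp/500", "ESP ip-proto-50", "NAT-T udp/4500"}

def classify(line):
    # Return (src, dst, traffic type) for one summary line, or None if it is not VPN traffic.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport, dst, dport, info = m.groups()
    ports = {sport, dport}
    if sport is None and info.startswith("ESP("):
        return src, dst, "ESP ip-proto-50"      # bare ESP: a whole IP protocol, no port
    if "500" in ports and "isakmp" in info:
        return src, dst, "IKE udp/500"
    if "4500" in ports:
        return src, dst, "NAT-T udp/4500"       # IKE or ESP wrapped in UDP 4500
    if "10000" in ports:
        return src, dst, "Cisco NAT-T tcp/10000"
    return None

def analyse(capture, asa_ip, client_ip):
    # Count what reached the ASA and flag inbound packets whose source is not the
    # real client: that means the TMG network rule is NAT rather than route.
    seen, nated_sources = Counter(), set()
    for line in capture.splitlines():
        rec = classify(line)
        if rec is None:
            continue
        src, dst, kind = rec
        seen[kind] += 1
        if dst == asa_ip and src != client_ip:
            nated_sources.add(src)
    return {"seen": dict(seen), "missing": sorted(REQUIRED - set(seen)), "nated_sources": sorted(nated_sources)}
```

Feed it the text output of tcpdump with the filter from the post (udp port 500 or udp port 4500 or esp); an empty "missing" list and an empty "nated_sources" list means the TMG passed everything unchanged.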