TMG behind Cisco ASA
  • TMG behind Cisco ASA

    Hello,
    I am trying to achieve the setup below.

    Internet>>Router>>ASA>>TMG>>LAN Switch.

    I want to have the TMG firewall behind the ASA for enhanced security.

    External interface E0/0 of ASA connected to ISP Router
    Internal interface E0/1 of ASA connected to TMG external interface
    Internal interface of TMG connected to Cisco Multilayer Switch.

    I am confused with the configuration of the TMG interface network settings.
    What static route do I have to configure on the ASA?
    What NAT configuration do I have to apply on the ASA?

    Any help.

    Samir

  • #2
    Re: TMG behind Cisco ASA

    TMG is a more than capable firewall on its own but if you have an ASA box in front it should still be ok. Just create a 1 to 1 Nat rule to the TMG external interface and restrict the traffic to just port 80 and 443.
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR
  • #3
    Re: TMG behind Cisco ASA

    Completely pointless IMO, if you have spent the money on TMG bin the ASA. The only valid scenario for using 2 devices like this IME is using TMG as a single-NIC reverse proxy, and that is a waste of TMG given how expensive it is.

    Aside from that, you're looking at 2 layers of NAT between your internal network and the internet, so you can run into VPN issues if you use IPSEC VPNs.
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog

  • #4
    Re: TMG behind Cisco ASA

    I wouldn't remove the ASA just because you have TMG, especially for VPN termination. I prefer hardware devices to terminate my VPNs. The ASA also gives you not only L2L VPNs but also SSL (clientless and client-based) and remote access VPNs. If it's any recent version of code on the ASA (8.0 and later) NAT is not mandatory, so you don't have to NAT anymore if you don't need to (no nat-control). If it's 8.3 and above nat-control is gone completely. I do see Cruachan's point though. Does the outside interface of the TMG server require a public address and a NAT translation? I have never worked with one. Is there no way to just bridge the traffic between the TMG interfaces?
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)

  • #5
    Re: TMG behind Cisco ASA

    TMG can only have a NAT relationship between the internal and external interfaces; perimeter networks can be routed to internal, but it is always NAT from any interface to external.

    TMG supports PPTP, L2TP and SSTP VPNs BTW, and uses RRAS so integrates with AD. No extra software or credentials required.
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog

  • #6
    Re: TMG behind Cisco ASA

    Originally posted by cruachan:
      Completely pointless IMO, if you have spent the money on TMG bin the ASA. The only valid scenario for using 2 devices like this IME is using TMG as a single-NIC reverse proxy, and that is a waste of TMG given how expensive it is.

      Aside from that, you're looking at 2 layers of NAT between your internal network and the internet, so you can run into VPN issues if you use IPSEC VPNs.

    Well that's like saying I have a new front door now so I'll get rid of the gate..
    There is nothing wrong with having the TMG as a back firewall box whilst doing forward or reverse proxying as well. The ASA box can handle VPNs and NATting as well as being a solid hardware firewall.
    As I said, whilst TMG is more than capable of handling those on its own, why not use the ASA if it's there?
    There are no two layers of NATting, just two different rules..
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR

  • #7
    Re: TMG behind Cisco ASA

    Well, it is always an interesting discussion. But a "hardware" firewall is IMHO just bullshit. Every system, whether an ASA, Check Point or a TMG, relies on an operating system, a CPU and some form of memory. Cisco delivers specific ASICs for certain processes and Check Point with Nokia delivers the fastest firewalls. Yet it's still the software that's handling the rules and such.
    Besides that, TMG can handle almost everything an ASA can do, including L2L (Cisco term for LAN to LAN, where Microsoft calls it Site to Site) etc.

    However, TMG can be perfectly used behind or in front of an ASA. For some examples, please review the link below.
    http://microsoftguru.com.au/2010/06/...by-step-guide/
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"

  • #8
    Re: TMG behind Cisco ASA

    Thank you experts for your replies.
    Well, in my scenario I want to deploy TMG only as a proxy for the internal users, but with the back-to-back topology.
    VPN will still be on the Cisco ASA. My concerns include:
    a. Do I have to configure a NAT on the ASA for the external IP of TMG only?
    b. What static routes do I have to configure on the ASA?
    c. What will the DNS configuration be on the TMG interfaces?
    d. I don't want my DNS to pass through the ASA directly.

    Please help me to resolve the above queries.

    Samir

  • #9
    Re: TMG behind Cisco ASA

    a) Just a static NAT rule to the TMG external interface
    b) I don't believe you need to worry about that
    c) Just configure DNS on the internal interface of TMG and let the DNS queries go through your internal DNS servers.
    d) The previous point answers this query.
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR
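    The static NAT and the "only 80 and 443" restriction suggested in #2 and #9, written out as an ASA 8.3+ configuration fragment. This is an added example, not configuration posted by anyone in the thread. It follows the OP's topology (ISP router on E0/0, TMG external NIC on E0/1); every address in it is a constructed placeholder: 203.0.113.0/29 stands in for the ISP block, 192.168.100.0/30 for the transit link between the ASA and the TMG external NIC, and 10.0.0.0/16 for the LAN. On the TMG side it assumes what #9 and #12 describe: the external adapter holds 192.168.100.2/30 with default gateway 192.168.100.1 and no DNS servers, and the internal adapter holds the LAN address with the internal DNS servers and no default gateway.

```cisco
! Added example (not from the thread): ASA 8.3+ config for
! Internet >> Router >> ASA >> TMG >> LAN.
! Constructed placeholder addresses:
!   203.0.113.0/29     ISP block (203.0.113.1 = ISP router)
!   192.168.100.0/30   transit link ASA E0/1 <-> TMG external NIC
!   10.0.0.0/16        LAN behind TMG (never seen by the ASA, see below)
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.252
!
! Default route towards the ISP router. No route for 10.0.0.0/16 is
! needed on the ASA (answer b in #9): TMG always NATs internal-to-external
! (#5), so the only source the ASA ever sees is the TMG external address.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! 1:1 static NAT of the TMG external interface to one public address
! (answer a in #9, "1 to 1 NAT rule" in #2). Proxy traffic from TMG
! leaves as 203.0.113.3; anything sent to 203.0.113.3 is translated
! back to 192.168.100.2.
object network TMG-EXTERNAL
 host 192.168.100.2
 nat (inside,outside) static 203.0.113.3
!
! Inbound from the internet: permit only TCP 80 and 443 to the TMG
! external address (the "restrict to 80 and 443" in #2). In 8.3+ the ACL
! names the real address via the object, not the translated one. The
! implicit deny at the end of the ACL drops everything else, so the ASA,
! not TMG, absorbs unsolicited inbound noise.
! If TMG is a forward proxy only and publishes nothing (the OP's case in
! #8), omit this ACL and the access-group entirely: the default
! security-level policy (outside 0 -> inside 100) already blocks all
! unsolicited inbound traffic, while return traffic for TMG's own
! outbound sessions is still permitted by stateful inspection.
access-list OUTSIDE-IN extended permit tcp any object TMG-EXTERNAL eq 80
access-list OUTSIDE-IN extended permit tcp any object TMG-EXTERNAL eq 443
access-group OUTSIDE-IN in interface outside
!
! Outbound from the transit link: only the TMG external address may reach
! the internet, so a host plugged into E0/1 beside TMG cannot bypass the
! proxy. DNS is not blocked here: per #12 the internal DNS servers still
! resolve recursively out through TMG and this ASA.
access-list INSIDE-OUT extended permit ip object TMG-EXTERNAL any
access-group INSIDE-OUT in interface inside
```

    The one thing this does not do is double-NAT the LAN in the sense #3 worried about: the ASA holds a single static translation for 192.168.100.2, and the LAN addresses never appear on the ASA at all because TMG has already translated them. To check the translation after applying it, `show nat detail` lists the object rule with its hit count, and `show xlate` shows the 192.168.100.2 to 203.0.113.3 entry once TMG has sent its first packet.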
  • #10
    Re: TMG behind Cisco ASA

    Hello,
    Do I have to create a rule for the internal DNS server on TMG?

    Samir.

  • #11
    Re: TMG behind Cisco ASA

    Furthermore, I don't want to allow internal DNS requests passing through the Cisco ASA.

    Samir

  • #12
    Re: TMG behind Cisco ASA

    Originally posted by samir381988:
      Hello,
      Do I have to create a rule for the internal DNS server on TMG?

      Samir.

    No, providing you have properly configured the internal and external networks and the corresponding network adaptors. Just configure the internal adaptor with the DNS settings.

    Originally posted by samir381988:
      Furthermore, I don't want to allow internal DNS requests passing through the Cisco ASA.

      Samir

    If you do the above, all the DNS traffic will go through the internal DNS (which will eventually go through the ASA box, but that's how it already should be configured anyway, so it'll use the existing rules).
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR

  • #13
    Re: TMG behind Cisco ASA

    Thank you all for the generous replies and for the support. I'll give it a try. I really appreciate the help.

    Samir.

  • #14
    Re: TMG behind Cisco ASA

    Originally posted by L4ndy:
      Well that's like saying I have a new front door now so I'll get rid of the gate..
      There is nothing wrong with having the TMG as a back firewall box whilst doing forward or reverse proxying as well. The ASA box can handle VPNs and NATting as well as being a solid hardware firewall.
      As I said, whilst TMG is more than capable of handling those on its own, why not use the ASA if it's there?
      There are no two layers of NATting, just two different rules..

    Not saying there's anything wrong with it, just that I wouldn't do it as it adds an unnecessary extra layer of complexity. I can see no benefit to terminating VPNs on the ASA, as they are still external to the TMG at that point.

    If it wasn't for the fact that the OP already has both products, I would have said don't buy TMG anymore given that it's been canned.
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog