03-30-2011 08:53 AM - last edited on 03-25-2019 05:46 PM by ciscomoderator
Hi all,
Got a bit of a conundrum I wanted to share; we are trying to achieve the following:
Branch Office (all traffic) -----> (vpn) -----> (Head Office ASA - DMZ interface) -----> (Head Office TMG) -----> (Head Office ASA - Outside Interface)
So all traffic from a branch office should be sent over a VPN to the head office, then forwarded to the TMG (Microsoft Forefront), which provides logging, filtering and policy application. If the traffic conforms to policy it will be routed via the ASA towards the internet.
So far the thoughts are:
Hairpin routing isn't applicable as we want to send the traffic to the TMG.
We can't set a default route to forward all traffic to the TMG as this would break everything.
Multiple contexts are not possible as there is no VPN support.
There is no policy based routing on the ASA, so we can't direct traffic coming from the VPN to the TMG.
We have applied PBR on the site router to set the next-hop recursive field on the packet to the TMG IP, but the traffic is not being forwarded via the VPN.
I've snipped out the VPN config below:
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <site psk> address <HO IP>
crypto ipsec transform-set MySet esp-aes 256 esp-sha-hmac
crypto map l2l-vpn 1 ipsec-isakmp
 set peer <HO IP>
 set transform-set MySet
 match address l2l_list
interface Vlan10
 ip address 10.70.5.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map filtered_traffic
ip access-list extended NAT
 deny ip 10.70.5.0 0.0.0.255 <Server IP Range>
 deny ip 10.70.5.0 0.0.0.255 <DMZ IP Range>
 permit ip 10.70.5.0 0.0.0.255 any
ip access-list extended l2l_list
03-31-2011 04:16 AM
Sorry, a little bit confused on the topology.
Which interface of the ASA do you terminate the VPN on? I believe the VPN is terminated on the outside interface of the ASA, which is where the Internet is routed? Is that correct? However, you would like to push all the VPN traffic towards the TMG, which is connected to the ASA DMZ interface?
If that is the case, you can configure tunnel default gateway to send all traffic from the VPN tunnel towards the TMG server.
Here is the command for your reference:
route dmz 0.0.0.0 0.0.0.0
That will force all traffic from VPN tunnel towards TMG server.
But the question is: would the traffic towards the Internet then be initiated from the TMG server itself after being inspected, or will the source of the traffic still be the actual branch office LAN IP?
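As an added example, not taken from any post in this thread: one way both ends could be configured for the "all branch traffic via the TMG" design under discussion, using a crypto ACL that matches all branch traffic plus a tunneled default route on the ASA instead of PBR on the branch router. All addresses, interface names and the TMG IP are placeholders.

```cisco
! ===== Branch router (IOS), assumed WAN interface and addresses =====
! Crypto ACL: whatever this matches is encrypted by the crypto map.
! Matching "any" sends Internet-bound traffic through the tunnel as well,
! not only the head-office server/DMZ ranges.
ip access-list extended l2l_list
 permit ip 10.70.5.0 0.0.0.255 any
!
! NAT exemption: traffic must not be translated before encryption, or the
! translated source no longer matches l2l_list and is sent out in the clear.
ip access-list extended NAT
 deny ip 10.70.5.0 0.0.0.255 any
!
interface FastEthernet0/0
 description WAN towards the Internet (placeholder addressing)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 crypto map l2l-vpn
!
ip nat inside source list NAT interface FastEthernet0/0 overload
! Plain default route: the crypto map intercepts matching traffic on the way out,
! so no route-map / set ip next-hop towards the TMG is needed on this side.
ip route 0.0.0.0 0.0.0.0 198.51.100.1

! ===== Head office ASA (placeholder addressing) =====
! Mirror image of the branch crypto ACL.
access-list l2l_branch extended permit ip any 10.70.5.0 255.255.255.0
!
! Normal default route: used by head-office hosts and the DMZ web servers.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Tunnel default gateway: applies only to traffic that arrived decrypted from a
! VPN tunnel and matches no more specific static/learned route, so branch
! traffic to head-office servers is still routed normally while its
! Internet-bound traffic is handed to the TMG's DMZ-side address.
! The ASA allows a single tunneled default route.
route dmz 0.0.0.0 0.0.0.0 172.16.1.10 tunneled
```

Verify on the branch router with `show crypto ipsec sa` (the encaps/decaps counters for the 10.70.5.0/24 -> 0.0.0.0/0 proxy identity should increase) and on the ASA with `show route`, which lists the tunneled route separately from the ordinary default.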
03-31-2011 04:42 AM
Hi, thanks for your reply.
I've attached a diagram of what we are trying to achieve. I came across the concept of tunneled routes in the ASA CLI config documentation, but didn't realise that they were specifically related to VPN traffic.
The TMG acts as a transparent proxy, so traffic will be routed to the TMG interface on the DMZ network and, if allowed, will be routed from the TMG on a different interface to the ASA to be routed out onto the web.
Would it be better to move the remote offices onto a dedicated interface? The DMZ is also used by web servers, and their traffic does not need to be inspected by the TMG.
04-01-2011 02:32 PM
Great, thanks for the diagram, that helps.
So after it has been inspected by the TMG, what would be the source of the web traffic towards the internet? Would it be sourced from the TMG, or would it just be sourced from the remote office LAN itself?
Also, how would the return traffic from the internet work? Is it supposed to be routed back towards the TMG, or will it go directly back to the remote office LAN?