Cisco ASA 5520 with Windows UAG Direct Access in DMZ

DJITS2009
Level 1

Hi,

I'm trying to set up Windows Server UAG for DirectAccess in a test lab. The UAG server has two network NICs, one in my test domain (internal) and the other in a DMZ of our Cisco ASA (external).

Our ASA DMZ has the subnet 192.168.3.x, but UAG DirectAccess needs public IP addresses.

Is there documentation on how to configure an ASA 5520 firewall so I can use my Windows UAG server with DirectAccess?

Thanks for helping me out.

DJITS.

7 Replies

Jennifer Halim
Cisco Employee

Assuming that you have an outside interface on your ASA and that the outside interface has a public IP address? Do you have a spare public IP address so you can assign that to NAT the Windows UAG DirectAccess private IP in your DMZ?

Can you share your ASA configuration so we can better understand your topology? Thanks.

Hi Jennifer,

Thanks for helping me out.

Yes, our ASA has an outside interface with a public IP address range, so we have more than enough public IP addresses. For DirectAccess to work I need two consecutive IP addresses configured on the external adapter of my UAG server, which is connected to one of our ASA DMZs.

Our ASA firewall has an outside interface, an inside interface and three DMZs. Our UAG server is connected to one of the DMZs, so it uses an internal IP address of 192.168.3.x. According to what I read, DirectAccess can't use NAT. The public IP addresses need to be transported through the ASA firewall somehow. I have no idea how to set this up, but I can't imagine that we have such a specific configuration wish.

I hope somebody has set this up before and can help me out.

Greetings,

DJITS.

Not quite sure how it will be transported if the Windows UAG DirectAccess interface itself is not assigned a public IP address, and if it can't be NATed, there isn't anything within the ASA that can somehow transport a public IP address to a private IP address without using NAT.

Hi Jennifer,

I do need to use public IP addresses on the Windows UAG server.

I need to assign two public IP addresses to the external interface of the Windows UAG server, the interface that is connected to the ASA firewall, on one of the DMZs. I just don't know how to configure the ASA firewall so that there can be communication over those two IP addresses through the ASA firewall. I don't want to put the Windows UAG server directly on the Internet.

I hope you understand my situation a bit better now.

Greetings,

DJITS.

I don't know how you are going to assign a public IP address to your Windows UAG DirectAccess server while you are actually connecting it to the DMZ that is in a private subnet.

Unless you are actually routing it via the DMZ interface of the ASA, you can't connect a server on a public IP address to the ASA when it is in a completely different subnet. They need to be in the same subnet to communicate.

If you connect the Windows UAG DirectAccess server to an L3 switch or a router and route the traffic to the ASA DMZ interface, that would work. But any interfaces that you connect between two devices need to be in the same subnet.

So if you have L3 switch or router in between, it would be as follows:

I am just using 100.5.5.x public subnet range as an example:

Windows UAG DirectAccess (100.5.5.1) -- (100.5.5.2) Router (192.168.3.2) -- (192.168.3.1, DMZ) ASA (outside) -- Internet

joel.salminen
Level 1

In short, you have to bypass the ASA in order to satisfy the UAG requirements.

What you need, if you don't have one in place, is a network switch or hub that sits between the Internet router and the ASA. You will connect the external interface of your UAG server to a port on this switch. You will then be able to use public IP addresses directly on that interface.

Lastly, you will connect an interface of your UAG server to your internal network switches. You will use a private IP address of your LAN for this interface.

Now, if you don't completely trust the UAG on the public Internet, you can apply an ACL on your Internet router interface to filter traffic. Of course, don't forget to leave the ACL open for the required traffic, otherwise you'll filter everything.

If you want to put the external interface of the UAG on a DMZ segment of your ASA, you can use nat 0. You can give your UAG server a public IP and have the ASA pass this traffic without NAT.

You don't have to bypass the ASA at all. It's a simple question of NAT bypass.
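The "nat 0" approach from the reply above, written out as a complete ASA configuration. This is an example added here; it is not from the thread, and not a Cisco or Microsoft reference configuration. It assumes the topology from Jennifer Halim's reply (a small router between the UAG external NIC and the ASA DMZ interface, carrying a routed public subnet), pre-8.3 ASA syntax (which is what "nat 0" belongs to), and made-up documentation addresses: 198.51.100.2/29 on the outside interface, 203.0.113.0/28 as the routed public subnet with 203.0.113.10 and 203.0.113.11 on the UAG external adapter, and 192.168.3.2 as the router's DMZ-side address. The interface names and the object-group and ACL names are also assumptions. The inbound rules permit only the traffic DirectAccess uses at the edge (IP-HTTPS on TCP 443, Teredo on UDP 3544, 6to4 as IP protocol 41, and ICMP echo), so the UAG is still behind the firewall even though it carries public addresses.

```cisco
! ASA 5520, pre-8.3 syntax. Addresses are documentation ranges chosen for
! this example, not the poster's real ones.
!
! Topology assumed (from the reply above):
!   UAG external NIC 203.0.113.10 / .11 (gateway 203.0.113.1)
!   -- 203.0.113.1 router 192.168.3.2 -- 192.168.3.1 dmz ASA outside
!   198.51.100.2 -- 198.51.100.1 ISP
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
! Default route to the ISP. The ISP must route 203.0.113.0/28 to
! 198.51.100.2, otherwise return traffic never reaches the ASA.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
! The routed public subnet sits behind the router on the DMZ segment.
route dmz 203.0.113.0 255.255.255.240 192.168.3.2 1
!
! Ordinary private DMZ hosts keep PAT to the outside address as before.
global (outside) 1 interface
nat (dmz) 1 192.168.3.0 255.255.255.0
!
! NAT exemption ("nat 0"): the UAG public subnet crosses the ASA
! untranslated in both directions, so DirectAccess sees real addresses.
access-list NO_NAT_UAG extended permit ip 203.0.113.0 255.255.255.240 any
nat (dmz) 0 access-list NO_NAT_UAG
!
! Inbound from the Internet: only the DirectAccess transition protocols,
! and only to the two consecutive UAG addresses (Teredo needs both).
object-group network UAG_EXTERNAL
 network-object host 203.0.113.10
 network-object host 203.0.113.11
!
! IP-HTTPS
access-list OUTSIDE_IN extended permit tcp any object-group UAG_EXTERNAL eq 443
! Teredo
access-list OUTSIDE_IN extended permit udp any object-group UAG_EXTERNAL eq 3544
! 6to4 (IPv6 in IPv4, protocol 41)
access-list OUTSIDE_IN extended permit 41 any object-group UAG_EXTERNAL
! ICMP echo, used by Teredo clients
access-list OUTSIDE_IN extended permit icmp any object-group UAG_EXTERNAL echo
! Everything else to the public subnet or the outside address is dropped and logged
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

Traffic from the UAG's external NIC leaves through the router to the DMZ interface, matches the exemption and is routed out unchanged; replies arrive on outside, are checked against OUTSIDE_IN, skip translation because of the same exemption, and follow the static route back to the router. DMZ-to-outside traffic is already permitted by the security levels, so no ACL is needed on the dmz interface for the outbound direction. On ASA 8.3 and later the `access-list NO_NAT_UAG` / `nat (dmz) 0` pair is replaced by an identity NAT rule (`object network UAG_PUBLIC`, `subnet 203.0.113.0 255.255.255.240`, `nat (dmz,outside) static UAG_PUBLIC`); the routes and the OUTSIDE_IN ACL stay the same. Before testing from a real client, `packet-tracer input outside tcp 192.0.2.10 40000 203.0.113.10 443` shows whether the ACL, the NAT exemption and the route to the dmz interface all line up, with no translation phase applied to the UAG address.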
