Cisco PIX and TMG 2010 configuration similarities

    Question

  • Hello,

    I am new to TMG and hope you don't mind the newbie questions.

    I am trying to replace the Cisco PIX 525 with TMG 2010. I am trying to find out how to match configuration on the PIX to the TMG 2010 with the following scenarios:

    - On the PIX, I created an access rule to allow a certain external IP to static route to an internal IP. The same goes for allowing ports (such as RDP) from external into internal. This is NAT.

    - On the PIX, I allowed only a certain IP (from anywhere in the world) to access an external IP, which in turn routes to an internal IP.

    I can't find anywhere in TMG 2010 how to perform this simple task. Please advise. Thank you in advance for your help.

    Monday, July 12, 2010 1:46 PM

All replies

  • Did you try to reproduce your needs on the Networking node => Network Rules tab to manage your NAT entries?
    Monday, July 12, 2010 2:57 PM
  • Both of those things are really the same thing,...done the same way.  The only difference between those two things was that one allowed any Source while the other only allowed one Source.
     
    You create a Server Publishing Rule,...more specifically it is called a Non-Web Server Publishing Rule.  For the FROM: in the Rule, use External to mean "anywhere in the world",...to limit to a single IP# create a Computer Object and use it in place of External in the Rule.
     
    This is a Reverse NAT function.
     
    The PIX was doing the same,...it was a Reverse NAT function.   You were not "static" routing anything anywhere with the PIX,...you were Reverse NATing.
     

    --
    Phillip Windell
     
    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
    Technet Library
     ISA2004
    http://technet.microsoft.com/en-us/library/cc302436(TechNet.10).aspx
     ISA2006
    http://technet.microsoft.com/en-us/library/bb898433(TechNet.10).aspx
     
    Understanding the ISA 2004 Access Rule Processing
    http://www.isaserver.org/articles/ISA2004_AccessRules.html
     
    Troubleshooting Client Authentication on Access Rules in ISA Server 2004
    http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc
     
    Microsoft Internet Security & Acceleration Server: Partners
    http://www.microsoft.com/isaserver/partners/default.mspx
     
    Microsoft ISA Server Partners: Partner Hardware Solutions
    http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
    -----------------------------------------------------
     
     
     
     
    Monday, July 12, 2010 3:26 PM
  • The problem I see with this is that with "Server Publishing" you are limited to a single protocol per rule. Are you saying that with the PIX you were allowing "All Traffic" from a single IP address to another single IP address and it was being NATted?

     

    Monday, July 12, 2010 4:48 PM
  • Hi Phillip,

    Thanks very much for the quick answer!

    As instructed, I used the "Publish Non-Web Server Protocols" option. It works with the default "From" traffic as "Anywhere".

    I don't see an option to create a "Computer Object". Below are the options:

    + Network
    + Network Sets
       Computers
    + Computer Sets
    + Address Ranges
       Subnets

    The address range only displays IPV6. I am trying to allow an IPV4 address. The "Computers" and "Subnets" options are inaccessible.

    I just want to accomplish one simple task of allowing a remote IPv4 address. Could you please advise how I could accomplish this? Thank you very much for your help.

    Tuesday, July 13, 2010 11:58 AM
  • Hi Tom,

    Yes, that is correct.

    Tuesday, July 13, 2010 11:58 AM
  • Hi Lionel,

    Thanks. I just now looked into that. Which would be the preferred method to use? Networking node => Network Rules or a Non-Web Server Publishing Rule?

    Tuesday, July 13, 2010 12:08 PM
  • Those are all "objects".
    Choose "Computer"
     
    I have never used IPV6,...probably be retired or dead by the time I am forced to.
     
    IPV4 and IPV6 have to be enabled,...maybe you only have IPV6 enabled.  You could also use an Address Range,...having the start and end address be the same number is valid,...it just means it is a range of "one" address.

    --
    Phillip Windell
     
    Tuesday, July 13, 2010 10:10 PM
  • There is no such thing as a "NAT Entry"
     
    ISA/TMG will never do a 1-to-1 NAT
    ISA/TMG will never do a Layer3-only Reverse NAT (meaning "all" protocols).  The protocol (Layer4) must always be specified explicitly.
     
    Changing the Network Relationship from "NAT" to "Routed" between the Internal and External can only be done when there is a Back-to-Back DMZ between the ISA/TMG and another "outer" Firewall.  This is because something must be NATing or Proxying between the LAN and public Internet and the "outer" firewall would be doing that.  I am assuming of course that no one is actually using Public Internet IP#s on their LAN and I don't even consider IPV6 to be part of the discussion.
     

    --
    Phillip Windell
     
    Tuesday, July 13, 2010 10:19 PM
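    Phillip's two points, the Server Publishing Rule mapping from his first reply (External for "anywhere", a Computer object for a single source IP) and the rule above that the Layer4 protocol must always be explicit, can be checked mechanically when migrating a PIX config. The script below is an added example, not code from the thread, from Cisco or from TMG: the PIX lines are constructed, and PublishingRule is a descriptive placeholder model, not TMG's object model.

```python
import re
from dataclasses import dataclass

# Constructed PIX 6.x-style snippet (not from the thread): one static 1-to-1
# NAT for a public address, plus three outside-in access-list entries for it.
PIX_CONFIG = """\
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
access-list outside_in permit tcp host 198.51.100.5 host 203.0.113.10 eq 3389
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-list outside_in permit ip host 198.51.100.7 host 203.0.113.10
"""

STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask \S+$")
ACL_RE = re.compile(
    r"^access-list \S+ (?:extended )?permit (tcp|udp|ip) "
    r"(any|host \S+) host (\S+)(?: eq (\S+))?$"
)


# Placeholder model of a TMG Non-Web Server Publishing rule (not TMG's API).
@dataclass
class PublishingRule:
    name: str
    source: str    # "External" (anywhere) or a Computer object for one IP
    listener: str  # public address TMG listens on
    server: str    # internal server the traffic is reverse-NATed to
    protocol: str  # explicit Layer4 protocol/port, e.g. "tcp/3389"


def translate(pix_config: str):
    """Pair each ACL entry with its static and emit a publishing rule.
    Returns (rules, unsupported): 'permit ip' or port-less entries are
    unsupported because TMG never does a Layer3-only (all-protocol) reverse NAT."""
    statics = {}  # public IP -> internal IP
    rules, unsupported = [], []
    for raw in pix_config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STATIC_RE.match(line)
        if m:
            statics[m.group(1)] = m.group(2)
            continue
        m = ACL_RE.match(line)
        if not m:
            unsupported.append((line, "unrecognised line"))
            continue
        proto, src, pub_ip, port = m.groups()
        if pub_ip not in statics:
            unsupported.append((line, "no static for public IP"))
            continue
        if proto == "ip" or port is None:
            unsupported.append((line, "needs explicit Layer4 protocol/port"))
            continue
        # 'any' becomes the External network; a single host becomes a
        # Computer object used in place of External in the rule's FROM.
        source = "External" if src == "any" else f"Computer object {src.split()[1]}"
        rules.append(PublishingRule(
            name=f"Publish {statics[pub_ip]} {proto}/{port}",
            source=source, listener=pub_ip, server=statics[pub_ip],
            protocol=f"{proto}/{port}"))
    return rules, unsupported


if __name__ == "__main__":
    ok, bad = translate(PIX_CONFIG)
    for r in ok:
        print(f"{r.name}: FROM {r.source} -> {r.listener} -> {r.server} ({r.protocol})")
    for line, why in bad:
        print(f"NOT TRANSLATABLE ({why}): {line}")
```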
  • Hi Phillip,

    Thanks. When I clicked on the "Computers", it doesn't let me do anything. The "Add" button is grayed out. The only other option is to close.

     

    When I clicked on "Address Ranges", it only shows IPV6 as an option. How do I enable IPV4 for it? I am not using IPV6 on my network and the network property also has IPV6 disabled.

     

    Thanks in advance for your help.

    Thursday, July 15, 2010 10:42 AM
  • I have never ever heard of that being greyed out.  I have no idea what to tell you there.
     
    If you are not using IPV6 then get rid of it.  In the Properties of each "Network connection" (in the OS,..not TMG),...remove any IPV6 address settings, uncheck the box next to IPV6 and only have IPV4 checked. Repeat on all Connections.
     

    --
    Phillip Windell
     
    Thursday, July 15, 2010 1:14 PM
  • @Phil - I believe that disabling IPv6 will impact TMG VPN functionality: http://social.technet.microsoft.com/Forums/en/ForefrontedgeVPN/thread/d033a9d1-aff6-4098-a002-e5e15ee1834c

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, July 15, 2010 3:35 PM
  • Lovely...

    --
    Phillip Windell
     
    Thursday, July 15, 2010 8:13 PM
  • Hi Jason,

    So we have to install the hotfix, and also enable IPv6? I thought the hotfix should correct the issue.

    Friday, July 16, 2010 4:02 PM
  • Hi Phillip,

    This is my mistake. I was somewhat blinded and didn't see the tiny option on the top left of the "Add" function. Within that section, I could add new objects, range, etc. This is fantastic. Thanks again for your help!

    Friday, July 16, 2010 4:04 PM
  • Oh.., ok, very good  :-)
     

    --
    Phillip Windell
     
    Friday, July 16, 2010 6:30 PM