Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Help with Watchguard Firebox M200 setup as a TMG 2010 replacement with ASA 5515 as main firewall

Status
Not open for further replies.

TheFireman2

IS-IT--Management
Mar 2, 2017
1
GR

Hi everybody! Nice to find you all here! :)

So here is our issue. As we have a TMG 2010 in use as a proxy server, which is no loger supported, we wanted to replace it. So we have bought a Watchguard Firebox M200 in order ro do so.

Our current topology is the following. Our internal network (PCs and servers) connect to switches which all have a set gateway, which is a central switch. This central switch has a default route which points to an ASA 5515 with CX installed. The ASA routes all traffic to a cisco 2901 router which has multiple WANs. The TMG IP is set in the Internet options of all PCs and servers as a proxy (via GPO). In the network setting of the network adapters (in the TCP/IPv4 options) we have set as gateway the IP address of the central switch.

This is a simplified decription of the network, as there are other things in play, such a a DMZ on the ASA, a couple of site to site VPNs on the ASA and annyconect users connecting from outside. But let's leave these aside in order to make the scenario simpler.

What we had in mind was to go slow at first and only replace the TMG 2010 Proxy function for the internet access of our users with the Firebox M200. At the same time we want to continue using the ASA 5515 for all that we have setup on it (which is quite a few things, no point in going into these now). So we just want to get rid of the TMG 2010 at first. Maybe later we will completely replace the ASA with the Firebox, but this is just a future plan for now.

What we had in mind was that we would simply replace the IP address of the TMG with the IP address of the Firebox (the one set in the Internet options of all PCs and servers as a proxy via GPO) and that would do the trick.

It turns out that it isn't working this way, or at least we haven't managed to get this to work so. When we set the IP of the proxy as the Firebox IP, at first it was blocked by the Firebox as it was identified as traffic to the Firebox. After allowed this, it is still not working, as we get no relevant entries on the traffic monitor, but on the browser we get an error message "The proxy server isn’t responding".

If we set the Firebox IP as the gateway on a network adapter options in the TCP/IPv4 options of the PC, the internet access works just fine.

So we are now wondering. Is it possible to use the Firebox as a proxy like we used to do with the TMG (defined as a proxy in the internet options)?

If not what are the alternatives?

Please keep in mind that, at least for the servers, we need to keep the ASA in play, so we cannot change the default gateway (in the the TCP/IPv4 options of the network adapters on the servers), as they would not connect with the ASA anymore and nothing else would work.

Unless there is a way the pass all the traffic (except for the HTTP and HTTPS ports) through the Firebox and towards the ASA. The only thing that confuses us at the time is that both these are on the inside/trusted network and the Firebox seems to only let traffic come out from an external. Or have we got this wrong.

Many thanks in advance for any help you can give.
 
You can run the WG in bridge mode


But why? The M200 blows the ASA out of the water in terms of performance and ease of configuration.

Emulating the ASA config onto the WG really isnt that hard. Your port forwarding is done with SNAT rules, and there are no nasty NAT + ACLs to configure.

I really think if you got someone in who knew their stuff :)-)) then migrating will be a simple case of changing a patch lead, and no one would even notice.

ACSS - SME
General Geek
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top