Configuring One-to-One NAT with TMG 2010

Posted: February 5, 2011 in Analysis

With the release of Microsoft Forefront Threat Management Gateway (TMG) 2010, advanced capabilities such as URL filtering, malware protection, the Network Inspection System (NIS), HTTPS inspection, and ISP redundancy seem to get most of the attention. There are many other improvements under the hood, however, and among the most important and helpful of those, in my opinion, is Enhanced NAT (E-NAT).

E-NAT allows you to create many-to-one and one-to-one IP address translations, as many firewalls (Cisco, Checkpoint, etc.) have done for years. Configuring one-to-one NAT in TMG is somewhat ambiguous, however. If you are familiar with Cisco and Checkpoint firewalls, you probably expect to see a NAT rule tab when you open the TMG management console and select the Networking node in the navigation tree. It isn’t there, unfortunately.

In TMG, you create a one-to-one NAT rule by creating a new Network Rule. Let’s say, for example, you wanted to translate all traffic coming from a particular internal host to a specific IP address assigned to the TMG firewall’s external network interface (not simply the default IP address for the interface). To accomplish this, open the TMG management console and highlight the Networking node in the navigation tree. Select the Network Rules tab in the center console window, then click Create a Network Rule in the Tasks pane. Give the new network rule a descriptive name and choose Next.


Figure 1

Specify the source of the traffic you wish to translate. In this example I have chosen a specific individual server. However, you have the option of selecting networks, network sets, computer sets, address ranges, and subnets as well. This provides maximum flexibility when establishing NAT relationships in TMG.


Figure 2

Specify the destination for which this NAT rule will apply. In this example I have chosen the External network, as I want to translate any outbound traffic from the server using this rule. Here you have the option of selecting networks, network sets, computer sets, address ranges, and subnets as well. Again, this allows granular control for address translation.


Figure 3

Select the Network Address Translation (NAT) option.


Figure 4

Select the Use the specified IP address option and select an IP address from the available list.

Note:
These IP addresses must be assigned to the network interface prior to creating this network rule, otherwise they will not appear in this list.


Figure 5

You also have the option to select the Use multiple IP addresses option which allows you to choose more than one IP address to use for this network rule. This is useful for enterprise arrays when NLB is not enabled.


Figure 6


Figure 7

It is important to understand that network rules, like firewall policy rules, are processed in order. For proper operation, more specific rules must be placed before less specific rules. In our example, the more specific rule defining a NAT relationship between a particular host and the External network must be placed before the general rule defining a NAT relationship between the entire Internal network (which the host is a member of) and the External network. After the wizard completes and before applying the configuration, make sure that this new network rule is listed before the general Internet Access network rule.


Figure 8

Once configured, any traffic originating from the host mail.celestix.net that is destined for the External network will match rule #3, in which the network relationship is defined as NAT and the NAT address is explicitly defined as 10.0.0.2 in our example.
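To make the ordering point concrete, here is a small Python model of how TMG processes the Network Rules table: top to bottom, first match wins. It is an added example for this post, not TMG's administration API or any code from the original article. The host name mail.celestix.net and the NAT address 10.0.0.2 come from the post; the Internal network range, the host's internal address, the external interface's default address and the source ranges used for the two default rules are assumptions made for the model. The `shadowed_rules` check goes a step beyond the single case in the post: it flags any rule whose source networks are entirely covered by an earlier rule for the same destination, which is exactly the misordering the text warns about.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed values for the walkthrough. The post names the host mail.celestix.net
# and the NAT address 10.0.0.2; everything else here is an assumption for the model.
INTERNAL = ipaddress.ip_network("192.168.1.0/24")    # assumed TMG Internal network range
MAIL_HOST = ipaddress.ip_network("192.168.1.25/32")  # assumed address of mail.celestix.net
DEFAULT_EXTERNAL_IP = "10.0.0.1"                     # assumed default IP of the external NIC
MAIL_NAT_IP = "10.0.0.2"                             # from the post


@dataclass
class NetworkRule:
    """One row of the Network Rules tab, in the order the wizard asks for the values."""
    name: str
    sources: list                 # ip_network objects: a host is a /32, a subnet a prefix
    destination: str              # TMG network name, e.g. "External"
    relationship: str             # "NAT" or "Route"
    nat_ip: Optional[str] = None  # None = the wizard's "Default IP address" choice

    def matches(self, src: ipaddress.IPv4Address, dest: str) -> bool:
        return dest == self.destination and any(src in net for net in self.sources)


def evaluate(rules, src_ip: str, dest: str = "External"):
    """First match wins, as TMG processes network rules from the top of the list.
    Returns (rule number, rule name, address the source is translated to) or None."""
    src = ipaddress.ip_address(src_ip)
    for number, rule in enumerate(rules, start=1):
        if rule.matches(src, dest):
            if rule.relationship == "NAT":
                translated = rule.nat_ip or DEFAULT_EXTERNAL_IP
            else:
                translated = None  # Route relationship: source address is preserved
            return number, rule.name, translated
    return None


def shadowed_rules(rules):
    """Flag rules that can never match because an earlier rule with the same destination
    already covers every source network they list. Returns (shadowed, shadowing) pairs."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.destination != later.destination:
                continue
            if all(any(net.subnet_of(e) for e in earlier.sources) for net in later.sources):
                findings.append((later.name, earlier.name))
                break
    return findings


def default_rules():
    """Rule table as the post recommends: the host rule sits above Internet Access
    and therefore becomes rule #3. Sources of the two default rules are assumptions."""
    return [
        NetworkRule("Local Host Access", [ipaddress.ip_network("127.0.0.1/32")], "All Networks", "Route"),
        NetworkRule("VPN Clients to Internal Network", [ipaddress.ip_network("192.168.50.0/24")], "Internal", "Route"),
        NetworkRule("Mail server NAT", [MAIL_HOST], "External", "NAT", nat_ip=MAIL_NAT_IP),
        NetworkRule("Internet Access", [INTERNAL], "External", "NAT"),
    ]


def misordered_rules():
    """The same table with the new rule left below the general Internet Access rule."""
    rules = default_rules()
    rules.append(rules.pop(2))
    return rules


if __name__ == "__main__":
    for label, rules in (("correct order", default_rules()), ("wrong order", misordered_rules())):
        print(label, "->", evaluate(rules, "192.168.1.25"), "shadowed:", shadowed_rules(rules))
```

In the correct order the mail host matches rule #3 and egresses as 10.0.0.2, while any other Internal host falls through to Internet Access and the interface's default address. In the wrong order the host matches Internet Access first and leaves with the default address, and the shadow check reports the host rule as unreachable; that is the condition to look for before applying the configuration.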

When configuring E-NAT on a TMG firewall that is also configured to use ISP redundancy (ISP-R), address translation may not work as expected. When both are configured, E-NAT rules take precedence and override any routing decisions made by ISP-R. Be sure to plan carefully when implementing both of these technologies.
