Configuring One-to-One NAT with TMG 2010

Introduction
With the release of Microsoft Forefront Threat Management Gateway (TMG) 2010, advanced capabilities such as URL filtering, malware protection, the Network Inspection System (NIS), HTTPS inspection, and ISP redundancy seem to get most of the attention. Under the hood there are lots of other improvements however, and among the most important and helpful of those, in my opinion, is Enhanced NAT (E-NAT).

Configuring One-to-One NAT

E-NAT allows you to create many-to-one and one-to-one IP address translations, as many firewalls (Cisco, Checkpoint, etc.) have done for years. Configuring one-to-one NAT in TMG is somewhat ambiguous, however. If you are familiar with Cisco and Checkpoint firewalls, you probably expect to see a NAT rule tab when you open the TMG management console and select the Networking node in the navigation tree. It isnt there, unfortunately. In TMG, you create a one-to-one NAT rule by creating a new Network Rule. Lets say, for example, you wanted to translate all traffic coming from a particular internal host to a specific IP address assigned to the TMG firewalls external network interface (not simply the default IP address for the interface). To accomplish this, open the TMG management console and highlight the Networking node in the navigation tree. Select the Network Rules tab in the center console window, then click Create a Network Rule in the Tasks pane. Give the new network rule a descriptive name and choose Next.

Figure 1

Specify the source of the traffic you wish to translate. In this example I have chosen a specific individual server. However, you have the option of selecting networks, network sets, computer sets, address ranges, and subnets as well. This provides maximum flexibility when establishing NAT relationships in TMG.

Figure 2 Specify the destination for which this NAT rule will apply. In this example I have chosen the External network, as I want to translate any outbound traffic from the server using this rule. Here you have the option of selecting networks, network sets, computer sets, address ranges, and subnets as well. Again, this allows granular control for address translation.

Figure 3

Select the Network Address Translation (NAT) option.

Figure 4 Select the Use the specified IP address option and select an IP address from the available list. Note: These IP addresses must be assigned to the network interface prior to creating this network rule, otherwise they will not appear in this list.

Figure 5

You also have the option to select the Use multiple IP addresses option which allows you to choose more than one IP address to use for this network rule. This is useful for enterprise arrays when NLB is not enabled.

Figure 6

Figure 7

It is important to understand that network rules, like firewall policy rules, are processed in order. For proper operation, more specific rules must be placed before less specific rules. In our example, the more specific rule defining a NAT relationship between a particular host and the External network must be placed before the general rule defining a NAT relationship between the entire Internal network (which the host is a member of) and the External network. After the wizard completes and before applying the configuration, make sure that this new network rule is listed before the general Internet Access network rule.

Figure 8 Once configured, any traffic originating from the host mail.celestix.net that is destined for the External network will match rule #3, in which the network relationship is defined as NAT and the NAT address is explicitly defined as 10.0.0.2 in our example.

E-NAT and ISP Redundancy

When configuring E-NAT on a TMG firewall that is configured to use ISP redundancy (ISP-R), address translation may not work as expected. When configured, E-NAT rules will take precedence and override any routing decisions made by ISP-R. Be sure to plan carefully when implementing both of these technologies.

Summary
Static many-to-one and one-to-one NAT is a feature that veteran ISA firewall administrators have been requesting for years. Finally, TMG now includes this capability. E-NAT allows fine-grained control over IP address translation, which is especially helpful when configuring the TMG firewall as a back firewall to a front firewall that includes ACLs for egress filtering.