Cannot connect/ping to any computer that has TMG 2010 as its default gateway across VPN (LAN)

Hi all,

Basically, I'm on the 192.168.102.0/24 range, which is part of our VPN network.
I'm trying to ping/RDP to a computer that is on the 192.168.101.0/24 network.

The TMG 2010 server is on 192.168.101.10. I can ping/connect to that server and to any machine that doesn't have 192.168.101.10 as its default gateway.

Any machine that has 192.168.101.10 as its default gateway can't be reached.
On the TMG server, in RRAS, I've added static routes for all my internal networks,
so the TMG server can ping all my internal ranges fine.

I think it's got to be something to do with the default gateway.

TMG's external card is on 192.168.200.1, so all traffic goes out of 192.168.200.1.
The static routes work fine, I can now verify:

I'm RDP'd to a machine that does not have its DG as 192.168.101.10, and from that machine I've RDP'd to a machine that does have its gateway as 101.10, and from there I can ping 192.168.102.1 fine.

So it's not routing. I've also created an RDP policy and a ping policy to allow it for all networks, and I've added all the internal ranges to TMG.

Can anyone shed any light? I'm baffled!
Thanks
awilderbeast (LVL 1) asked:
Bruno PACI (IT Consultant) commented:
Hi,

ISA/TMG server will NEVER let an IP answer packet pass for an IP query that did not already pass through the ISA/TMG server... Let me explain what I suppose happens for you:

From a computer C1 that is on subnet A you ping a computer C2 that is on subnet B... computer C1 uses a default gateway G1 that is not the TMG server... computer C2 uses the TMG server as its default gateway...

From computer C1 you run PING C2.
An ICMP query packet goes out from C1 and is given to the default gateway G1. As G1 is a simple router, it transmits the ICMP query to subnet B and the packet reaches computer C2.
Computer C2 then replies with an ICMP response. As TMG is the default gateway, this packet is sent to TMG.

TMG receives an ICMP response that doesn't match any ICMP session that TMG knows... because the ICMP query never passed through TMG. TMG is not a router, it is a firewall! That means it will verify any packet that is given to it, and its job is to drop any unknown packet. In your case the packet is unknown because TMG cannot accept receiving an ICMP answer without any ICMP query before it.

That explains why C1 never receives the ICMP answer to the PING command.

Now, why does it work from C2 pinging C1!? Explanation:

C2 sends an ICMP query to C1 via the default gateway TMG.
If there is a rule in TMG that allows ICMP between subnet B and subnet A, then TMG lets the ICMP packet go through... TMG also memorizes that an ICMP dialog has been initiated and expects to see an answer coming back in the following seconds.
Anyway, the ICMP query reaches C1, which answers with an ICMP response. This ICMP response is sent to C2 via the G1 gateway.
As G1 is a simple "stupid" router, its job is to pass network packets from one subnet to the other without looking at what these packets are for.
So... G1 does its job and transmits the ICMP answer packet to subnet B, to computer C2.

Computer C2 receives the ICMP answer and then displays "Successfully pinging C1... echo reply".

Meanwhile... TMG expects the ICMP answer to come back and is ready to let this answer pass, as TMG knows that an ICMP query has been initiated. Unfortunately, the ICMP answer will not come back through TMG because C1 is configured to use another gateway...
The poor TMG server waits and waits for a while (around 30 seconds) and finally supposes that the ICMP target is dead or whatever... anyway, TMG will then decide to stop waiting, will erase the ICMP dialog from its memory and will probably write something in its log saying "Session closed (timeout)".

The moral is that, if you want things to work well with TMG, you must ensure that the IP configuration on client computers is "normal": if query packets have to pass through TMG, then the IP route back must also pass through TMG...

Have a good day.

awilderbeast (Author) commented:
OK, I follow you now.

How can I get round it?

Create routes on my router so that all traffic destined for the 101.0/24 network goes to the external interface of the TMG server, 200.1? If I did that, would the TMG server know what to do with the traffic?

Thanks
Bruno PACI (IT Consultant) commented:
Hi,

Well, the best way is to not put the TMG as the default gateway on your client computers. Make them use your usual router (let's call it ROUTER1) that links subnets 192.168.101.0 and 102.0...

The route to go to 192.168.200.0 (what is behind your TMG, if I understood well) via TMG should be added in the IP route table of your router ROUTER1.
So... all client computers that need to reach a subnet that is not their own subnet will send IP packets to IP router ROUTER1.
ROUTER1 will use its route table to transmit the packet: if the packet is for 192.168.102.0 then ROUTER1 delivers it on its 192.168.102.x interface; if the packet is for 192.168.200.0 then ROUTER1 transmits it to the next router, which is TMG 192.168.101.10. TMG will then do its job with this packet...

You have to make things the simplest, so that your usual IP router is the central point for any trans-subnet packet. Doing it like that, you ensure that TMG will only be involved in internal-external traffic and not in internal-internal traffic.

Have a good day.
awilderbeast (Author) commented:
OK, I get that now, thanks.

What do you suggest as a solution? Alter my router's routing table?

Send all packets destined for the 192.168.101.0/24 network to TMG's internal interface, and then TMG will know what to do with the rest?

Thanks
Bruno PACI (IT Consultant) commented:
Hi,

In my opinion, the best way is to alter your routing table.
If you want to pass through TMG for all network traffic between 192.168.101.0 and 192.168.102.0, you'll have to create so many rules to allow normal traffic between these subnets that you will probably give up and create a single rule allowing ALL traffic between these subnets... And then what is the interest of having a firewall on the way if it allows all traffic?

If I have understood well, these 2 subnets (192.169.101.0 and 192.168.102.0) are all internal networks!? Do you really want to restrict network traffic between them? If not, avoid having the firewall in the middle of the path; instead go through your router.

You'll pass through your firewall only for traffic going to the 192.168.200.0 subnet and others. For that you have two options:
1) Configure a static route on all your computers so that traffic to 192.168.200.0 is transmitted to the TMG server.
2) Don't touch IP routes on computers, but instead add the IP route to your router, which is the default gateway for all your computers.

Have a good day.
awilderbeast (Author) commented:
I can't think how to avoid having the firewall in between the 2.

My network goes as per the screenshot.

layout.jpg
Bruno PACI (IT Consultant) commented:
Hi,

OK... to be sure of what we are talking about, I modified your schema, adding numbers to the routers.

By the way, are you sure of the IP address 192.168.100.254 on ROUTER 1??? Isn't it 192.168.101.254!??

layout.jpg
Bruno PACI (IT Consultant) commented:
So... I'm now supposing your schema had an error and the IP address on ROUTER 1 is 192.168.101.254 instead of 192.168.100.254.

The location of the TMG server in your network is not really clear... What exactly do you want to use TMG for??? Do you want to use it to manage traffic going to the Internet only? And in this case, what sort of protocols do you want to manage? Web only (http, http, ftp)? Any other?

If you want to use TMG to manage all outgoing traffic from your internal subnets 192.168.101.0 and 192.168.102.0, then why is there a direct Internet connection on ROUTER 2?

If you want your TMG to be a Web Proxy server only, then the best solution is to remove one NIC and leave only ONE NIC on TMG. For Web traffic to pass through TMG you'll then have to declare its IP address as the proxy in the Internet Explorer configuration on your client computers.

If you want TMG to manage any traffic going to the Internet, then its location is bad: you cannot force traffic from 192.168.102.0 outgoing to the Internet to pass through TMG, because ROUTER 2 has a network interface directly connected to the Internet and will therefore route outgoing traffic via this interface.

If you want TMG to manage traffic going to the Internet from 192.168.101.0 only, then the best location is between ROUTER1 and the Internet.

If this location is not possible because you cannot change anything on ROUTER1, or if you don't want to change the location of TMG, the only solution to make the whole thing work is to make a specific IP route configuration on the client computers of subnet 192.168.101.0, by doing this:
1) Declare the IP of TMG (192.168.101.10) as the default gateway in the TCP/IP configuration of each client computer in subnet 192.168.101.0.
2) Add the following static IP route on each client computer of subnet 192.168.101.0 using this command: ROUTE ADD 192.168.102.0 MASK 255.255.255.0 192.168.101.254 /P

Configured like that, client computers of subnet 192.168.101.0 will send all IP packets for 192.168.102.0 to ROUTER 1, which will transmit them to ROUTER2 to reach the destination. TMG will not be involved in dialogs between 192.168.101.0 and 192.168.102.0.
To reach any other subnet than 192.168.101.0 and 192.168.102.0, client computers will send IP packets to TMG (as it is their default gateway). TMG will manage the packets and will block or allow them depending on its firewall rules. Of course, TMG must be configured so that its default gateway is ROUTER 1 (192.168.200.254).

Have a good day.
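The asymmetric-routing drop Bruno describes in his first comment, and the effect of the static route from his last one, as an added toy model in Python (not code from the thread or from TMG). Hosts, a stateless ROUTER1 and a TMG-like stateful filter are simulated; the .20 host addresses and a single ROUTER1 holding the 101.254, 102.254 and 200.254 interfaces are assumptions, the other addresses come from the thread.

```python
from ipaddress import ip_address, ip_network

class Node:
    """Plain router: connected /24s, static routes, default gateway; keeps no state."""
    def __init__(self, name, addrs, routes=(), gateway=None):
        self.name, self.addrs = name, [ip_address(a) for a in addrs]
        self.routes = [(ip_network(n), ip_address(h)) for n, h in routes]
        self.gateway = ip_address(gateway) if gateway else None
    def next_hop(self, dst):
        if any(dst in ip_network(f"{a}/24", strict=False) for a in self.addrs):
            return dst                                   # on-link: deliver directly
        return next((h for n, h in self.routes if dst in n), self.gateway)
    def forward(self, pkt):                              # OWNER maps IP -> node
        hop = self.next_hop(pkt["dst"])
        return hop is not None and OWNER[hop].receive(pkt)
    receive = forward
class Host(Node):
    def ping(self, dst):                                 # True iff the echo reply came back
        return self.forward({"src": self.addrs[0], "dst": ip_address(dst), "type": "request"})
    def receive(self, pkt):
        if pkt["dst"] not in self.addrs:
            return self.forward(pkt)
        if pkt["type"] == "request":                     # answer the echo request
            return self.forward({"src": pkt["dst"], "dst": pkt["src"], "type": "reply"})
        return True
class Firewall(Node):
    """TMG-like stateful filter: a reply only passes if its request was seen first."""
    def __init__(self, *args, **kw):
        super().__init__(*args, **kw)
        self.sessions, self.dropped = set(), []
    def receive(self, pkt):
        if pkt["type"] == "request":
            self.sessions.add((pkt["src"], pkt["dst"]))  # remember the dialog
        elif (pkt["dst"], pkt["src"]) not in self.sessions:
            self.dropped.append(f"unsolicited reply {pkt['src']} -> {pkt['dst']}")
            return False
        return self.forward(pkt)
OWNER = {}
def run(c2_routes=()):
    """Wire up the thread's layout (assumed: .20 hosts, one ROUTER1 with three interfaces)."""
    nodes = [Host("C1", ["192.168.102.20"], gateway="192.168.102.254"),
             Host("C2", ["192.168.101.20"], routes=c2_routes, gateway="192.168.101.10"),
             Firewall("TMG", ["192.168.101.10", "192.168.200.1"], gateway="192.168.200.254"),
             Node("ROUTER1", ["192.168.101.254", "192.168.102.254", "192.168.200.254"])]
    OWNER.clear(); OWNER.update({a: n for n in nodes for a in n.addrs})
    c1, c2, tmg = nodes[:3]   # (C1 pings C2, C2 pings C1, half-open TMG sessions, drops)
    return c1.ping("192.168.101.20"), c2.ping("192.168.102.20"), len(tmg.sessions), tmg.dropped
# C2's equivalent of: ROUTE ADD 192.168.102.0 MASK 255.255.255.0 192.168.101.254 /P
FIX = [("192.168.102.0/24", "192.168.101.254")]
```

`run()` reproduces the thread: C1's ping fails because TMG drops the reply it never saw a request for, while C2's ping succeeds but leaves a half-open session on TMG; `run(FIX)` keeps both directions on ROUTER1 and TMG sees nothing.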