
Internal Routing Problem -- MS Forefront TMG & RRAS

I have the following topology:

SERVER1
10.99.99.10
------------
10.99.99.1
FOREFRONT TMG
192.168.0.18
------------
192.168.0.250
SERVER2003 RRAS
192.168.2.250
------------
192.168.2.12
USER-PC1

I need to get SERVER1 to ping USER-PC1 and vice versa.
What routing rules do I need to implement on FOREFRONT TMG and SERVER2003 RRAS?
Can you please be specific in any answer? What steps would I take on each machine?

Finally, what firewall policies must I configure on FOREFRONT TMG to make this work?
Thanks!
Asked by CANI
1 Solution

bornskir commented:
Make sure default routes are configured correctly on the USER-PC1 and SERVER1

Configure a static route on FOREFRONT TMG

192.168.2.0 255.255.255.0 192.168.0.250

This will send all traffic for the 192.168.2.x subnet through 192.168.0.250.

On SERVER2003 RRAS, you will probably need to set up a static route:

10.99.99.0 255.255.255.0 192.168.0.18

As for firewall rules, that depends on what traffic you need. Just for ping, make sure ICMP is allowed.

CANI (author) commented:
Great, I actually had that setup already. Just wanted to confirm my logic was right.

The issue persists: USER-PC1 cannot ping FOREFRONT TMG.

(USER-PC1 can ping other nodes on the 192.168.0.0 network, so I believe SERVER2003 RRAS is working fine)

I believe this is because Forefront TMG is dropping packets from the 2 subnet.  I've tried adding Firewall Policies to accept traffic from the 2 subnet but it's still not working.  Additionally Forefront TMG doesn't seem to be routing packets on to the 10.99.99.0 network ... I'm thinking it's another firewall policy problem.

CANI (author) commented:
Thought I'd throw in that SERVER2003 RRAS can ping FOREFRONT TMG just fine.

simonlimon commented:
Can you try pinging TMG from USER-PC1 and see what happens under session states?

TMG console: Logs and Reports > Logging tab.

Make sure you log all traffic from 192.168.2.12.

CANI (author) commented:
Thanks for the tip on the logging.

The issue here was that the "Internal Network" as defined on TMG only contained the 192.168.0.0 subnet. Once I added the 192.168.2.0 subnet (Networking > Networks > double-click Internal > Add Range), it started working. It seems that no matter what's defined in the Firewall Policy, the IPs must be defined as some kind of Network first in order to pass traffic.
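Putting bornskir's static routes and CANI's final fix together, the following is a small Python model, added here as an illustration (it is not TMG or RRAS code and was not posted by anyone in the thread), of how an echo request travels through this topology and where TMG drops it. The hosts, addresses and static routes are the ones from the question and the accepted answer. The names of the two TMG networks (`Internal` for the 192.168.0.18 adapter, `ServerNet` for the 10.99.99.1 adapter), the single ICMP allow rule, and the end hosts having only a default route are assumptions made for the example. The check it models is TMG's anti-spoofing rule: a packet whose source address is not inside the network assigned to the receiving adapter is dropped before any firewall policy rule is evaluated, which is why extra policy rules had no effect until 192.168.2.0/24 was added to the Internal network.

```python
"""Model of the thread's topology: static routes per host plus TMG's
network-membership (anti-spoofing) check. Illustration only, not TMG code."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Host:
    name: str
    interfaces: dict[str, Net]                                   # address -> connected subnet
    routes: list[tuple[Net, str]] = field(default_factory=list)  # prefix -> next hop
    # The three fields below are only populated on the TMG host (assumed names).
    iface_network: dict[str, str] = field(default_factory=dict)  # address -> TMG network
    networks: dict[str, list[Net]] = field(default_factory=dict)  # TMG network -> ranges
    allowed: set[str] = field(default_factory=set)               # protocols policy permits

    def next_hop(self, dst: IPv4) -> Optional[str]:
        """Longest-prefix match; a connected subnet delivers straight to dst."""
        best: Optional[tuple[int, str]] = None
        for subnet in self.interfaces.values():
            if dst in subnet:
                best = (subnet.prefixlen, str(dst))
        for prefix, hop in self.routes:
            if dst in prefix and (best is None or prefix.prefixlen > best[0]):
                best = (prefix.prefixlen, hop)
        return best[1] if best else None

    def accepts(self, src: IPv4, iface: str, proto: str) -> Optional[str]:
        """Return None to accept the packet, or the reason it is dropped."""
        if not self.iface_network:          # plain router or end host: no checks
            return None
        netname = self.iface_network[iface]
        if not any(src in r for r in self.networks.get(netname, [])):
            # TMG drops this as a spoofed packet before consulting policy.
            # (Real TMG also requires its route to src to point out this
            # adapter, which the static route provides; not modelled here.)
            return f"{src} is not in TMG network '{netname}' on {iface}"
        if proto not in self.allowed:
            return f"firewall policy has no rule allowing {proto}"
        return None


def build_topology() -> dict[str, Host]:
    """The four hosts from the question with the routes from the answer."""
    return {h.name: h for h in [
        Host("SERVER1", {"10.99.99.10": Net("10.99.99.0/24")},
             routes=[(Net("0.0.0.0/0"), "10.99.99.1")]),
        Host("FOREFRONT TMG",
             {"10.99.99.1": Net("10.99.99.0/24"), "192.168.0.18": Net("192.168.0.0/24")},
             routes=[(Net("192.168.2.0/24"), "192.168.0.250")],
             iface_network={"10.99.99.1": "ServerNet", "192.168.0.18": "Internal"},
             networks={"ServerNet": [Net("10.99.99.0/24")], "Internal": [Net("192.168.0.0/24")]},
             allowed={"icmp"}),
        Host("SERVER2003 RRAS",
             {"192.168.0.250": Net("192.168.0.0/24"), "192.168.2.250": Net("192.168.2.0/24")},
             routes=[(Net("10.99.99.0/24"), "192.168.0.18")]),
        Host("USER-PC1", {"192.168.2.12": Net("192.168.2.0/24")},
             routes=[(Net("0.0.0.0/0"), "192.168.2.250")]),
    ]}


def add_range(tmg: Host, network: str, cidr: str) -> None:
    """The fix from the thread: Networking > Networks > Internal > Add Range."""
    tmg.networks.setdefault(network, []).append(Net(cidr))


def trace(hosts: dict[str, Host], src_host: str, dst: str,
          proto: str = "icmp", max_hops: int = 8):
    """Follow one packet hop by hop; returns (path, drop_reason_or_None)."""
    addr_map = {IPv4(ip): h for h in hosts.values() for ip in h.interfaces}
    dst_ip, cur = IPv4(dst), hosts[src_host]
    src_ip = IPv4(next(iter(cur.interfaces)))
    path = [cur.name]
    for _ in range(max_hops):
        hop = cur.next_hop(dst_ip)
        if hop is None:
            return path, f"{cur.name} has no route to {dst_ip}"
        nxt = addr_map.get(IPv4(hop))
        if nxt is None:
            return path, f"{cur.name}: next hop {hop} is not on any link"
        path.append(nxt.name)
        reason = nxt.accepts(src_ip, hop, proto)   # hop is nxt's receiving address
        if reason:
            return path, f"dropped by {nxt.name}: {reason}"
        if IPv4(hop) == dst_ip:
            return path, None
        cur = nxt
    return path, "hop limit exceeded"


if __name__ == "__main__":
    hosts = build_topology()
    print(trace(hosts, "USER-PC1", "192.168.0.18"))  # dropped at TMG as spoofed
    add_range(hosts["FOREFRONT TMG"], "Internal", "192.168.2.0/24")
    print(trace(hosts, "USER-PC1", "10.99.99.10"))   # delivered
    print(trace(hosts, "SERVER1", "192.168.2.12"))   # reply path also works
```

Before `add_range` is applied the trace stops at FOREFRONT TMG with a spoofing reason even for a ping aimed at TMG's own 192.168.0.18 address, matching the symptom in the thread; clearing the RRAS static route instead produces a "no route" stop at RRAS, so the two failure modes are distinguishable. On the real boxes the routes from the answer correspond to `route add 192.168.2.0 mask 255.255.255.0 192.168.0.250 -p` on TMG and `route add 10.99.99.0 mask 255.255.255.0 192.168.0.18 -p` on the RRAS server; the network range change is done in the TMG console as CANI describes.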