Solved

Forefront Threat Management Gateway 2010 - Unable to ping external IP address of local host

Posted on 2010-11-29
1,426 Views
Last Modified: 2012-05-10
I believe I've done everything necessary to allow any PC to ping the external interface on the external host, but I seem to have an issue.

My server has 4 NICs.
NIC1: Internal Clients 192.168.1.x
NIC2: Perimeter Clients 192.168.2.x (our wireless clients)
NIC3: External 165.138.134.x (Internet using our T1)
NIC4: Insight Internet Provider (Internet using Broad Band, mainly for wireless clients)

I've set up dual-host ISPs and that seems to be working just fine.

When I ping each of the server's NICs I get a response back from all of them except the 165.138.134.1 IP address. I've bound 165.138.134.2 to the server and I can ping that address just fine, but not the .1 IP address.

I've set up ICMP (Ping) under Remote Management and ICMP under Diagnostic Services to allow from all networks (and local host). I intend to turn that off after I've verified that everything is working as expected.

Any ideas? I've already set up an access rule for ping to be allowed from and to all networks (including local host).

P.S. I set up a log to monitor my PC and all my traffic is showing up except when I ping the 165.138.134.1 address. Nothing at all is showing up.

Question by:CubeRoot
12 Comments
 
LVL 15

Accepted Solution

by:
Greg Besso earned 1336 total points
ID: 34243117
Just to check, you want to allow pings to hit your TMG's public-facing NIC?
Any reason why?
 
LVL 3

Author Comment

by:CubeRoot
ID: 34251184
I only wanted to allow it so I could see that everything is working right. I plan on turning off the ping after I know all the routing is working fine. I've messed with this for a day now and at some point it started working a little differently. I'm now able to ping the external address from the Internet, but not from an internal client. I'm swamped with administrative stuff at the moment. I'll do a full test of what is and isn't working later today and post an update.

P.S. I fear I have a routing issue, like the return ping is being misdirected.
 
LVL 10

Assisted Solution

by:simonlimon
simonlimon earned 664 total points
ID: 34270436
If you want to check connectivity, PortQryUI from MS is a better tool. You can query specific ports on the IP. Even UDP responses.
 
LVL 3

Author Comment

by:CubeRoot
ID: 34346560
I was on vacation for a week. I've done some research and here's my problem. I originally had a Windows 2000 server with ISA 2006 loaded and everything worked just fine. I've upgraded to Windows 2008 Enterprise Edition w/ Threat Management Gateway. Everything works pretty much as expected, but I do have an annoying problem. It's annoying because I don't know why, and I have some hard-coded DNS entries on a few machines in the building that I will need to change or fix this issue. I've gone over my rules and to the best of my ability everything looks good, but here's what's happening.

Firewall NICs
192.168.1.254 Internal Network
192.168.2.254 Perimeter Network (Wireless)
165.138.134.1 External (Load balancing ISP's)
74.143.90.220 External

The Internal network has an internal DNS server and a DHCP server and works as expected.
The public wireless (Perimeter) has a DHCP server working on the Perimeter network which directs clients to the external DNS server (the one that the rest of the world sees), which runs on the firewall's external IP addresses 165.138.134.1 & 165.138.134.2.

165.138.134.2 is working and responds to clients. 165.138.134.1 ignores all requests.

I used a PC on the internal network to ping 165.138.134.1 while logging all events for that client and nothing shows up in the log.
When I ping 165.138.134.2 or 165.138.134.254 (router) I get the ping results, but still nothing shows up in the logs.
If I ping www.google.com I get results.

I'm thinking it's something related to the external subnet. I'm not sure where to go from here.



 
LVL 3

Author Comment

by:CubeRoot
ID: 34381401
The more I play with this, the more I think it just won't let me publish anything to 165.138.134.1, but to any other address is just fine.
 
LVL 15

Expert Comment

by:Greg Besso
ID: 34401957
Back to your original concern: pinging is not going to tell you that everything is working properly. It's just going to expose your server in a way you don't need to expose it.

If you are publishing services, try telnet to the public IP and port you are trying to publish.
Or just try accessing the services you are publishing.
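Both replies above point the same way: rather than pinging the outside adapter, check the published ports themselves, with telnet or PortQry. The script below is an added example written for this page, not code from the thread or from Microsoft. It does the same check in a scripted, repeatable form: it connects to each published port on each external address and separates "open" (handshake completed), "refused" (RST came back, so the address is reachable but nothing listens there) and "filtered" (no answer at all). That last class is the poster's symptom, and from the client it cannot be told apart from a TMG deny rule, a misrouted reply, or the address simply not being bound, which is why the comparison between the two addresses is the useful signal. The addresses and ports are a constructed stand-in for the thread's setup (two external TMG addresses, a few of the "dozen or so" published services); substitute your own.

```python
"""Probe the same published ports on two external addresses and flag
the ones that answer differently.

Added example, not code from the Experts Exchange thread or from
Microsoft.  The addresses and ports below are a constructed stand-in
for the thread's setup; substitute your own before running it.
"""
import socket
from typing import Dict, Iterable, List, Tuple

# Constructed sample input: the two external addresses mentioned in the
# thread and three of the "dozen or so" published services.
PUBLISHED_IPS: List[str] = ["165.138.134.1", "165.138.134.2"]
SERVICE_PORTS: List[Tuple[str, int]] = [("dns", 53), ("smtp", 25), ("http", 80)]


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP connect attempt.

    'open'      handshake completed: the firewall passed the SYN and a
                listener answered.
    'refused'   RST came back: the address is reachable but nothing is
                listening on that port (listener bound elsewhere).
    'filtered'  nothing came back before the timeout: the SYN was dropped
                silently.  A deny rule, a reply routed the wrong way and
                an address that is not bound at all look identical here,
                which is the thread's "no reply at all" symptom.
    'error'     any other failure (no route to host, bad address, ...).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "error"
    finally:
        sock.close()


def compare_ips(ips: Iterable[str], services: Iterable[Tuple[str, int]],
                timeout: float = 2.0) -> Dict[str, Dict[str, str]]:
    """Probe every service on every address; return {ip: {service: status}}."""
    services = list(services)
    return {ip: {name: probe_tcp(ip, port, timeout) for name, port in services}
            for ip in ips}


def inconsistent_services(results: Dict[str, Dict[str, str]]) -> List[str]:
    """Names of services whose status is not the same on every address.

    If every service differs in the same direction ('open' on one
    address, 'filtered' on the other), the problem is the address or the
    route to it, not any single publishing rule.
    """
    names = sorted({name for statuses in results.values() for name in statuses})
    return [n for n in names
            if len({statuses.get(n) for statuses in results.values()}) > 1]


def local_listener(port: int = 0) -> Tuple[socket.socket, int]:
    """Open a loopback listener (port 0 = let the OS pick) so the probe
    can be exercised offline; returns (socket, bound port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    results = compare_ips(PUBLISHED_IPS, SERVICE_PORTS)
    for ip, statuses in results.items():
        print(ip, statuses)
    print("services answering differently:", inconsistent_services(results))
```

Run it from an internal client and again from an outside host, since the thread shows the two vantage points behaving differently. Pair each run with the TMG log filtered on the client's IP: a "filtered" result that produces a denied-connection entry is a rule problem, while a "filtered" result with no log entry at all (what the poster saw) suggests the packet never reached the policy engine, which is a binding or routing question rather than an access-rule one.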
 
LVL 3

Author Comment

by:CubeRoot
ID: 34521143
This problem still exists but I must admit that I've moved on to more pressing issues. I'm considering that I might have a routing issue but nothing is standing out specifically.
 
LVL 15

Assisted Solution

by:Greg Besso
Greg Besso earned 1336 total points
ID: 34521593
Well, what is the actual root problem that you want to solve? Can you pinpoint one single publishing rule that is not working, or is outgoing traffic not working in any way that you would like it to?

I think if there is a specific problem other than being able to ping the outside adapter, it will be easier to begin troubleshooting.
 
LVL 3

Author Comment

by:CubeRoot
ID: 34686133
I have, of course, a dozen or so published services, ranging from DNS and email to websites. I have set the External listener to listen on 165.138.134.1 and 165.138.134.2. If I try using any of the published services on 165.138.134.1 I get no reply at all. If I try 165.138.134.2 then it works fine.

Both IPs are bound to the FTMG.
 
LVL 3

Author Comment

by:CubeRoot
ID: 35168593
I may revisit this issue in the future. At the moment I'm just not posting anything on the primary external ip address. If someone wants to clean this up, that's fine.
 
LVL 3

Author Comment

by:CubeRoot
ID: 36010738
Somewhere along the way this problem cleared itself up. I don't remember doing anything that would fix the issue, but I retested the problem and it appears to be gone. Don't you love problems like this... I have no idea if the problem will return or not.
 
LVL 3

Author Closing Comment

by:CubeRoot
ID: 36010765
Thank you for your comments on this problem. Since the issue cleared itself up, there's no way to continue diagnosing the problem. Thank you for your efforts.
