xiss (Netherlands) asked:

Forefront TMG Site-to-Site VPN traffic one-way

Hi Everyone,

After some battling with our new ASA I finally have a site-to-site VPN between our office and our datacenter. Now I've got a new challenge.
From our office (172.30.10.0/24) I can connect to our datacenter network (192.168.100.0/24) and I can access the devices there. But when I want to access devices on our office network I can't connect. I used the site-to-site wizard on both the ASA and the Forefront, but it seems something is not configured on our Forefront TMG and I can't figure out what it is.

When I try to ping a device on the office network from a client I get "Reply from 172.30.5.10: Destination host unreachable.", and if I ping it from our Forefront TMG server I just get "Request timed out.". If I look at the Forefront log it doesn't even mention the connection or the ping...

Regards,
Kasper
Tags: Microsoft Forefront ISA Server, Cisco

serchlop (Mexico):

I think that you need to create a rule to allow traffic from one side of the VPN to 172.30.5.10.

You can create it in Firewall Policy: add an access rule and configure it to allow all traffic between both sides of your VPN.
xiss (asker):

The strange thing is that the reply comes from 172.30.5.10 while I'm pinging 172.30.10.10. I also created a rule allowing all outbound traffic from Internal / Site-to-Site VPN to Internal / Site-to-Site VPN.
xiss (asker):

See the picture (Capture.PNG).
SOLUTION by serchlop
ASKER CERTIFIED SOLUTION by xiss
xiss (asker):

I solved it; there was an old hidden route. Thanks for your help!
serchlop:

The Forefront server should be able to contact both networks. If you cannot contact the network at the other end of the VPN then, as you say, you could create a route to that network.

For example, use

route -p add <IP Network> mask <network mask> <gateway>

IP Network - network address of the remote VPN network
network mask - remote network mask (usually 255.255.255.0)
gateway - IP of the remote VPN server (ASA)

-p makes the route persistent (it survives a reboot).
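A way to find the kind of stale route that resolved this thread, as an added example (not TMG's, Cisco's or the posters' own code): it parses Windows `route print` output, shows which route wins for a probe address by longest prefix match (most specific netmask, then lowest metric), and lists every active or persistent route that overlaps the VPN's remote network. The route table is constructed to reproduce the symptom in the question (ping 172.30.10.10, reply from 172.30.5.10); the second internal NIC on 172.30.5.0/24, the 203.0.113.x external addresses, the metrics and the registry path comment are the example's own assumptions, not something the thread states.

```python
"""Find the local route that is hijacking traffic meant for a site-to-site VPN.
Added example for this thread: parse Windows `route print`, pick the winning
route for a probe address, list routes overlapping the VPN remote network."""
import ipaddress
import re
from collections import namedtuple

Route = namedtuple("Route", "network gateway interface metric persistent")

# Constructed `route print` output. 172.30.10.0/24 (office), 192.168.100.0/24
# (datacenter) and 172.30.5.10 come from the question; the 172.30.5.0/24 second
# internal NIC, 203.0.113.x external addresses and metrics are assumed. The
# 172.30.10.0 row is the stale route: office traffic is handed to 172.30.5.10
# instead of falling through to the default route toward the external interface
# where the IPsec policy applies, so 172.30.5.10 answers "host unreachable".
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1      203.0.113.2     10
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    306
       172.30.5.0    255.255.255.0          On-link       172.30.5.1    266
      172.30.10.0    255.255.255.0      172.30.5.10       172.30.5.1     11
    192.168.100.0    255.255.255.0          On-link    192.168.100.5    266
      203.0.113.0    255.255.255.0          On-link      203.0.113.2    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
      172.30.10.0    255.255.255.0      172.30.5.10       1
===========================================================================
"""

# dest mask gateway [interface] metric; "Persistent Routes" rows have no interface.
ROW_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
                    r"(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_route_print(text):
    """Parse the IPv4 sections of `route print` into Route tuples.
    Active routes are what the stack uses now; persistent routes are stored under
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\PersistentRoutes
    and re-installed at boot, which is how an old route stays "hidden" for years."""
    routes, persistent = [], False
    for line in text.splitlines():
        if line.startswith("Active Routes"):
            persistent = False
        elif line.startswith("Persistent Routes"):
            persistent = True
        m = ROW_RE.match(line)
        if m:
            dest, mask, gateway, iface, metric = m.groups()
            net = ipaddress.IPv4Network((dest, mask), strict=False)
            routes.append(Route(net, gateway, iface, int(metric), persistent))
    return routes


def longest_prefix_match(routes, destination):
    """The active route Windows picks for `destination`: most specific mask
    wins, lowest metric breaks ties. None if nothing matches."""
    dst = ipaddress.IPv4Address(destination)
    hits = [r for r in routes if not r.persistent and dst in r.network]
    return min(hits, key=lambda r: (-r.network.prefixlen, r.metric), default=None)


def routes_overlapping(routes, network):
    """Active and persistent routes (default route excluded) overlapping
    `network`. For a VPN remote network this list should normally be empty."""
    net = ipaddress.IPv4Network(network)
    return [r for r in routes if r.network.prefixlen > 0 and r.network.overlaps(net)]


def route_delete_commands(routes):
    """`route delete` lines, one per network/gateway pair. Re-run `route print`
    afterwards; if the Persistent Routes row is still listed, remove it from the
    registry key named above or it is back after the next reboot."""
    cmds = []
    for r in routes:
        cmd = f"route delete {r.network.network_address} mask {r.network.netmask} {r.gateway}"
        if cmd not in cmds:
            cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    routes = parse_route_print(SAMPLE_ROUTE_PRINT)
    w = longest_prefix_match(routes, "172.30.10.10")
    print(f"172.30.10.10 is routed via {w.gateway} ({w.network}, metric {w.metric})")
    stale = routes_overlapping(routes, "172.30.10.0/24")
    for r in stale:
        print(f"  overlaps VPN network: {r.network} via {r.gateway}"
              f"{' (persistent)' if r.persistent else ''}")
    print("\n".join(route_delete_commands(stale)))
```

On the TMG host, `route print > routes.txt` and feed that file in place of the sample. Any route listed as overlapping the remote network whose gateway is not the path your VPN is meant to use is the "old route hidden" candidate; delete it and check that the persistent copy is gone as well before testing the ping again.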