Forefront TMG Site-to-Site VPN traffic one-way
Asked by xiss
Hi Everyone,
After some battle with our new ASA I finally got a Site-to-Site VPN between our office and our datacenter. Now I've got a new challenge.
From our office (172.30.10.0/24) I can connect to our datacenter network (192.168.100.0/24) and I can access the devices there. But when I want to access devices on our office network I can't connect. I used the Site-to-Site wizard from both the ASA and the Forefront, but it seems something is not configured on our Forefront TMG and I can't figure out what it is.
When I try to ping a device on the office network from a client it gives me "Reply from 172.30.5.10: Destination host unreachable." and if I ping it from our Forefront TMG server it just gives me "Request timed out.". If I monitor the log of the Forefront it doesn't even mention the connection or ping...
Regards,
Kasper
ASKER
The strange thing is that it responds from 172.30.5.10 but I'm doing a ping to 172.30.10.10. I also created a rule to allow all outbound traffic from internal / site-to-site VPN to internal / site-to-site VPN.
ASKER
See the picture.
Capture.PNG
ASKER
I solved it, there was an old route hidden. Thanks for your help!
The Forefront server should be able to contact both networks. If you cannot contact the VPN network at the other end, then maybe, as you say, you could create a route to that network.
For example, use
route add (IP Network) mask (network mask) gateway -p
IP Network - network IP for remote vpn network
Network MASK - remote network mask (usually 255.255.255.0)
gateway - IP for the remote VPN server (ASA)
-p to make the route persistent.
You can create it in Firewall Policy - add an access rule and then configure all the traffic between both sides of your VPN to be allowed.
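As an added example (not code from this thread), the check worth running on the TMG server before adding the route suggested above: it lists every active and persisted IPv4 route for the remote subnet, flags any whose next hop is not the ASA (a stale entry is exactly what turned out to be the cause here), and only adds the persistent route when none exists. It assumes the datacenter subnet from the question; the ASA address is a placeholder.

```powershell
# Added example: audit the TMG server's IPv4 routing table for the remote VPN subnet
# before running "route add ... -p". Assumed values: the datacenter subnet from the
# question; the next-hop address is a placeholder for the ASA's VPN-facing address.
param(
    [string]$RemoteNetwork   = '192.168.100.0',
    [string]$RemoteMask      = '255.255.255.0',
    [string]$ExpectedNextHop = '203.0.113.1'   # placeholder: replace with the ASA address
)

# Both WMI classes exist on Windows Server 2008 R2 / PowerShell 2.0, which TMG runs on.
# Win32_IP4RouteTable is the live table; Win32_IP4PersistedRouteTable holds routes that
# were added with -p and come back after a reboot (the "hidden" ones).
$active    = Get-WmiObject -Class Win32_IP4RouteTable |
    Where-Object { $_.Destination -eq $RemoteNetwork -and $_.Mask -eq $RemoteMask }
$persisted = Get-WmiObject -Class Win32_IP4PersistedRouteTable |
    Where-Object { $_.Destination -eq $RemoteNetwork -and $_.Mask -eq $RemoteMask }

if (-not $active -and -not $persisted) {
    Write-Host "No route for $RemoteNetwork/$RemoteMask - adding a persistent one via $ExpectedNextHop"
    route.exe add $RemoteNetwork mask $RemoteMask $ExpectedNextHop -p
    exit
}

Write-Host "Existing routes for $RemoteNetwork/$RemoteMask (active table):"
foreach ($r in $active) {
    $iface = Get-WmiObject -Class Win32_NetworkAdapter -Filter "InterfaceIndex=$($r.InterfaceIndex)"
    $name  = if ($iface -and $iface.NetConnectionID) { $iface.NetConnectionID } else { "ifIndex $($r.InterfaceIndex)" }
    $state = if ($r.NextHop -eq $ExpectedNextHop) { 'OK' } else { 'CONFLICT: next hop is not the ASA' }
    "  via {0,-15} metric {1,-4} on {2,-20} {3}" -f $r.NextHop, $r.Metric1, $name, $state
}

Write-Host "Persisted routes for $RemoteNetwork/$RemoteMask (survive reboot):"
foreach ($p in $persisted) {
    $state = if ($p.NextHop -eq $ExpectedNextHop) { 'OK' } else { 'CONFLICT: stale persistent route' }
    "  via {0,-15} metric {1,-4} {2}" -f $p.NextHop, $p.Metric1, $state
}
```

A flagged persistent entry is removed with `route delete <network> mask <mask> <old gateway>` before the correct one is added; TMG's own log will not show the ping until the packet actually reaches the VPN interface, which is why it stayed silent in the question.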