• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1640
  • Last Modified:

Forefront TMG Site-to-Site VPN traffic one-way

Hi Everyone,

After some battle with our new ASA I finally got a Site-to-Site VPN between our office and our datacenter. Now I've got a new challenge...
From our office (172.30.10.0/24) I can connect to our datacenter network (192.168.100.0/24) and I can access the devices there. But when I want to access devices on our office network I can't connect. I used the Site-to-Site wizard from both the ASA and the Forefront, but it seems something is not configured on our Forefront TMG and I can't figure out what it is.

When I try to ping a device on the office network from a client it gives me "Reply from 172.30.5.10: Destination host unreachable." and if I ping it from our Forefront TMG server it just gives me "Request timed out.". If I monitor the log of the Forefront, it doesn't even mention the connection or ping...

Regards,
Kasper
Asked by: xiss
2 Solutions
 
serchlopCommented:
I think that you need to create a rule to allow traffic from the one side of the VPN to 172.30.5.10.

You can create it in Firewall Policy - add an access rule and then configure all the traffic between both sides of your VPN to be allowed.
0
 
xissAuthor Commented:
The strange thing is that it responds from 172.30.5.10 but I'm doing a ping to 172.30.10.10. I also created a rule allowing all outbound traffic from Internal / Site-to-Site VPN to Internal / Site-to-Site VPN.
0
 
xissAuthor Commented:
See the picture.
[attached image: Capture.PNG]
0
 
serchlopCommented:
Oh, try checking if you have the network rule in Networks - Network Rules - you should have Site-to-Site VPN as the source network and Internal as the destination. If this does not exist, create it with a route relationship.
0
 
xissAuthor Commented:
Have that too. Shouldn't I create a route or something on the Forefront machine?
0
 
xissAuthor Commented:
I solved it, there was an old route hidden. Thanks for your help!
0
 
serchlopCommented:
The Forefront server should be able to contact both networks. If you cannot contact the other end's VPN network, maybe, as you say, you could create a route to this network.

For example, use

    route -p add <IP Network> mask <network mask> <gateway>

IP Network - network IP of the remote VPN network
network mask - remote network mask (usually 255.255.255.0)
gateway - IP of the remote VPN server (ASA)

-p makes the route persistent.
0
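The thread was solved by finding an old route that was silently winning over the VPN route, and the last comment shows how to add the intended persistent route. The script below is an added example (not from the thread or from Microsoft) that parses the "Active Routes" section of a Windows `route print -4` dump and reports every route covering the remote VPN subnet whose next hop is not the expected VPN gateway, applying the longest-prefix-then-lowest-metric rule Windows uses. The route table text, the subnets and the gateway addresses in it are constructed for the example; the expected gateway is a placeholder standing in for the ASA / tunnel next hop.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `route print -4` output (not the poster's real table).
# The 10.10.10.1 entry plays the role of the "old hidden route": same prefix
# as the VPN route but a lower metric, so it wins and hijacks the traffic.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1     203.0.113.10     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
      172.30.10.0    255.255.255.0    192.168.100.1     192.168.100.5     11
      172.30.10.0    255.255.255.0       10.10.10.1        10.10.10.2      5
    192.168.100.0    255.255.255.0          On-link     192.168.100.5    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
      172.30.10.0    255.255.255.0       10.10.10.1       1
===========================================================================
"""

EXPECTED_VPN_GATEWAY = "192.168.100.1"  # placeholder for the ASA / tunnel next hop


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str        # dotted quad, or "On-link" for directly connected
    interface: str
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Parse the 'Active Routes' block of Windows `route print -4` output."""
    routes: List[Route] = []
    in_active = False
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            in_active = True
            continue
        if line.startswith("Persistent Routes:"):
            break
        if not in_active:
            continue
        parts = line.split()
        if len(parts) != 5:
            continue                     # separators and blank lines
        try:
            dest = ipaddress.IPv4Address(parts[0])
            mask = ipaddress.IPv4Address(parts[1])
            metric = int(parts[4])
        except ValueError:
            continue                     # the column header line
        network = ipaddress.IPv4Network((dest, str(mask)), strict=False)
        routes.append(Route(network, parts[2], parts[3], metric))
    return routes


def select_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Pick the route Windows would use: longest prefix, then lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def find_conflicting_routes(routes: List[Route], remote_net: str,
                            expected_gateway: str) -> List[Route]:
    """Routes at least as specific as remote_net that send it somewhere else.

    Less specific routes (e.g. the default route) are ignored: they only
    matter if no VPN route exists at all, which select_route() will show.
    """
    net = ipaddress.IPv4Network(remote_net)
    return [r for r in routes
            if r.network.overlaps(net)
            and r.network.prefixlen >= net.prefixlen
            and r.gateway != expected_gateway]


if __name__ == "__main__":
    table = parse_route_print(SAMPLE_ROUTE_PRINT)
    chosen = select_route(table, "172.30.10.10")
    print("172.30.10.10 currently routes via:", chosen.gateway if chosen else None)
    for r in find_conflicting_routes(table, "172.30.10.0/24", EXPECTED_VPN_GATEWAY):
        print(f"conflicting route: {r.network} via {r.gateway} "
              f"(if {r.interface}, metric {r.metric})")
```

Run it against the output of `route print -4` on the TMG server to see which entry actually wins for a host in the remote subnet; a conflicting entry with a lower metric is exactly the "old route hidden" case from the solution, and it must be deleted (`route delete`) before the intended `-p` route takes effect.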
