Forefront TMG Site-to-Site VPN traffic one-way

Hi Everyone,

After some battle with our new ASA I finally got a Site-to-Site VPN between our office and our datacenter. Now I've got a new challenge..
From our office (172.30.10.0/24) I can connect to our datacenter network (192.168.100.0/24) and I can access the devices there. But when I want to access devices on our office network I can't connect. I used the Site-to-Site wizard from both the ASA and the forefront but It seems something is not configured on our Forefront TMG but I can't figure out what it is.

When I try to ping to a device on the office network from a client it gives me "Reply from 172.30.5.10: Destination host unreachable." and if I ping it from our Forefront TMG server it just gives me "Request timed out.". If I monitor the log of the Forefront it doesn't even mention the connection or ping...

Regards,
Kasper
xissAsked:
xissAuthor Commented:
Have that too. Shouldn't I create a route or something on the Forefront machine?
serchlopCommented:
I think that you need to create the rule to allow traffic from one side of the VPN to 172.30.5.10.

You can create it in Firewall Policy - add an access rule and then configure all the traffic between both sides of your VPN to be allowed.
xissAuthor Commented:
The strange thing is that it responds from 172.30.5.10 but I'm doing a ping to 172.30.10.10. I also created a rule to allow all outbound traffic from internal / site-to-site VPN to internal / site-to-site VPN.
xissAuthor Commented:
See the picture.
Capture.PNG
serchlopCommented:
Oh, try checking if you have the network rule in Networks - Network Rules - you should have site-to-site VPN as the source network and internal as the destination. If this does not exist, create it with a route relation.
xissAuthor Commented:
I solved it, there was an old route hidden. Thanks for your help!
serchlopCommented:
The Forefront server should be able to contact both networks. If you cannot contact the VPN network at the other end, then, as you say, you could create a route to this network.

For example, use

route add (IP Network) mask (network mask) gateway -p

IP Network - network IP for remote vpn network
Network MASK - remote network mask (usually 255.255.255.0)
gateway - IP for the remote VPN server (ASA)

-p to make the route persistent.
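Since the root cause in this thread was an old route that was still present, here is an added example (not code from the thread or from Forefront TMG) that checks the Windows routing table on the TMG host for existing routes to the remote VPN network before you run `route add`. The `route print` text embedded below is a constructed sample, and the expected gateway is a placeholder you would replace with your ASA's address.

```powershell
# Added example: find stale or duplicate routes to the remote VPN network on the
# TMG server before adding a new persistent route with "route add".
$RemoteNetwork = '192.168.100.0'          # datacenter network from the question
$RemoteMask    = '255.255.255.0'
$ExpectedGw    = '<ASA-PEER-IP>'          # placeholder: the gateway you intend to use

# Constructed sample of "route print -4" output with a lingering old route.
# On the live server use:  $lines = route print -4
$RoutePrintSample = @'
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.30.10.1   172.30.10.5     10
    172.30.10.0    255.255.255.0         On-link    172.30.10.5    266
  192.168.100.0    255.255.255.0       172.30.5.1   172.30.10.5     11
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
    192.168.100.0    255.255.255.0       172.30.5.1       1
===========================================================================
'@

function Find-RemoteRoutes {
    param([string[]]$Lines, [string]$Network, [string]$Mask)
    foreach ($line in $Lines) {
        # Match rows whose first two columns are the remote network and its mask;
        # the third column is the gateway (or "On-link").
        if ($line -match "^\s*$([regex]::Escape($Network))\s+$([regex]::Escape($Mask))\s+(\S+)") {
            [pscustomobject]@{ Line = $line.Trim(); Gateway = $Matches[1] }
        }
    }
}

$lines = $RoutePrintSample -split "`r?`n"
$found = @(Find-RemoteRoutes -Lines $lines -Network $RemoteNetwork -Mask $RemoteMask)

if ($found.Count -eq 0) {
    "No route to $RemoteNetwork mask $RemoteMask found; add one with:"
    "route add $RemoteNetwork mask $RemoteMask $ExpectedGw -p"
} else {
    foreach ($r in $found) {
        if ($r.Gateway -ne $ExpectedGw) {
            "Stale route via $($r.Gateway): $($r.Line)"
            "Remove it with: route delete $RemoteNetwork mask $RemoteMask $($r.Gateway)"
        }
    }
}
```

Run this from an elevated prompt on the TMG server; a route pointing at an unexpected gateway explains replies from a third address such as the 172.30.5.10 seen in the question.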