Forefront TMG Routing between internal and perimeter network

xiss asked:
Hi everyone,

I have created the following situation.  

Situation
When I log in to the Forefront TMG machine I CAN ping 172.30.15.1 (the Internal interface of the Juniper), but when I log in to another machine on our DC network (1) I can't ping it. I have added the route "route add 172.30.15.0 MASK 255.255.255.0 192.168.100.253" but this does not matter. When I connect my laptop to point (3) (instead of the Forefront TMG) I can also ping the Juniper. So I think the routing between the internal interface of the Forefront and the perimeter interface is not working?

Regards,

Kasper
BRONZE EXPERT
Top Expert 2007

Commented:
There is no need to add 172.30.15/24 route on srx100 as it is a directly connected interface.

Depending on whether your Forefront is doing NAT for the 192.168.100/24 network: if it is not, you would need a route for the 192.168.100/24 network on the srx100.
set routing-options static route 192.168.100.x/specific-mask next-hop 172.30.15.253

If Forefront is doing NAT; then above route is not needed as Juniper would see all packets coming from 172.30.15/24 subnet.

Please implement and update.

Thank you.

Author

Commented:
I have to add this rule "set routing-options static route 192.168.100.x/specific-mask next-hop 172.30.15.253" to my Juniper?

Author

Commented:
But why does it work when I ping the Juniper from the Forefront but not when I ping it from any other machine behind the inside interface of the Forefront?
BRONZE EXPERT
Top Expert 2007
Commented:
When you send traffic from Forefront, the source IP on the packet is 172.30.15.x, to which Juniper has a directly connected interface and hence also a route to forward packets to that subnet through a physical interface.
When you ping from a host behind Forefront, and assuming that Forefront does not NAT the source IP of the packet, the SRX receives the packet with source 192.168.100.x; Juniper does not have a route to this IP subnet. If it has a default route, it would send traffic out that interface; so in this case the packet either gets dropped or forwarded out a different interface than what was intended, and hence you do not get any response.

Please implement and update.

Thank you.
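The return-path reasoning in the comment above, as an added worked example that is not part of the thread: a longest-prefix-match lookup over a constructed SRX routing table, run for the echo reply to each ping source, with and without the suggested static route and with TMG NAT. The interface names, the default route's next hop and the host address 192.168.100.10 are assumed for illustration.

```python
"""Why the SRX answers a ping from the TMG's perimeter address (172.30.15.x)
but not from a DC host (192.168.100.x) behind the TMG's internal interface."""
import ipaddress

# Constructed SRX routing table: (prefix, egress). Interface names and the
# default route are assumptions, not taken from the thread.
SRX_ROUTES_BEFORE = [
    ("172.30.15.0/24", "direct: ge-0/0/1 (inside)"),  # directly connected
    ("0.0.0.0/0", "next-hop: ISP (outside)"),         # assumed default route
]

# Same table after the suggested Junos command:
#   set routing-options static route 192.168.100.0/24 next-hop 172.30.15.253
SRX_ROUTES_AFTER = SRX_ROUTES_BEFORE + [
    ("192.168.100.0/24", "next-hop: 172.30.15.253 (TMG perimeter)"),
]


def lookup(routes, dst):
    """Longest-prefix match. Returns (prefix, egress) or None if unroutable."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, egress in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return (str(best[0]), best[1]) if best else None


def reply_path(routes, ping_source, nat_to=None):
    """Where the SRX sends the echo reply to a ping from ping_source.

    nat_to simulates the TMG rewriting the source to its perimeter address,
    in which case the SRX only ever sees a directly connected source."""
    reply_dst = nat_to or ping_source
    match = lookup(routes, reply_dst)
    return match[1] if match else "dropped: no route"


if __name__ == "__main__":
    print("from TMG itself       :", reply_path(SRX_ROUTES_BEFORE, "172.30.15.253"))
    print("from DC host, no route:", reply_path(SRX_ROUTES_BEFORE, "192.168.100.10"))
    print("from DC host, w/ route:", reply_path(SRX_ROUTES_AFTER, "192.168.100.10"))
    print("from DC host, TMG NAT :", reply_path(SRX_ROUTES_BEFORE, "192.168.100.10",
                                                 nat_to="172.30.15.253"))
```

Without the static route (and without NAT), the reply to the DC host leaves via the default route towards the ISP, which is exactly the "forwarded out a different interface" case; with no default route at all it is dropped.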

Author

Commented:
Thanks for your comments!

As I see it, you are looking at this from the Juniper's perspective? But does this also apply when I try to connect from my hosts behind the Forefront's inside interface to the Juniper's inside interface? That I cannot access the hosts behind the Forefront's inside interface from the Juniper is not a problem, because I want to connect from inside the datacenter network TO the Juniper.

Author

Commented:
Perfect answer thank you!
BRONZE EXPERT
Top Expert 2007

Commented:
Happy I could help! :)