xiss
asked on
Forefront TMG Routing between internal and perimeter network
Hi everyone,
I have created the following situation.
When I login to the Forefront TMG machine I CAN ping to 172.30.15.1 (the Internal interface of the Juniper) but when I login to another machine on our DC network (1) I can't ping. I have added the route "route add 172.30.15.0 MASK 255.255.255.0 192.168.100.253" but this does not matter. When I connect my laptop to point (3) (instead of the Forefront TMG) I can also ping the Juniper. So I think the routing between the internal interface of the Forefront and the perimeter interface is not working?
Regards,
Kasper
ASKER
I have to add this rule "set routing-options static route add 192.168.100.x/specific-mask next-hop 172.30.15.253" to my Juniper?
ASKER
But why does it work when I ping the juniper from the forefront but not when I ping it from any other machine behind the inside interface of the forefront?
ASKER CERTIFIED SOLUTION
ASKER
Thanks for your comments!
As I see this, you are seeing this from the Juniper's perspective? But does this also apply when I try to connect from my hosts behind the Forefront's inside interface to the Juniper's inside interface? That I cannot access the hosts behind the Forefront's inside interface from the Juniper is not a problem, because I want to connect from inside the datacenter network TO the Juniper.
ASKER
Perfect answer thank you!
Happy I could help! :)
Depending on whether your Forefront is doing NAT for the 192.168.100/24 network or not, you would need a route for the 192.168.100/24 network on the srx100.
set routing-options static route add 192.168.100.x/specific-mas
If Forefront is doing NAT, then the above route is not needed, as the Juniper would see all packets coming from the 172.30.15/24 subnet.
Please implement and update.
Thank you.
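The reason the ping works from the TMG box but not from a DC host is the return path, not the forward path: the Juniper has no route back to 192.168.100.0/24 unless TMG hides that network behind its perimeter address (NAT) or the SRX gets a static route. The following is an added simulation of that exchange, written for this thread and not code from Experts Exchange, Microsoft or Juniper. It assumes the TMG perimeter interface is 172.30.15.253 (the next-hop proposed above), that the Juniper otherwise has only a default route to a constructed upstream 203.0.113.1, and uses 192.168.100.10 as a sample DC host. It also shows why the "route add" on the Windows host changes nothing: that route only influences the request, which was already getting through.

```python
from ipaddress import ip_address, ip_network

# Constructed topology based on the thread. The DC LAN sits behind TMG's inside
# interface (192.168.100.253). The TMG perimeter address 172.30.15.253 and the
# upstream next-hop 203.0.113.1 are assumptions, not values from the thread.
DC_LAN = ip_network("192.168.100.0/24")
PERIMETER = ip_network("172.30.15.0/24")
TMG_PERIM = ip_address("172.30.15.253")
JUNIPER_INT = ip_address("172.30.15.1")
UPSTREAM = ip_address("203.0.113.1")   # constructed ISP next-hop for the SRX default route
DEFAULT = ip_network("0.0.0.0/0")


def lookup(table, dst):
    """Longest-prefix match over (network, next_hop) pairs.
    next_hop None means the network is directly connected."""
    best = None
    for net, nh in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def juniper_table(static_route_for_dc_lan):
    """Routing table of the SRX: connected perimeter subnet plus a default route,
    optionally with the static route the answer above recommends, i.e.
    'set routing-options static route 192.168.100.0/24 next-hop 172.30.15.253'."""
    table = [(PERIMETER, None), (DEFAULT, UPSTREAM)]
    if static_route_for_dc_lan:
        table.append((DC_LAN, TMG_PERIM))
    return table


def ping_juniper(src, tmg_nat, juniper_has_static_route):
    """Simulate an ICMP echo from src to the Juniper internal interface via TMG.
    Returns (request_delivered, reply_delivered)."""
    src = ip_address(src)
    # Forward path: TMG has 172.30.15.0/24 directly connected, so any request
    # from the TMG itself or from the DC LAN reaches the Juniper. With NAT the
    # Juniper sees TMG's perimeter address as the source instead of the host.
    if src == TMG_PERIM:
        seen_src = src
    elif src in DC_LAN:
        seen_src = TMG_PERIM if tmg_nat else src
    else:
        return (False, False)          # not a source TMG would forward for
    # Return path: the Juniper routes the reply towards the source it saw.
    route = lookup(juniper_table(juniper_has_static_route), seen_src)
    if route is None:
        return (True, False)
    net, nh = route
    # The reply only gets back if it leaves via the interface facing TMG: either
    # the source is on the connected perimeter subnet or the next-hop is TMG.
    reply_ok = (net == PERIMETER and nh is None) or nh == TMG_PERIM
    return (True, reply_ok)


if __name__ == "__main__":
    cases = [
        ("ping from TMG itself, no NAT, no static route", TMG_PERIM, False, False),
        ("ping from DC host, TMG routing, no static route", "192.168.100.10", False, False),
        ("ping from DC host, TMG routing, SRX static route", "192.168.100.10", False, True),
        ("ping from DC host, TMG NAT, no static route", "192.168.100.10", True, False),
    ]
    for label, src, nat, static in cases:
        req, rep = ping_juniper(src, nat, static)
        print(f"{label}: request {'ok' if req else 'dropped'}, reply {'ok' if rep else 'lost'}")
```

The second case reproduces the symptom from the question (request arrives, reply is sent to the SRX default route and never returns); the third and fourth are the two fixes the answer describes. Checking which one applies on a real TMG means looking at the network rule between Internal and the perimeter network and whether its relationship is Route or NAT.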