
Cannot ping VPN Network behind perimeter interface from inside Forefront TMG

xiss asked
Last Modified: 2012-05-12

On the road of creating a 3-leg perimeter with one of our customers with Forefront TMG and a Juniper SRX100 on both ends, I got some bumps that are almost solved ...but one.

I have created the following situation;

Network Situation
Now I have the following problem;

I can ping from my hosts on the datacenter side (1) to the internal interface of the Juniper (3) but I cannot ping the hosts on the other side of the Site-to-Site VPN. The VPN is up because when I connect my laptop to the Juniper and add the rule "route add MASK" I can access the hosts on the other side. The message on my side is "Reply from Destination host unreachable." Did I do something wrong with the routing or is it a Juniper problem?



Top Expert 2007
Do you have 192.168.100/24 added in the VPN config?
I think the current setup is that only the 172.30.15/24 subnet is added; if so, the SRX would only encrypt and put packets from subnet 172.30.15/24 over the VPN tunnel, not the packets from 192.168.100/24.

Have a look at link below:

Please check and update.

Thank you.
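The point made in the answer above, as an added example that is not part of the original thread: a packet enters the tunnel only when one selector pair in the VPN config covers both its source and its destination. The remote subnet 10.50.0/24 and all host addresses are constructed placeholders; only the two local subnets come from the thread.

```python
import ipaddress

def parse_net(text):
    """Parse a prefix, accepting the thread's shorthand ('192.168.100/24'),
    where trailing zero octets are dropped."""
    addr, _, plen = text.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"), strict=False)

def classify(src, dst, selectors):
    """Say whether a flow matches a (local, remote) selector pair, and if not, why."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    local_hit = remote_hit = False
    for local, remote in selectors:
        in_local = s in parse_net(local)
        in_remote = d in parse_net(remote)
        if in_local and in_remote:
            return "tunnelled"
        local_hit = local_hit or in_local
        remote_hit = remote_hit or in_remote
    if remote_hit and not local_hit:
        return "source not in any local selector"
    if local_hit and not remote_hit:
        return "destination not in any remote selector"
    if local_hit and remote_hit:
        return "no single selector pair covers both ends"
    return "not VPN traffic"

REMOTE = "10.50.0/24"  # constructed placeholder for the customer-side subnet

# Selector set the answer suspects is configured: only 172.30.15/24 on the local side.
BEFORE = [("172.30.15/24", REMOTE)]
# Selector set after adding the second subnet, as the answer suggests.
AFTER = BEFORE + [("192.168.100/24", REMOTE)]

if __name__ == "__main__":
    flows = [("172.30.15.10", "10.50.0.20"), ("192.168.100.25", "10.50.0.20")]
    for label, selectors in (("before", BEFORE), ("after", AFTER)):
        for src, dst in flows:
            print(label, src, "->", dst, ":", classify(src, dst, selectors))
```

The same membership test applies to the address ranges listed on the TMG perimeter network, and the far end needs the mirrored selector pair for return traffic.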
Most Valuable Expert 2011
The Perimeter Network on the TMG needs ALL the IP#s involved added to the Addresses Tab in the properties of the Network.

The "Customer" needs to be sure the traffic coming out of the Tunnel is routed properly in their LAN.  If you look closely you will notice that the Tunnel is dumping the traffic into their Back-to-back DMZ and not the LAN,...if they have not properly dealt with their Firewall then it won't go anywhere.  They should have come off the "side" of their Firewall with a 3rd interface like you did.

The best way would have been to never use the Junipers at all in the first place and create the VPN directly between your TMG and their Firewall.

You also need to forget about Ping.  Allowing Ping only allows Ping,...it doesn't mean anything else is allowed.  By the same token allowing other things simply allows those other things,...it doesn't allow Ping,...so it is perfectly possible, reasonable, and proper, that the required traffic works perfectly fine while Ping does not work and is not allowed.


Both answers helped, thanks!