
Configuring TMG where "external" interface has an "internal" IP.

Asked by Atreyu79
Topics: Software Firewalls, Windows Networking, Microsoft Forefront ISA Server
12 Comments, 2 Solutions, 3680 Views
I have a question for the experts!

I host the domain jcghome.com here at the home office. Previously I had normal Comcast "residential" service, where TMG's WAN IP was the public IP from Comcast. No problems accessing jcghome.com from the internal network "out" and then "back" with that setup.

With their business class service, they set you up with a gateway box... which basically results in double NATting. Anyway, now nobody on the internal network can access jcghome.com (going "out" and coming back "in"). Accessing everything from outside is fine.

Here's the setup:

Public IP (DHCP)
<Comcast Business Class Gateway>
10.1.10.1 (Lan IP/Gateway)
|
|
10.1.10.10
<TMG Server 2010 Enterprise>
192.168.0.1
|
|
192.168.xxx.xxx
<My Network>


When watching the logs during requests for jcghome.com from internal machines I see some spoofing errors, with the source and destination IPs the same:

Log type: Firewall service
Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed.
Rule: None - see Result Code
Source: Local Host (10.1.10.10:38788)
Destination: Local Host (10.1.10.10:80)
Protocol: HTTP
Additional information:
Number of bytes sent: 0
Number of bytes received: 0
Processing time: 0ms
Original Client IP: 10.1.10.10


I've read about TMG and spoofing, and the predominant solution is to "add the source IP address to the network on which it's being received". Well, you can't add any IP addresses to the "External" network so that won't work in my case. Does TMG not recognize any of those "internal" addresses like 192.xx or 10.xx on the External network?

So, basically I'm looking for a solution to this. I've been scratching my head over this for several days now.

And if you're wondering, yes, I do want my internal machines to access the domain by going "out" then back "in", at least for the time being. I have different parts of the website hosted on different servers, and am using TMG to send traffic to the right places.

Any help would be greatly appreciated!
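A small triage script, added here as an example and not part of the question, of the hidden answers, or of TMG's own tooling. It parses records in the field layout shown in the log excerpt above and labels each spoof drop by its addressing pattern: the case where source and destination are both TMG's own external address (the entry the question shows), and the case where a private address turns up as a source on the external network. The 10.1.10.10 and 10.1.10.1 addresses come from the diagram in the question; the /24 on the gateway side, the 192.168.0.0/16 internal range, the rule name, and the three log records themselves are assumptions constructed for the example, not real log data.

```python
"""Triage Forefront TMG firewall-log records for spoof drops caused by hairpin
("out and back in") traffic.  Added example for this thread; not TMG's own
tooling.  The sample records below are constructed to match the field layout
shown in the question and are not real log data."""
import ipaddress
import re
from collections import Counter

# Addressing from the question's diagram.  The /24 on the gateway side and the
# internal /16 are assumptions; adjust them to the real TMG network definitions.
EXTERNAL_IF = ipaddress.ip_address("10.1.10.10")      # TMG's WAN-side address
EXTERNAL_NET = ipaddress.ip_network("10.1.10.0/24")   # assumed Comcast gateway LAN
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample: (1) the hairpin spoof drop quoted in the question,
# (2) an ordinary connection from outside to the published site,
# (3) a spoof drop whose source is the gateway's private LAN address.
# Rule names, status strings and the 198.51.100.7 client are made up.
SAMPLE_LOG = """\
Log type: Firewall service
Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed.
Rule: None - see Result Code
Source: Local Host (10.1.10.10:38788)
Destination: Local Host (10.1.10.10:80)
Protocol: HTTP
Original Client IP: 10.1.10.10

Log type: Firewall service
Status: Initiated Connection
Rule: Publish jcghome.com
Source: External (198.51.100.7:50121)
Destination: Local Host (10.1.10.10:80)
Protocol: HTTP
Original Client IP: 198.51.100.7

Log type: Firewall service
Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed.
Rule: None - see Result Code
Source: External (10.1.10.1:40002)
Destination: Local Host (10.1.10.10:80)
Protocol: HTTP
Original Client IP: 10.1.10.1
"""

ENDPOINT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def parse_entries(text):
    """Split blank-line separated records into {field: value} dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")   # split on the first colon only
            fields[key.strip()] = value.strip()
        entries.append(fields)
    return entries


def endpoint(value):
    """Return (ip, port) from a value such as 'Local Host (10.1.10.10:38788)'."""
    m = ENDPOINT.search(value)
    if not m:
        return None, None
    return ipaddress.ip_address(m.group(1)), int(m.group(2))


def is_spoof_drop(entry):
    return "spoofed" in entry.get("Status", "").lower()


def classify(entry):
    """Label a spoof drop by the addressing pattern that explains it."""
    if not is_spoof_drop(entry):
        return "not-a-spoof-drop"
    src, _ = endpoint(entry.get("Source", ""))
    dst, _ = endpoint(entry.get("Destination", ""))
    if src is None or dst is None:
        return "unparsed"
    if src == dst == EXTERNAL_IF:
        # Packet left via the external interface and came straight back with
        # the firewall's own external address as source: the hairpin case.
        return "hairpin-self"
    if src in EXTERNAL_NET and src.is_private:
        # A private source address received on the external side.
        return "private-source-on-external"
    if any(src in n for n in INTERNAL_NETS) and dst == EXTERNAL_IF:
        return "internal-source-on-external-if"
    return "other"


def summarize(text):
    """Count records by label; the labels tell you which pattern dominates."""
    return dict(Counter(classify(e) for e in parse_entries(text)))


if __name__ == "__main__":
    for e in parse_entries(SAMPLE_LOG):
        print(classify(e), e.get("Source"), "->", e.get("Destination"))
    print(summarize(SAMPLE_LOG))
```

Point `summarize()` at text exported from the TMG log viewer in the same key: value layout; a steady stream of `hairpin-self` records with the published port as destination is the signature of internal clients resolving the public name and being bounced back through the external interface, rather than of a real spoofing attempt.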