Configuring TMG where "external" interface has an "internal" IP.

I have a question for the experts!

I host the domain jcghome.com here at the home office. Previously I had normal Comcast "residential" service, where TMG'S WAN IP was the public IP from Comcast. No problems accessing jcghome.com from internal network "out" and then "back" with that setup.

With their business class service, they set you up with a gateway box... which basically results in double NATting. Anyways, now nobody on the internal network can access jcghome.com (going "out" and coming back "in"). Accessing everything from outside is fine.

Here's the setup:

Public IP (DHCP)
<Comcast Business Class Gateway>
10.1.10.1 (Lan IP/Gateway)
|
|
10.1.10.10
<TMG Server 2010 Enterprise>
192.168.0.1
|
|
192.168.xxx.xxx
<My Network>


When watching the logs during requests for jcghome.com from internal machines I see some spoofing errors, with the source and destination IPs the same:

Log type: Firewall service
Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed.
Rule: None - see Result Code
Source: Local Host (10.1.10.10:38788)
Destination: Local Host (10.1.10.10:80)
Protocol: HTTP
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 10.1.10.10


I've read about TMG and spoofing, and the predominant solution is to "add the source IP address to the network on which it's being received". Well, you can't add any IP addresses to the "External" network so that won't work in my case. Does TMG not recognize any of those "internal" addresses like 192.xx or 10.xx on the External network?

So, basically I'm looking for a solution to this. Been scratching my head over this for several days now.

And if you're wondering, yes, I do want my internal machines to access the domain by going "out" then back "in", at least for the time being. I have different parts of the website hosted on different servers, and am using TMG to send traffic to the right places.

Any help would be greatly appreciated!
SOLUTION
als315
As a test you can try to access jcghome.com on http://10.1.10.10
If my theory is correct, you shouldn't have this error
With their business class service, they set you up with a gateway box... which basically results in double NATting.

Actually that is only true if you let Comcast do that,...and it is their default.

Get Comcast on the phone and tell them you want one of the Public IP#s to be placed on the External nic of your TMG.  They can give multiple Public IP#s (if you pay for them) and you can connect whatever device you want to have a Public IP into their SVC box.

When it operates in that mode it is not exactly Bridging,...yet it is not NAT'ing,...yet it is not really Routing either because the Default Gateway becomes something on Comcast's end of the line,...it is just some kind of wacky arrangement. I think the Public IP#s you use in that manner do not even match the Subnet of the Public IP of the Comcast Device,...it is like it is tunneling one Public IP Range inside another, maybe an almost "VPN/VLAN" type of thing.

Don't expect to exactly understand how their "Comcast Business Gateway" actually does what it does,...I don't think anybody understands it,...I have several of them around here on secondary Internet connections and I know I don't fully understand it,...I'm not sure if Comcast even really understands it.

But anyway,..call them up,..tell them what you want.  They will figure it out.
ASKER

Thank you all for your input!  I won't be able to try your suggestions until tonight (I'm away).  I'll follow up with the results this evening.

Thanks!
ASKER CERTIFIED SOLUTION
Pwindell, that was fun to read and informative :-).  Thanks for your time.  

I'll post an update and accept solutions tonight!

John
If you need help with the Split-DNS let me know. It is actually a very simple thing once you see it done.  You need to do that no matter which way you work things out with Comcast.

There are also other ways to deal with the first issue if Comcast can't figure out how to get the SVC box to work like I said.  Yes, it would be a double-NAT,...not my favorite, not my first choice,...but it would be doable.
Yes, in fact that was written by a friend of mine.  He even managed to stick my name in his second book along with some other fellow MVPs I know.

That article is kind of long-winded though.  It is much easier than what it might seem when you are reading that.  He's covering a lot of background details that you probably won't have to worry about.
Regarding the split-DNS, my internal domain is "JCG.COM" (not JCGHOME.COM), and my two domain controllers forward to my ISP's DNS servers for everything else.  Internally I have never resolved jcghome.com.

Is this as simple as creating a new "zone" internally for jcghome.com?  I've never had an environment where it was necessary to resolve anything other than the default Active Directory domain.

Thanks again for your time.
Yes.
One Zone for each "spelling".
If you spelled both the private and the public the same way then it would just be done in the one zone you would already have. Other than that there really isn't any difference.

You just have to remember that you have to mirror all the Public Host or CNAME records that your Public DNS Hoster is using.  You don't have to worry about other records like the MX or anything,...just the Host ("A") Records and CNAMEs.  This is because once you create the Zone then your AD/DNS becomes the authoritative DNS for that Zone as far as your Private LAN is concerned,...it will no longer use the DNS Forwarder for anything with that Domain Name.

But when you mirror them it doesn't mean they are identical,...some of them on your side would point to Private LAN IPs instead of the Public IP your Public DNS Hoster is using.  It just depends on where the target resource actually resides. I guess instead of the term mirroring,...just think of it as having to "account" for all of them.

The Spoofing thing:
Make sure the Addresses Tab of the Internal Network Definition only contains the Address Range that you actually use on the LAN.  The 10.1.10.* should NOT be included.  That will definitely cause Spoofing errors.  Just because an address is part of the RFC Private Address ranges does not mean it is "private" to your LAN,...it can still be External to you.   The way you add IP Ranges to External is by not adding them anywhere else,...the External addresses are any address that is not defined anywhere else.
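The spoofing rule described in the post above, modelled as a small script. This is an added illustration and not TMG code: it treats each TMG network as a list of address ranges, treats "External" as every address not claimed by any other network, and flags a packet as spoofed when its source address does not belong to the network of the interface it arrived on. The 192.168.0.0/24 internal range is a constructed stand-in for the "192.168.xxx.xxx" in the thread; 10.1.10.0/24 is the gateway segment from the diagram.

```python
"""Model of the TMG spoof check discussed in the thread (added example, not
TMG's own code). A network is a list of IPv4 ranges; "External" has no ranges
of its own and is simply the complement of every other defined network."""
from ipaddress import IPv4Address, IPv4Network


def build_networks(internal_ranges):
    """Constructed network definitions. Only 'Internal' is explicit; anything
    outside it is considered External by network_of()."""
    return {"Internal": [IPv4Network(r) for r in internal_ranges]}


def network_of(ip, networks):
    """Name of the defined network that contains ip, or 'External' if none does."""
    addr = IPv4Address(ip)
    for name, ranges in networks.items():
        if any(addr in r for r in ranges):
            return name
    return "External"


def is_spoofed(src_ip, arriving_network, networks):
    """TMG drops a packet as spoofed when the source address is not part of
    the network that owns the interface it was received on."""
    return network_of(src_ip, networks) != arriving_network


def explain(src_ip, arriving_network, networks):
    """Human-readable verdict, in the spirit of the firewall log line."""
    owner = network_of(src_ip, networks)
    if owner == arriving_network:
        return f"{src_ip} on {arriving_network}: accepted ({owner} address)"
    return (f"{src_ip} on {arriving_network}: dropped as spoofed, "
            f"address is defined in {owner}")


if __name__ == "__main__":
    # Correct definition: only the LAN range is Internal, so the Comcast
    # gateway segment 10.1.10.0/24 falls into External automatically.
    good = build_networks(["192.168.0.0/24"])
    # Mistaken definition: 10.1.10.0/24 added to Internal as well.
    bad = build_networks(["192.168.0.0/24", "10.1.10.0/24"])
    for nets in (good, bad):
        print(explain("10.1.10.1", "External", nets))
        print(explain("192.168.0.50", "Internal", nets))
```

With the first definition a packet from the gateway (10.1.10.1) on the External interface is accepted; with the second it is reported as spoofed, because TMG now believes 10.1.10.1 belongs to Internal and should never appear on the External interface.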
Thank you all for your help.  Everything is working great!

I added JCGHOME.COM as a new zone and added CNAMEs for www, mail, ftp, and smtp which convert over to wanip.jcghome.com, which resolves to 10.1.10.10.

Thanks so much for your help!
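The split-DNS arrangement the thread ends with (one internal zone per "spelling", mirroring only the public A and CNAME records, with the ones that live behind TMG pointing at a private address), as an added worked example rather than anything posted by the participants. The record layout is the one the asker described (www, mail, ftp and smtp as CNAMEs to wanip.jcghome.com, which resolves to 10.1.10.10 internally); the public address 203.0.113.10 and the MX record are constructed placeholders, the MX being there only to show that it is not copied into the internal zone.

```python
"""Added example of split DNS for jcghome.com: the same host name resolves to
a public address from the public zone and to a private one from the internal
AD/DNS zone. Public IP and MX record are constructed, not from the thread."""

# Constructed public zone as a DNS hoster might publish it.
PUBLIC_ZONE = {
    "wanip.jcghome.com": ("A", "203.0.113.10"),  # placeholder public address
    "www.jcghome.com":   ("CNAME", "wanip.jcghome.com"),
    "mail.jcghome.com":  ("CNAME", "wanip.jcghome.com"),
    "ftp.jcghome.com":   ("CNAME", "wanip.jcghome.com"),
    "smtp.jcghome.com":  ("CNAME", "wanip.jcghome.com"),
    "jcghome.com":       ("MX", "mail.jcghome.com"),  # constructed, not mirrored
}


def build_internal_zone(public_zone, private_targets):
    """Mirror the public zone's A and CNAME records into the internal zone.
    A records for hosts that actually sit behind TMG are rewritten to the
    private address given in private_targets; every other record type is
    left to the public zone, as the thread advises."""
    internal = {}
    for name, (rtype, value) in public_zone.items():
        if rtype == "A":
            internal[name] = ("A", private_targets.get(name, value))
        elif rtype == "CNAME":
            internal[name] = ("CNAME", value)
    return internal


def resolve(name, zone, max_hops=8):
    """Follow CNAMEs inside one zone until an A record is found. Returns the
    address as a string, or None if the name is missing, the chain ends in a
    non-address record, or the CNAMEs loop."""
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            return None  # CNAME loop
        seen.add(name)
        rec = zone.get(name)
        if rec is None:
            return None
        rtype, value = rec
        if rtype == "A":
            return value
        if rtype != "CNAME":
            return None
        name = value
    return None


# Internal zone as the asker built it: wanip.jcghome.com -> 10.1.10.10.
INTERNAL_ZONE = build_internal_zone(PUBLIC_ZONE, {"wanip.jcghome.com": "10.1.10.10"})

if __name__ == "__main__":
    for host in ("www.jcghome.com", "mail.jcghome.com", "ftp.jcghome.com"):
        print(f"{host}: public -> {resolve(host, PUBLIC_ZONE)}, "
              f"internal -> {resolve(host, INTERNAL_ZONE)}")
```

Because the internal zone is authoritative for jcghome.com on the LAN, any name that exists publicly but is not mirrored here simply fails to resolve for internal clients, which is why the post insists on accounting for every public A and CNAME record.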