Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Cisco VPN traffic identified as Spoofed in TMG

Posted on 2013-01-17
5
Medium Priority
?
1,489 Views
Last Modified: 2013-01-20
Hi,

We have 2 gateways, one using a Cisco IOS firewall and a MS TMG 2010.

I would like to allow traffic from the Cisco VPN through to the DMZ off the TMG, however the TMG is detecting the traffic as spoofed:

A packet was dropped because Forefront TMG determined that the source IP address is spoofed

The subnet for the VPN is 172.16.189.x, which is a completely different subnet to the internal network.

I have ensured the VPN traffic is being routed to the DMZ successfully, and added the VPN subnet to the Internal Network section under the Networks tab of Networking in TMG. I booted the server too, however the traffic is still being denied in the TMG logging.

I think I may have missed something in defining the network in TMG, but I cannot see where.
0
Comment
Question by:GlennCameron
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 38789728
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 1200 total points
ID: 38791973
Generally speaking, spoofing is caused by omitting either the network id (for example the .0) or the broadcast address (the .255) from the network range in the TMG gui - networking tabs.

Run the best practice analyser which will normally pull it up as well. Exactly which ip addresses are being identified as spoofed? It will tell you in the monitoring - alerts tab if you have not recorded them.

Always better to fix something rather than just disable the alert message.
0
 
LVL 6

Expert Comment

by:infoplateform
ID: 38795812
i thinks you should create a rule for your internal traffic to by pass tmg

like internal is 172.17.0.X
now allow whole 172.17.0.x on new rule

hope it helps
0
 

Author Closing Comment

by:GlennCameron
ID: 38799520
The Best Practise Analyser entries lead me to this: http://tmgblog.richardhicks.com/2011/05/11/forefront-tmg-2010-configuration-error-alert/

Adding routes for the VPN range resolved the spoofing issue.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 38800016
Excellent, good news. Thanks.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
Microsoft's ISA Server has been its pre-eminent security product for about a decade and is still regarded amongst the well-informed as one of the best software firewalls and application gateways ever released, by any manufacturer. ISA Server has bee…
In response to a need for security and privacy, and to continue fostering an environment members can turn to for support, solutions, and education, Experts Exchange has created anonymous question capabilities. This new feature is available to our Pr…
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …
Suggested Courses

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question