Cisco VPN traffic identified as Spoofed in TMG

Posted on 2013-01-17
Medium Priority
Last Modified: 2013-01-20

We have two gateways, one using a Cisco IOS firewall and the other an MS TMG 2010.

I would like to allow traffic from the Cisco VPN through to the DMZ off the TMG, however the TMG is detecting the traffic as spoofed:

A packet was dropped because Forefront TMG determined that the source IP address is spoofed

The subnet for the VPN is 172.16.189.x, which is a completely different subnet to the internal network.

I have ensured the VPN traffic is being routed to the DMZ successfully, and added the VPN subnet to the Internal Network section under the Networks tab of Networking in TMG. I rebooted the server too; however, the traffic is still being denied in the TMG logging.

I think I may have missed something in defining the network in TMG, but I cannot see where.
Question by: GlennCameron

Expert Comment by: Suliman Abu Kharroub
ID: 38789728

Accepted Solution by: Keith Alabaster (earned 1200 total points)
ID: 38791973
Generally speaking, spoofing is caused by omitting either the network ID (for example the .0) or the broadcast address (the .255) from the network range in the TMG GUI (Networking tabs).

Run the Best Practices Analyzer, which will normally pull it up as well. Exactly which IP addresses are being identified as spoofed? It will tell you in the Monitoring - Alerts tab if you have not recorded them.

Always better to fix something rather than just disable the alert message.

Expert Comment
ID: 38795812

I think you should create a rule for your internal traffic to bypass TMG.

For example, if internal is 172.17.0.x, allow the whole 172.17.0.x range in a new rule.

Hope it helps.

Author Closing Comment

ID: 38799520
The Best Practices Analyzer entries led me to this: http://tmgblog.richardhicks.com/2011/05/11/forefront-tmg-2010-configuration-error-alert/

Adding routes for the VPN range resolved the spoofing issue.
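Added example, not code from the thread and not Microsoft's own logic: a small Python model of the two conditions behind the TMG "source IP address is spoofed" drop that the accepted answer (ranges missing the .0 and .255 addresses) and the closing comment (missing routes) each describe one half of. A packet arriving on an adapter passes only if its source lies inside the address ranges of the TMG network bound to that adapter and the host routing table sends traffic for that source back out the same adapter, so a VPN pool that has been added to the Internal network but has no route on the TMG host is still dropped, exactly as the question reports. The adapter names, the 172.17.0.0/24 LAN (borrowed from the comment above) and the treatment of External as "everything else" are assumptions; the 172.16.189.0/24 VPN pool is the one in the question.

```python
"""Model of the two checks behind Forefront TMG's "source IP address is spoofed" drop.

Added example, not from the thread or from Microsoft. A packet arriving on an adapter
passes only if (1) its source lies inside the address ranges of the TMG network bound to
that adapter and (2) the host routing table sends traffic for that source back out the
same adapter. Network names, adapter names and the 172.17.0.0/24 LAN are assumptions
chosen to match the thread; the VPN pool is the 172.16.189.0/24 the question describes.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Network:
    name: str
    adapter: str                      # adapter the network is bound to in the TMG GUI
    ranges: List[Tuple[str, str]]     # inclusive (low, high) pairs, as the GUI stores them


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    adapter: str                      # adapter the route leaves through


def route(cidr: str, adapter: str) -> Route:
    return Route(ipaddress.ip_network(cidr), adapter)


def in_network(ip: str, net: Network) -> bool:
    a = ipaddress.IPv4Address(ip)
    return any(ipaddress.IPv4Address(lo) <= a <= ipaddress.IPv4Address(hi)
               for lo, hi in net.ranges)


def route_for(ip: str, routes: List[Route]) -> Optional[Route]:
    """Longest-prefix match, the way the Windows routing table is consulted."""
    a = ipaddress.IPv4Address(ip)
    best = None
    for r in routes:
        if a in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def classify(src_ip: str, arriving_adapter: str,
             networks: List[Network], routes: List[Route]) -> str:
    """Return 'ok' or a 'spoofed: ...' reason for a packet with this source on this adapter."""
    net = next((n for n in networks if n.adapter == arriving_adapter), None)
    if net is None:
        return f"spoofed: no TMG network is bound to adapter {arriving_adapter}"
    if not in_network(src_ip, net):
        return f"spoofed: {src_ip} is outside the address ranges of network '{net.name}'"
    r = route_for(src_ip, routes)
    if r is None or r.adapter != arriving_adapter:
        via = r.adapter if r else "no route"
        return f"spoofed: routing table reaches {src_ip} via {via}, not {arriving_adapter}"
    return "ok"


def uncovered(cidr: str, net: Network) -> List[str]:
    """Addresses of a subnet that the network definition leaves out (typically .0 and .255)."""
    return [str(a) for a in ipaddress.ip_network(cidr) if not in_network(str(a), net)]


# Constructed "before" state from the question: the VPN pool was added to Internal, but the
# ranges were entered as .1-.254 and the TMG host has no route for the pool, so the default
# route (out the WAN adapter) wins the route check.
BROKEN_NETWORKS = [
    Network("Internal", "LAN", [("172.17.0.1", "172.17.0.254"),
                                ("172.16.189.1", "172.16.189.254")]),
    # Simplification: TMG's External is "every address not in another network".
    Network("External", "WAN", [("0.0.0.0", "255.255.255.255")]),
]
BROKEN_ROUTES = [route("172.17.0.0/24", "LAN"), route("0.0.0.0/0", "WAN")]

# Constructed "after" state: full subnet ranges including network ID and broadcast, plus a
# static route for the VPN pool that points back through the LAN adapter toward the Cisco.
FIXED_NETWORKS = [
    Network("Internal", "LAN", [("172.17.0.0", "172.17.0.255"),
                                ("172.16.189.0", "172.16.189.255")]),
    Network("External", "WAN", [("0.0.0.0", "255.255.255.255")]),
]
FIXED_ROUTES = BROKEN_ROUTES + [route("172.16.189.0/24", "LAN")]


if __name__ == "__main__":
    for label, nets, rts in (("before", BROKEN_NETWORKS, BROKEN_ROUTES),
                             ("after", FIXED_NETWORKS, FIXED_ROUTES)):
        print(f"[{label}] VPN client 172.16.189.10 arriving on LAN:",
              classify("172.16.189.10", "LAN", nets, rts))
        print(f"[{label}] LAN broadcast 172.17.0.255 arriving on LAN:",
              classify("172.17.0.255", "LAN", nets, rts))
        print(f"[{label}] VPN pool addresses missing from Internal:",
              uncovered("172.16.189.0/24", nets[0]))
```

Running the script prints the before and after verdicts for the same packets. On the real TMG host the "after" state corresponds to entering the full 172.16.189.0 to 172.16.189.255 range in the Networking tab and adding a persistent static route for the pool out the internal adapter (for example `route add 172.16.189.0 mask 255.255.255.0 <cisco-inside-address> -p`, with the gateway being your own Cisco's inside address), then re-running the Best Practices Analyzer to confirm the network definition and the routing table agree.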
Expert Comment by: Keith Alabaster
ID: 38800016
Excellent, good news. Thanks.
