Networking, CIDR Routing + TMG2010

Posted on 2013-01-18
Last Modified: 2013-05-19
Mission: Integrate new CIDR block.

I have recently been assigned a CIDR block. This block will have 32 IPs in it and I need to set up the routing/NATing.

Here is what I have now: 1x TMG 2010 server. This server is currently used as my gateway/edge firewall, NAT, and router - very similar to a SonicWall or Netscreen.

The above scenario works like this:

1) Public IPs assigned to 1 network interface on my TMG server (64.80.x.x)
2) 1 Netgear Switch (TMG server is plugged into it)
3) Second NIC on my TMG server with a range of 192.168.1.x

The above is working as expected. I ordered more IPs because I am setting up new servers and need the additional IPs.

Here is what i need to accomplish:

I have a Netgear FVS336G, and of course my TMG server. I now need to set up CIDR-based routing. I have been told by Cox that if I want any more than 8 IPs I have to have my own routing hardware. << My Netgear FVS firewall does support this.

My new block is as follows:

Customer: < Gateway < Mask

WAN: : WAN IP : Mask Gateway

Internal Network: (Stays the same) All of my servers are connected on the internal network.
192.168.1.x < TMG Server. This is what I currently point my client PCs to for the default gateway.

I want to accomplish the following:

1) Have all traffic pass through both firewalls (TMG + Netgear)
2) Double-NAT is not an acceptable solution

The Netgear firewall (WAN side) will be the device that is connected to the cable modem. The TMG firewall will be connected to the LAN side of the firewall.

I want to have the public IPs on my TMG server << And that is where I am getting lost.

Can I assign 1 of my "public IPs" on the LAN side of the firewall?

And then the rest of them on my "TMG external NIC" that is connected to the LAN side of my firewall?

That's where I am getting lost, since I can't use double-NAT but I still want to use my TMG firewall.

Sorry if this is confusing; I am having a hard time understanding how to make this work correctly and am so hoping someone can assist....

Question by:castellansolutions
LVL 11

Expert Comment

ID: 38795712
> I want to have the public IPs on my TMG server << And that is where I am getting lost.

Does your router support 1 to 1 NAT?

Author Comment

ID: 38795754
Yes. It does. Here is what I tried:

1) I set the ISP's WAN IP on the WAN1 port of the Netgear; I plugged that into the cable modem.
2) I set the LAN port on the Netgear to my WAN IP.
3) I enabled Classical Routing.

I cannot ping anything from my laptop, which I set to one of my other public IPs. So it didn't work at all. If I enable NAT then it all works as expected, except I get the external IP of my ISP and not my static IPs.

This is with my laptop and nothing else in between.
LVL 11

Expert Comment

ID: 38795769
Wait, you are setting public IPs on all your devices? Including your laptops? No wonder I was getting confused.

How many devices do you need to ping from the outside? I.e. devices you "DO NOT" want to be protected by your firewall.

This is in effect what you are doing when you give a device a public IP address directly. You also need to give that same device the ISP's DNS servers as well as the proper gateway.
LVL 69

Expert Comment

ID: 38798250
Set up the Netgear to route inbound traffic for the network to the "public" NIC of your TMG. You can still implement firewall rules on Netgear, if needed, but TMG should be the "main" firewall, as it controls the NATting.

On TMG implement 1:1 NAT (or service-based NAT, whatever you intend to do). For 1:1 NAT see .

If done correctly, public IPs are mapped to private IPs back and forth. Tests from inside might not work, depending on how the firewall rules are defined. In addition I'm not positive the TMG handles "hair-pinned" traffic correctly.

I do NOT recommend trying to route the public IPs through TMG, as that would require building a third, separate network (DMZ).
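An added worked example (not from the thread or from any Netgear/TMG tooling) of the address plan the answer above describes: the Netgear runs in classical routing mode with the first usable public IP on its LAN port, the remaining public IPs sit on the TMG external NIC, and TMG holds the 1:1 NAT rules to the 192.168.1.x servers. The /27 used is a constructed documentation-range block, not the poster's real 64.80.x.x assignment.

```python
"""Constructed address plan for a routed /27: Netgear LAN port takes the first
usable public IP, every other usable public IP goes on the TMG external NIC,
and TMG maps those to 192.168.1.x servers with 1:1 NAT. 203.0.113.0/27 is a
placeholder block, not the real one from the thread."""
import ipaddress


def plan_routed_block(cidr):
    """Split a routed block: first usable host -> Netgear LAN interface (the
    gateway the TMG external NIC points at); every other usable host -> pool
    for the TMG external NIC. Network and broadcast addresses are excluded."""
    net = ipaddress.ip_network(cidr, strict=True)   # rejects e.g. x.x.x.5/27
    hosts = list(net.hosts())
    if len(hosts) < 2:
        raise ValueError("block too small for a gateway plus a TMG address")
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable": len(hosts),
        "netgear_lan": str(hosts[0]),
        "tmg_external": [str(h) for h in hosts[1:]],
    }


def check_nat_rules(plan, rules, internal_cidr="192.168.1.0/24"):
    """Validate candidate TMG 1:1 NAT rules (public IP -> private server IP).
    Returns a list of problems (empty means consistent): the public side must
    be an address the TMG external NIC owns (not the Netgear gateway, network
    or broadcast), the private side must be inside the internal LAN, and no
    private server may be mapped twice (1:1 means one public per private)."""
    internal = ipaddress.ip_network(internal_cidr)
    pool = set(plan["tmg_external"])
    problems, seen_private = [], set()
    for pub, priv in rules.items():
        if pub not in pool:
            problems.append(f"{pub} is not an address on the TMG external NIC")
        if ipaddress.ip_address(priv) not in internal:
            problems.append(f"{priv} is outside the internal LAN {internal_cidr}")
        if priv in seen_private:
            problems.append(f"{priv} is mapped to more than one public IP")
        seen_private.add(priv)
    return problems


if __name__ == "__main__":
    plan = plan_routed_block("203.0.113.0/27")          # constructed block
    rules = {"203.0.113.10": "192.168.1.20", "203.0.113.11": "192.168.1.21"}
    print(plan["netgear_lan"], len(plan["tmg_external"]), check_nat_rules(plan, rules))
```

Any non-empty list from check_nat_rules points at a rule that would either collide with the Netgear gateway address or break the one-public-per-private property that 1:1 NAT relies on.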

Author Comment

ID: 38798807
OK, so here is an update. I was trying to get this to work using just my laptop, firewall (Netgear) and my cable modem.

I put the IPs in the correct place (Customer: LAN side) (Provider: WAN side) and was unable to route any traffic from my IPs to the internet or even my default gateway on the WAN side. But I could ping from my WAN side.

I called Cox and sure enough my routed CIDR block isn't being routed yet. I have a ticket open and am waiting for them to resolve the issue.

Author Comment

ID: 39178611
I've requested that this question be deleted for the following reason:

Issue self resolved
LVL 69

Accepted Solution

Qlemo earned 500 total points
ID: 39178600
Presumably it didn't resolve itself, but the routing at COX was implemented ...
