Forefront TMG Routing Issue

Posted on 2013-01-21
Last Modified: 2013-04-27
We have MS Forefront TMG installed as a back-end firewall behind a Cisco ASA connected to a dedicated NIC. There is a vendor connection terminated by their device (Cisco 2800 series router), which is handed off to our TMG on a dedicated NIC. This vendor connection has been in use successfully for over a year now. Our production network is connected to a separate dedicated NIC on the TMG.

Remote Device<===>Remote ASA<===>Local ASA<===>Cisco 3900 Router<===>Layer 2 Switch<===>Forefront TMG<===>Vendor Router<===>Vendor Network
                            ^
                           ||
                            v
                Production Network

We have added another location across a VPN tunnel terminated by the ASA.  We are attempting to get the new remote location to talk successfully to the vendor's network and are having issues.
We have added the new location's subnet to the 'Internal' TMG network and to the appropriate existing firewall policies.
When we watch live logging on the TMG server we can see successful outbound connections to the vendor's network sourced from the new remote network, but the return traffic from the vendor's network is being denied as a spoofing attack.
Question by:sovran
3 Comments
Expert Comment

by:Keith Alabaster
ID: 38804225
Run the best practice analyser first to get a picture of the addresses TMG believes are being spoofed.

Spoofing errors are of two kinds: real, in which case it's a BIG problem, or a simple configuration error where specific IP traffic is identified coming into one TMG network entity definition but TMG is configured to expect those IP addresses to arrive at a different network entity definition.

The main config error for spoofing again comes in two types.

The first is that the remote site has overlapping subnets with yours, which is a no-no of course, and the second is that the new network entity created for the VPN has not covered all of the IP addresses in the range, including the network ID and the broadcast address. For example, if the remote subnet was 192.168.10.0/24 then the network entity would need to be defined as 192.168.10.0 - 192.168.10.255.
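The two configuration causes of spoofing denials described in the comment above, modelled as a check a TMG administrator could run against their own network definitions. This is an added example, not TMG code or anything posted in the thread; the network names, address ranges and NIC bindings are constructed.

```python
"""Model of TMG's spoof check: each NIC is bound to one network definition, and a
packet whose source address belongs to a different network definition is spoofed.
An incomplete or overlapping definition therefore shows up as spoofing denials.
All addresses here are constructed."""
from ipaddress import ip_address, ip_network

# Constructed network definitions: name -> list of (first, last) address ranges.
# The VPN site 192.168.10.0/24 was entered as .1-.254, omitting network ID and broadcast.
NETWORKS = {
    "Internal": [("10.1.0.0", "10.1.255.255"), ("192.168.10.1", "192.168.10.254")],
    "Vendor": [("172.16.50.0", "172.16.50.255")],
}
# Constructed NIC -> network bindings.
NIC_NETWORK = {"LAN": "Internal", "VENDOR": "Vendor"}


def networks_containing(ip, networks=NETWORKS):
    """Names of every network definition whose ranges contain ip."""
    addr = ip_address(ip)
    return [name for name, ranges in networks.items()
            if any(ip_address(lo) <= addr <= ip_address(hi) for lo, hi in ranges)]


def classify(src_ip, nic, networks=NETWORKS, nic_network=NIC_NETWORK):
    """'ok' if src_ip lies in the network bound to nic, 'spoofed' if it lies in a
    different network, 'unknown' if no definition covers it (TMG drops that too)."""
    owners = networks_containing(src_ip, networks)
    if nic_network[nic] in owners:
        return "ok"
    return "spoofed" if owners else "unknown"


def uncovered(name, cidr, networks=NETWORKS):
    """Addresses of cidr (network ID and broadcast included) missing from definition name."""
    return [str(a) for a in ip_network(cidr) if name not in networks_containing(str(a), networks)]


def overlapping(networks=NETWORKS):
    """Pairs of network definitions that share at least one address."""
    names, pairs = list(networks), []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if any(ip_address(la) <= ip_address(hb) and ip_address(lb) <= ip_address(ha)
                   for la, ha in networks[a] for lb, hb in networks[b]):
                pairs.append((a, b))
    return pairs
```

With the constructed definitions, `uncovered("Internal", "192.168.10.0/24")` reports exactly the two missing addresses, and a broadcast-sourced packet on the LAN NIC classifies as `unknown` rather than `ok`.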

Accepted Solution

by:sovran earned 0 total points
ID: 39101456
Turned out the vendor on the remote side configured two of their devices to communicate on the same port to our network. So it was real, just not something that we could fix. Once they made the change we were up and running.

Author Closing Comment

by:sovran
ID: 39117201
Solved