Solved

Forefront TMG Routing Issue

Posted on 2013-01-21
3
688 Views
Last Modified: 2013-04-27
We have MS Forefront TMG installed as a back end firewall behind a Cisco ASA connected to a dedicated NIC.  There is a vendor connection being terminated by their device (Cisco 2800 series router) and is handed off to our TMG on a dedicated NIC.  This vendor connection has been in use for over a year now successfully.  Our production network is connected to a separate dedicated NIC on the TMG.

Remote Device<===>Remote ASA<===>Local ASA<===>Cisco 3900 Router<===>Layer 2 Switch<===>Forefront TMG<===>Vendor Router<===>Vendor Network
                            ^
                           ||
                            v
                Production Network

We have added another location across a VPN tunnel terminated by the ASA.  We are attempting to get the new remote location to talk successfully to the vendor's network and are having issues.
We have added the new locations subnet to the 'Internal' TMG network & to the appropriate existing firewall policies.
When we are watching live logging on the TMG server we can see successful outbound connections to the vendors network sourced from the new remote network, but the return traffic from the vendors network is being denied as a spoofing attack.
0
Comment
Question by:sovran
  • 2
3 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 38804225
Run the best practice analyser first to get a picture of the addresses TMG believes are being spoofed.

Spoofing errors are of two kinds - real,,, in which case it's a BIG problem or a simple configuration error where specific IP traffic is being identified coming into one TMG network entity definition but TMG is configured to expect those IP addresses to arrive at a different network network entity definition.

The main config error for spoofing again comes in two types.

The first being that the remote site has overlapping subnets with yours which is a no-no of course and second that the new network entity created for the VPN has not covered all of the ip addresses in the range including the network id and the broadcast address. For example, if the remote subnet was 192.168.10.0/24 then the network entity would need to be defined as 192.168.10.0 - 192.168.10.255.
0
 

Accepted Solution

by:
sovran earned 0 total points
ID: 39101456
Turned out the vendor on the remote side configured two of their devices to communicate on the same port to our network.  So it was real, just not something that we could fix.  Once they made the change we were up and running.
0
 

Author Closing Comment

by:sovran
ID: 39117201
Solved
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Forefront Threat Management Gateway 2010 or FTMG comes with some very neat troubleshooting tools built-in when trying to identify what is actually happening behind the scenes within the product when traffic is passing through its interfaces. To the …
So the following errors occurs in 2 ways that I am aware of at this stage, and you receive one of the following error messages: ERROR 1. When trying to save a rule: No Web listener is specified for the Web publishing rule Autodiscovery Publishin…
This is a video that shows how the OnPage alerts system integrates into ConnectWise, how a trigger is set, how a page is sent via the trigger, and how the SENT, DELIVERED, READ & REPLIED receipts get entered into the internal tab of the ConnectWise …
Delivering innovative fully-managed cloud services for mission-critical applications requires expertise in multiple areas plus vision and commitment. Meet a few of the people behind the quality services of Concerto.

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now