We have MS Forefront TMG installed as a back-end firewall behind a Cisco ASA connected to a dedicated NIC. There is a vendor connection terminated by their device (a Cisco 2800 series router) and handed off to our TMG on a dedicated NIC. This vendor connection has been in use successfully for over a year now. Our production network is connected to a separate dedicated NIC on the TMG.
Remote Device<===>Remote ASA<===>Local ASA<===>Cisco 3900 Router<===>Layer 2 Switch<===>Forefront TMG<===>Vendor Router<===>Vendor Network
We have added another location across a VPN tunnel terminated by the ASA. We are attempting to get the new remote location to talk successfully to the vendor's network and are having issues.
We have added the new location's subnet to the 'Internal' TMG network and to the appropriate existing firewall policies.
When we watch live logging on the TMG server, we can see successful outbound connections to the vendor's network sourced from the new remote network, but the return traffic from the vendor's network is being denied as a spoofing attack.