Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Forefront TMG Routing Issue

Posted on 2013-01-21
3
Medium Priority
?
773 Views
Last Modified: 2013-04-27
We have MS Forefront TMG installed as a back end firewall behind a Cisco ASA connected to a dedicated NIC.  There is a vendor connection being terminated by their device (Cisco 2800 series router) and is handed off to our TMG on a dedicated NIC.  This vendor connection has been in use for over a year now successfully.  Our production network is connected to a separate dedicated NIC on the TMG.

Remote Device<===>Remote ASA<===>Local ASA<===>Cisco 3900 Router<===>Layer 2 Switch<===>Forefront TMG<===>Vendor Router<===>Vendor Network
                            ^
                           ||
                            v
                Production Network

We have added another location across a VPN tunnel terminated by the ASA.  We are attempting to get the new remote location to talk successfully to the vendor's network and are having issues.
We have added the new locations subnet to the 'Internal' TMG network & to the appropriate existing firewall policies.
When we are watching live logging on the TMG server we can see successful outbound connections to the vendors network sourced from the new remote network, but the return traffic from the vendors network is being denied as a spoofing attack.
0
Comment
Question by:sovran
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 38804225
Run the best practice analyser first to get a picture of the addresses TMG believes are being spoofed.

Spoofing errors are of two kinds - real,,, in which case it's a BIG problem or a simple configuration error where specific IP traffic is being identified coming into one TMG network entity definition but TMG is configured to expect those IP addresses to arrive at a different network network entity definition.

The main config error for spoofing again comes in two types.

The first being that the remote site has overlapping subnets with yours which is a no-no of course and second that the new network entity created for the VPN has not covered all of the ip addresses in the range including the network id and the broadcast address. For example, if the remote subnet was 192.168.10.0/24 then the network entity would need to be defined as 192.168.10.0 - 192.168.10.255.
0
 

Accepted Solution

by:
sovran earned 0 total points
ID: 39101456
Turned out the vendor on the remote side configured two of their devices to communicate on the same port to our network.  So it was real, just not something that we could fix.  Once they made the change we were up and running.
0
 

Author Closing Comment

by:sovran
ID: 39117201
Solved
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Forefront Threat Management Gateway 2010 or FTMG comes with some very neat troubleshooting tools built-in when trying to identify what is actually happening behind the scenes within the product when traffic is passing through its interfaces. To the …
So the following errors occurs in 2 ways that I am aware of at this stage, and you receive one of the following error messages: ERROR 1. When trying to save a rule: No Web listener is specified for the Web publishing rule Autodiscovery Publishin…
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…
Want to learn how to record your desktop screen without having to use an outside camera. Click on this video and learn how to use the cool google extension called "Screencastify"! Step 1: Open a new google tab Step 2: Go to the left hand upper corn…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question