Solved

Forefront TMG Routing Issue

Posted on 2013-01-21
3
754 Views
Last Modified: 2013-04-27
We have MS Forefront TMG installed as a back-end firewall behind a Cisco ASA connected to a dedicated NIC. There is a vendor connection terminated by their device (Cisco 2800 series router) and handed off to our TMG on a dedicated NIC. This vendor connection has been in use for over a year now successfully. Our production network is connected to a separate dedicated NIC on the TMG.

Remote Device<===>Remote ASA<===>Local ASA<===>Cisco 3900 Router<===>Layer 2 Switch<===>Forefront TMG<===>Vendor Router<===>Vendor Network
                            ^
                           ||
                            v
                Production Network

We have added another location across a VPN tunnel terminated by the ASA. We are attempting to get the new remote location to talk successfully to the vendor's network and are having issues.
We have added the new location's subnet to the 'Internal' TMG network and to the appropriate existing firewall policies.
When we are watching live logging on the TMG server we can see successful outbound connections to the vendor's network sourced from the new remote network, but the return traffic from the vendor's network is being denied as a spoofing attack.
0
Question by: sovran
3 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 38804225
Run the best practice analyser first to get a picture of the addresses TMG believes are being spoofed.

Spoofing errors are of two kinds: real, in which case it's a BIG problem, or a simple configuration error where specific IP traffic is identified coming into one TMG network entity definition but TMG is configured to expect those IP addresses to arrive at a different network entity definition.

The main config error for spoofing again comes in two types.

The first is that the remote site has overlapping subnets with yours, which is a no-no of course, and the second is that the new network entity created for the VPN has not covered all of the IP addresses in the range, including the network ID and the broadcast address. For example, if the remote subnet was 192.168.10.0/24 then the network entity would need to be defined as 192.168.10.0 - 192.168.10.255.
0
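The check Keith describes (each address range belongs to exactly one network entity, and that entity is tied to the adapter on which its addresses are expected) can be modelled in a few lines. The following is an added example, not TMG's own code and not from the thread: a simplified Python model of the anti-spoofing decision, run over a constructed topology (the 10.0.0.0/24, 192.168.10.0/24 and 172.16.5.0/24 addresses and the adapter names are made up). It reproduces both configuration mistakes from the comment above, the partially defined remote range and the overlapping subnet, alongside a correct definition and a genuine spoof.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NetworkEntity:
    """A TMG-style network: its name, the adapter it lives on, and its address ranges."""
    name: str
    adapter: str
    ranges: list = field(default_factory=list)  # (first_ip, last_ip) pairs, inclusive

    def contains(self, ip):
        return any(first <= ip <= last for first, last in self.ranges)


def rng(first, last):
    """Inclusive address range, written the way the TMG console shows it."""
    return (ipaddress.ip_address(first), ipaddress.ip_address(last))


def check_packet(entities, src, arriving_adapter):
    """Return ("ok", network name) or ("spoofed", reason) for one inbound packet."""
    ip = ipaddress.ip_address(src)
    owners = [e for e in entities if e.contains(ip)]
    if not owners:
        # Addresses outside every explicit network fall into External, so a packet
        # carrying one of them on an internal adapter is logged as spoofed.
        return ("spoofed", f"{src} is in no defined network (falls into External)")
    if len(owners) > 1:
        names = ", ".join(e.name for e in owners)
        return ("spoofed", f"{src} is claimed by overlapping networks: {names}")
    owner = owners[0]
    if owner.adapter != arriving_adapter:
        return ("spoofed", f"{src} belongs to {owner.name}, expected on {owner.adapter}, "
                           f"but arrived on {arriving_adapter}")
    return ("ok", owner.name)


# Constructed adapter names for the example topology (assumptions, not real TMG identifiers).
INTERNAL_NIC, VENDOR_NIC = "Internal NIC", "Vendor NIC"


def build_networks(remote_fully_defined=True, remote_overlaps_vendor=False):
    """
    Constructed sample topology; all addresses are made up for the example.
    remote_fully_defined=False reproduces the "range misses .0 and .255" mistake;
    remote_overlaps_vendor=True reproduces the overlapping-subnet mistake.
    """
    if remote_overlaps_vendor:
        remote = rng("172.16.5.0", "172.16.5.255")      # same subnet as the vendor network
    elif remote_fully_defined:
        remote = rng("192.168.10.0", "192.168.10.255")  # whole /24, as Keith recommends
    else:
        remote = rng("192.168.10.1", "192.168.10.254")  # host range only
    return [
        NetworkEntity("Internal", INTERNAL_NIC, [rng("10.0.0.0", "10.0.0.255"), remote]),
        NetworkEntity("Vendor", VENDOR_NIC, [rng("172.16.5.0", "172.16.5.255")]),
    ]


def run_scenarios():
    """Evaluate a handful of packets against correct and mis-defined networks."""
    good = build_networks()
    partial = build_networks(remote_fully_defined=False)
    overlap = build_networks(remote_overlaps_vendor=True)
    return {
        # correct definitions: remote host and vendor reply both pass
        "remote_host_ok": check_packet(good, "192.168.10.20", INTERNAL_NIC),
        "vendor_reply_ok": check_packet(good, "172.16.5.10", VENDOR_NIC),
        # partial range: the last address of the remote subnet is now "External"
        "remote_edge_partial": check_packet(partial, "192.168.10.255", INTERNAL_NIC),
        "remote_edge_full": check_packet(good, "192.168.10.255", INTERNAL_NIC),
        # overlap: the vendor's own reply can no longer be attributed to one network
        "vendor_reply_overlap": check_packet(overlap, "172.16.5.10", VENDOR_NIC),
        # a genuine spoof: an Internal address showing up on the vendor adapter
        "real_spoof": check_packet(good, "10.0.0.5", VENDOR_NIC),
    }


if __name__ == "__main__":
    for name, (verdict, detail) in run_scenarios().items():
        print(f"{name:22} {verdict:8} {detail}")
```

Running the script prints one line per scenario. The two configuration mistakes show up as "spoofed" verdicts with a reason that names the wrong definition rather than a real attacker, which is the distinction the TMG log alone does not make; the "real_spoof" case is the one that should actually worry you.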
 

Accepted Solution

by: sovran (earned 0 total points)
ID: 39101456
Turned out the vendor on the remote side configured two of their devices to communicate on the same port to our network. So it was real, just not something that we could fix. Once they made the change we were up and running.
0
 

Author Closing Comment

by:sovran
ID: 39117201
Solved
0
