Link to home
Start Free TrialLog in
Avatar of joepinter
joepinterFlag for United States of America

asked on

Forefront TMG 2010 and Cisco Routing

I have a forefront TMG 2010 firewall configured in an edge configuration.

our internal network has three subnets

192.168.2.0/24 - Internal network NIC address 192.168.2.3
10.1.0.0/16 - Internal network (Cisco 4507 routed through 192.168.2.1)

All PC's on the 192 subnet have a default gateway of 192.168.2.3
All PC's on the 10. subnet go to 10.1.1.6 (Address of cisco router)
the Vlan on the 192 subnet has an interface address of 192.168.2.1

In TMG networking the internal network is defined with both subnets and I have a network topology route of 10.1.0.0 MASK 255.255.255.0 192.168.2.1 METRIC 256

Forefront keeps thinking that traffic from the 10.1.0.0 network is spoofed. I keep getting "A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG computer"
Avatar of Bembi
Bembi
Flag of Germany image

The "A non-SYN packet was dropped" message usually comes up, if a packet doesn#t come back the same way like it went out.
In this case, TMG get a response from a packet, which is not send via TMG.

What you have to check is the traffic flow from your 10x Network. As you said, the gateway in this network is the cisco device, the responses may hit TMG (i.e. if routet this way) and this is denied. All traffic, which comes back via TMG has to go out via TMG.
Avatar of joepinter

ASKER

When I look a the logs on the tmg it says the most dropped packets come from 192.168.2.1. This would be the return traffic from the 10. Network.  Is there anyway to tell tmg this is allowed?
There is no way no allow NON-SYN Packets in TMG. You have to make sure, that your routing is correct.

A client always follows its default gateway (or for HTTP, HTTPS, FTP possibley the proxy settings). So if you send a packet from the client to TMG, TMG forwards or routes the packet to your DMZ, and the DMZ server connects to your CISCO (default gateway) and Cisco back to TMG, then you have exacly this situation. This traffic is blocked.  

From your description, I understood that TMG has two internal adress ranges. What is not quite clear for me is, where the cisco is in place, and what is the job of the cisco device.
A small picture would help with TMG, Cisco, 1 x 10 x client, 1x 192.x client..., possibly internet connection.
with all IPs and all gateways.
This way I can have an imagination about the traffic flow.
ASKER CERTIFIED SOLUTION
Avatar of joepinter
joepinter
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Called Microsoft Product Support