Solved

Forefront TMG 2010 and Cisco Routing

Posted on 2013-05-31
1,047 Views
Last Modified: 2013-11-21
I have a Forefront TMG 2010 firewall configured in an edge configuration.

Our internal network has three subnets:

192.168.2.0/24 - Internal network NIC address 192.168.2.3
10.1.0.0/16 - Internal network (Cisco 4507 routed through 192.168.2.1)

All PCs on the 192 subnet have a default gateway of 192.168.2.3.
All PCs on the 10. subnet go to 10.1.1.6 (address of the Cisco router).
The VLAN on the 192 subnet has an interface address of 192.168.2.1.

In TMG networking the internal network is defined with both subnets and I have a network topology route of 10.1.0.0 MASK 255.255.255.0 192.168.2.1 METRIC 256

Forefront keeps thinking that traffic from the 10.1.0.0 network is spoofed. I keep getting "A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG computer"
Question by:joepinter
5 Comments
 
LVL 35

Expert Comment

by:Bembi
ID: 39226564
The "A non-SYN packet was dropped" message usually comes up if a packet doesn't come back the same way it went out.
In this case, TMG gets a response to a packet which was not sent via TMG.

What you have to check is the traffic flow from your 10.x network. As you said, the gateway in this network is the Cisco device; the responses may hit TMG (i.e. if routed this way) and this is denied. All traffic which comes back via TMG has to go out via TMG.
 
LVL 1

Author Comment

by:joepinter
ID: 39227918
When I look at the logs on the TMG it says the most dropped packets come from 192.168.2.1. This would be the return traffic from the 10. network. Is there any way to tell TMG this is allowed?
 
LVL 35

Expert Comment

by:Bembi
ID: 39230728
There is no way to allow non-SYN packets in TMG. You have to make sure that your routing is correct.

A client always follows its default gateway (or, for HTTP, HTTPS, FTP, possibly the proxy settings). So if you send a packet from the client to TMG, TMG forwards or routes the packet to your DMZ, and the DMZ server connects to your Cisco (default gateway) and the Cisco back to TMG, then you have exactly this situation. This traffic is blocked.

From your description, I understood that TMG has two internal address ranges. What is not quite clear to me is where the Cisco is in place, and what the job of the Cisco device is.
A small picture would help, with TMG, Cisco, 1 x 10.x client, 1 x 192.x client..., possibly internet connection,
with all IPs and all gateways.
This way I can get an idea of the traffic flow.
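To make the failure mode in the two expert comments concrete (a stateful firewall that only saw one direction of a TCP flow, and the "most drops come from 192.168.2.1" observation in the author's reply), here is an added simulation. It is not code from Experts Exchange, from Microsoft or from the poster; the hosts, the external server address and the hop lists are constructed, and the only rule modelled is the one described in the thread: a flow is accepted only if the firewall forwarded its initial SYN, and any later packet without a matching flow is dropped.

```python
"""Model of the asymmetric-routing failure discussed in this thread.

Added illustration, not TMG code. Hosts, addresses and hop lists are
constructed; the single rule modelled is: a stateful firewall records a TCP
flow when it forwards the initial SYN and drops any later packet of a flow it
has no record of, no matter which access rule would otherwise allow it.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple

FIREWALL = "TMG"            # hop name used for the firewall in the hop lists
ROUTER = "192.168.2.1"      # hop name for the Cisco VLAN interface (from the question)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    initial_syn: bool          # True only for the first packet of a TCP connection
    hops: Tuple[str, ...]      # constructed: hops the packet traverses, in order


class StatefulFirewall:
    """Minimal stateful inspection: a flow exists only if its SYN passed through here."""

    def __init__(self) -> None:
        self.flows = set()     # keys of flows whose SYN was forwarded
        self.drops = []        # (src, dst, previous_hop, reason)

    @staticmethod
    def _key(p: Packet):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet):
        return (p.dst, p.dport, p.src, p.sport)

    @staticmethod
    def _previous_hop(p: Packet) -> Optional[str]:
        i = p.hops.index(FIREWALL)
        return p.hops[i - 1] if i > 0 else None

    def inspect(self, p: Packet) -> bool:
        """Return True if the packet is forwarded. Packets that never reach the
        firewall are trivially 'forwarded': it has no say over them."""
        if FIREWALL not in p.hops:
            return True
        if p.initial_syn:
            self.flows.add(self._key(p))
            return True
        if self._key(p) in self.flows or self._reverse(p) in self.flows:
            return True
        self.drops.append((p.src, p.dst, self._previous_hop(p),
                           "non-SYN packet without established connection"))
        return False


def run_scenario(client: str, outbound_hops, return_hops):
    """Send one SYN from client to a constructed server and route the reply
    back over return_hops. Returns (syn_forwarded, reply_forwarded, drops)."""
    fw = StatefulFirewall()
    server = "203.0.113.10"    # constructed external address (TEST-NET-3)
    syn = Packet(client, server, 50000, 443, True, tuple(outbound_hops))
    reply = Packet(server, client, 443, 50000, False, tuple(return_hops))
    return fw.inspect(syn), fw.inspect(reply), list(fw.drops)


def drops_by_previous_hop(drops) -> Counter:
    """Group drop records by the hop that handed the packet to the firewall; this
    is why a log can look like 'most dropped packets come from 192.168.2.1'."""
    return Counter(d[2] for d in drops)


# 192.168.2.x client: default gateway is TMG, so both directions pass TMG.
SYMMETRIC = run_scenario("192.168.2.50", [FIREWALL, "internet"], ["internet", FIREWALL])

# 10.1.x.x client: default gateway is the Cisco, the SYN never touches TMG, but the
# reply is routed from the Cisco VLAN interface into TMG (constructed asymmetric case).
ASYMMETRIC = run_scenario("10.1.5.20", ["10.1.1.6", "internet"],
                          ["internet", ROUTER, FIREWALL])

if __name__ == "__main__":
    print("symmetric :", SYMMETRIC)
    print("asymmetric:", ASYMMETRIC)
    print("drops by previous hop:", drops_by_previous_hop(ASYMMETRIC[2]))
```

The symmetric scenario forwards both packets and records nothing; the asymmetric one forwards the SYN only because the firewall never saw it, then drops the reply, and the drop record points at the router that delivered it rather than at the host that sent it. That is the reason the fix has to be made in the routing (or, as the accepted answer did, by giving each network its own interface) rather than in an access rule.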
 
LVL 1

Accepted Solution

by:joepinter (earned 0 total points)
ID: 39653577
After opening a support request with M$, I had to separate the networks and add another interface to the other network, issue resolved
 
LVL 1

Author Closing Comment

by:joepinter
ID: 39665314
Called Microsoft Product Support