• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1091
  • Last Modified:

Forefront TMG 2010 and Cisco Routing

I have a forefront TMG 2010 firewall configured in an edge configuration.

our internal network has three subnets

192.168.2.0/24 - Internal network NIC address 192.168.2.3
10.1.0.0/16 - Internal network (Cisco 4507 routed through 192.168.2.1)

All PC's on the 192 subnet have a default gateway of 192.168.2.3
All PC's on the 10. subnet go to 10.1.1.6 (Address of cisco router)
the Vlan on the 192 subnet has an interface address of 192.168.2.1

In TMG networking the internal network is defined with both subnets and I have a network topology route of 10.1.0.0 MASK 255.255.255.0 192.168.2.1 METRIC 256

Forefront keeps thinking that traffic from the 10.1.0.0 network is spoofed. I keep getting "A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG computer"
0
joepinter
Asked:
joepinter
  • 3
  • 2
1 Solution
 
BembiCEOCommented:
The "A non-SYN packet was dropped" message usually comes up, if a packet doesn#t come back the same way like it went out.
In this case, TMG get a response from a packet, which is not send via TMG.

What you have to check is the traffic flow from your 10x Network. As you said, the gateway in this network is the cisco device, the responses may hit TMG (i.e. if routet this way) and this is denied. All traffic, which comes back via TMG has to go out via TMG.
0
 
joepinterAuthor Commented:
When I look a the logs on the tmg it says the most dropped packets come from 192.168.2.1. This would be the return traffic from the 10. Network.  Is there anyway to tell tmg this is allowed?
0
 
BembiCEOCommented:
There is no way no allow NON-SYN Packets in TMG. You have to make sure, that your routing is correct.

A client always follows its default gateway (or for HTTP, HTTPS, FTP possibley the proxy settings). So if you send a packet from the client to TMG, TMG forwards or routes the packet to your DMZ, and the DMZ server connects to your CISCO (default gateway) and Cisco back to TMG, then you have exacly this situation. This traffic is blocked.  

From your description, I understood that TMG has two internal adress ranges. What is not quite clear for me is, where the cisco is in place, and what is the job of the cisco device.
A small picture would help with TMG, Cisco, 1 x 10 x client, 1x 192.x client..., possibly internet connection.
with all IPs and all gateways.
This way I can have an imagination about the traffic flow.
0
 
joepinterAuthor Commented:
After opening a support request with M$, I had to separate the networks and add another interface to the other network, issue resolved
0
 
joepinterAuthor Commented:
Called Microsoft Product Support
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now