Solved

Forefront TMG 2010 and Cisco Routing

Posted on 2013-05-31
5
1,019 Views
Last Modified: 2013-11-21
I have a forefront TMG 2010 firewall configured in an edge configuration.

our internal network has three subnets

192.168.2.0/24 - Internal network NIC address 192.168.2.3
10.1.0.0/16 - Internal network (Cisco 4507 routed through 192.168.2.1)

All PC's on the 192 subnet have a default gateway of 192.168.2.3
All PC's on the 10. subnet go to 10.1.1.6 (Address of cisco router)
the Vlan on the 192 subnet has an interface address of 192.168.2.1

In TMG networking the internal network is defined with both subnets and I have a network topology route of 10.1.0.0 MASK 255.255.255.0 192.168.2.1 METRIC 256

Forefront keeps thinking that traffic from the 10.1.0.0 network is spoofed. I keep getting "A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG computer"
0
Comment
Question by:joepinter
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 35

Expert Comment

by:Bembi
ID: 39226564
The "A non-SYN packet was dropped" message usually comes up, if a packet doesn#t come back the same way like it went out.
In this case, TMG get a response from a packet, which is not send via TMG.

What you have to check is the traffic flow from your 10x Network. As you said, the gateway in this network is the cisco device, the responses may hit TMG (i.e. if routet this way) and this is denied. All traffic, which comes back via TMG has to go out via TMG.
0
 
LVL 1

Author Comment

by:joepinter
ID: 39227918
When I look a the logs on the tmg it says the most dropped packets come from 192.168.2.1. This would be the return traffic from the 10. Network.  Is there anyway to tell tmg this is allowed?
0
 
LVL 35

Expert Comment

by:Bembi
ID: 39230728
There is no way no allow NON-SYN Packets in TMG. You have to make sure, that your routing is correct.

A client always follows its default gateway (or for HTTP, HTTPS, FTP possibley the proxy settings). So if you send a packet from the client to TMG, TMG forwards or routes the packet to your DMZ, and the DMZ server connects to your CISCO (default gateway) and Cisco back to TMG, then you have exacly this situation. This traffic is blocked.  

From your description, I understood that TMG has two internal adress ranges. What is not quite clear for me is, where the cisco is in place, and what is the job of the cisco device.
A small picture would help with TMG, Cisco, 1 x 10 x client, 1x 192.x client..., possibly internet connection.
with all IPs and all gateways.
This way I can have an imagination about the traffic flow.
0
 
LVL 1

Accepted Solution

by:
joepinter earned 0 total points
ID: 39653577
After opening a support request with M$, I had to separate the networks and add another interface to the other network, issue resolved
0
 
LVL 1

Author Closing Comment

by:joepinter
ID: 39665314
Called Microsoft Product Support
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In Africa (and potentially where you live…), reliability of ISPs is questionable.  With the increased reliance on e-mail as one of the primary forms of communication, the costs to business are significant based on interuption of ISP Connectivity.  T…
Microsoft's ISA Server has been its pre-eminent security product for about a decade and is still regarded amongst the well-informed as one of the best software firewalls and application gateways ever released, by any manufacturer. ISA Server has bee…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question