Solved

Forefront TMG 2010 and Cisco Routing

Posted on 2013-05-31
Last Modified: 2013-11-21
I have a Forefront TMG 2010 firewall configured in an edge configuration.

Our internal network has three subnets:

192.168.2.0/24 - Internal network NIC address 192.168.2.3
10.1.0.0/16 - Internal network (Cisco 4507 routed through 192.168.2.1)

All PCs on the 192 subnet have a default gateway of 192.168.2.3.
All PCs on the 10. subnet go to 10.1.1.6 (address of the Cisco router).
The VLAN on the 192 subnet has an interface address of 192.168.2.1.

In TMG networking the internal network is defined with both subnets and I have a network topology route of 10.1.0.0 MASK 255.255.255.0 192.168.2.1 METRIC 256.

Forefront keeps thinking that traffic from the 10.1.0.0 network is spoofed. I keep getting "A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG computer".
Question by: joepinter

5 Comments

Expert Comment by: Bembi (LVL 35)
ID: 39226564
The "A non-SYN packet was dropped" message usually comes up if a packet doesn't come back the same way it went out.
In this case, TMG gets a response to a packet which was not sent via TMG.

What you have to check is the traffic flow from your 10.x network. As you said, the gateway in this network is the Cisco device; the responses may hit TMG (i.e. if routed this way) and this is denied. All traffic which comes back via TMG has to go out via TMG.

Author Comment by: joepinter (LVL 1)
ID: 39227918
When I look at the logs on the TMG it says the most dropped packets come from 192.168.2.1. This would be the return traffic from the 10. network. Is there any way to tell TMG this is allowed?

Expert Comment by: Bembi (LVL 35)
ID: 39230728
There is no way to allow non-SYN packets in TMG. You have to make sure that your routing is correct.

A client always follows its default gateway (or for HTTP, HTTPS, FTP possibly the proxy settings). So if you send a packet from the client to TMG, TMG forwards or routes the packet to your DMZ, and the DMZ server connects to your Cisco (default gateway) and the Cisco back to TMG, then you have exactly this situation. This traffic is blocked.

From your description, I understood that TMG has two internal address ranges. What is not quite clear for me is where the Cisco is in place, and what the job of the Cisco device is.
A small picture would help, with TMG, Cisco, 1 x 10.x client, 1 x 192.x client..., possibly the internet connection,
with all IPs and all gateways.
This way I can get an idea of the traffic flow.

Accepted Solution by: joepinter (LVL 1), earned 0 total points
ID: 39653577
After opening a support request with M$, I had to separate the networks and add another interface for the other network; issue resolved.
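Bembi's explanation (a response that reaches TMG on a path the original packet never took is dropped as a non-SYN packet) and the accepted fix (moving the 10.x side onto its own TMG interface so both directions of every flow pass through TMG) can be replayed in a small routing model. The following Python script is an added example written for this page; it is not code from the thread, from Microsoft or from Cisco. The device names tmg, cisco and internet, the sample hosts 192.168.2.10 and 10.1.5.20 and the routing tables are constructed from the addresses given in the question; the "separate interface" topology is my reading of the accepted solution, and the stateful check is a simplified stand-in for TMG's connection tracking, not its actual implementation. One thing the model does not reproduce, and which is worth verifying in the real configuration: the topology route in the question is entered with MASK 255.255.255.0 while the network is described as 10.1.0.0/16; the model uses /16.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK" or "ACK"


@dataclass
class Device:
    name: str
    routes: list            # [(prefix, next_hop)]; next_hop None = directly connected
    stateful: bool = False  # True models the TMG box
    seen_syn: set = field(default_factory=set)
    drops: list = field(default_factory=list)

    def next_hop(self, dst):
        """Longest-prefix match over this device's routing table."""
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix, hop in self.routes:
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        if best is None:
            raise RuntimeError(f"{self.name}: no route to {dst}")
        return best[1]

    def inspect(self, pkt):
        """Simplified stateful check in the spirit of TMG's log message: a SYN
        opens a flow; any other packet needs a flow this device already saw."""
        if not self.stateful:
            return True
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.flags == "SYN":
            self.seen_syn.add(fwd)
            return True
        if fwd in self.seen_syn or rev in self.seen_syn:
            return True
        self.drops.append(f"{pkt.flags} {pkt.src}->{pkt.dst}: non-SYN packet dropped, "
                          "no established connection")
        return False


class Network:
    """hosts maps a host IP to the device used as its default gateway
    (only cross-subnet traffic is modelled)."""
    def __init__(self, devices, hosts):
        self.devices = {d.name: d for d in devices}
        self.hosts = hosts

    def send(self, pkt):
        """Return the devices the packet traverses, or None if one dropped it."""
        path = []
        dev = self.devices[self.hosts[pkt.src]]
        while True:
            path.append(dev.name)
            if not dev.inspect(pkt):
                return None
            hop = dev.next_hop(pkt.dst)
            if hop is None:  # directly connected: delivered
                return path
            dev = self.devices[hop]


def build_network(separate_interface):
    """Constructed topology following the thread. separate_interface=False is the
    original setup (the Cisco sits on the 192 VLAN, TMG reaches 10.x through it);
    True is one reading of the accepted solution: the 10.x side hangs off its own
    TMG NIC, so the Cisco no longer has the 192 subnet directly connected."""
    tmg = Device("tmg", [("192.168.2.0/24", None), ("10.1.0.0/16", "cisco"),
                         ("0.0.0.0/0", "internet")], stateful=True)
    cisco_routes = [("10.1.0.0/16", None), ("0.0.0.0/0", "tmg")]
    if not separate_interface:
        cisco_routes.append(("192.168.2.0/24", None))  # VLAN interface 192.168.2.1
    cisco = Device("cisco", cisco_routes)
    internet = Device("internet", [("0.0.0.0/0", None)])
    # Constructed sample hosts; default gateways as stated in the question.
    hosts = {"192.168.2.10": "tmg", "10.1.5.20": "cisco"}
    return Network([tmg, cisco, internet], hosts)


def run_handshake(net, client, server):
    """Replay a TCP handshake and record each segment's path; stop at the first
    drop, since the peers would never see the missing segment."""
    results = {}
    for flags, src, dst in (("SYN", client, server),
                            ("SYN-ACK", server, client),
                            ("ACK", client, server)):
        path = net.send(Packet(src, dst, flags))
        results[flags] = path
        if path is None:
            break
    return results


if __name__ == "__main__":
    for separate in (False, True):
        net = build_network(separate)
        print("separate interface:", separate,
              run_handshake(net, "10.1.5.20", "192.168.2.10"))
        for line in net.devices["tmg"].drops:
            print("  tmg:", line)
```

Running it shows the two cases side by side: in the original topology the SYN from the 10.x client reaches the 192.x host through the Cisco's directly connected VLAN interface without touching TMG, and the SYN-ACK, which the 192.x host hands to its default gateway, is then dropped at TMG exactly as Bembi describes; with the 10.x side on its own TMG interface every segment crosses TMG in both directions and nothing is dropped.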
 
Author Closing Comment by: joepinter (LVL 1)
ID: 39665314
Called Microsoft Product Support