Solved

TMG 2010 is not able access other network

Posted on 2014-11-20
3
205 Views
Last Modified: 2014-12-05
We have a Windows Server 2008 VM running Microsoft Threat Management Gateway (TMG) 2010.
It is not able to ping a set of  172.16.X.X default gateways on our network.

The Network Topology Routes and Active Server Routes show the appropriate subnets and next hop.
The next hop (Vyatta) has the proper entries. I know this because we also have a sonicwall that pings to the 172.16.X.X subnets just fine and its next hop is the Vyatta as well.

See picture for ping paths.
Only pertinent entries were labeled.
Ping-Path.png
Troubleshooting already performed:
-Rebooted TMG twice
-Removed routing entries and entered them again
-Ensured that the 172.16.X.X subnets are fully allowed to talk back and forth to the TMG LAN network.
-Looked for info on the internet related to this issue (no luck so far)

Note: TMG used to be the default gateway for the 172.16.X.X interfaces until I got a new Layer 3 solution and then deleted the interfaces from the server and VM. I spoke to VMware yesterday and they said from their end, there isn't anything hung up in the VM. I am partially thinking that TMG has something hung up in it about the old default gateways and won't go out to the appropriate next hop when looking for the 172.16.X.X subnets.

Any help would be appreciated.
Ping-Path.png
0
Comment
Question by:Paul Wagner
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 46

Assisted Solution

by:Craig Beck
Craig Beck earned 125 total points
ID: 40456855
First thing - to talk FROM TMG itself you need to set source to Localhost instead of the Internal ranges on TMG in any rule you make to allow traffic from it.

Second, I cant see a 10.50.0.0/16 address on the L3 device.
0
 
LVL 3

Accepted Solution

by:
Barry Molenwijk earned 375 total points
ID: 40464585
Your NEXT HOP (I assume that's your gateway) on Vyatta and the TMG are different.

On Vyatta it's 10.0.1.50 and on the TMG it's 10.0.1.0. What you could do is add a persistent route which routs traffic to 172.16.2.0/24 and 172.16.3.0/24 out of the NIC that's connected to gateway 10.0.1.50.

route -p add 172.16.2.0 MASK 255.255.255.0 10.0.1.50
route -p add 172.16.3.0 MASK 255.255.255.0 10.0.1.50

That should work if 10.0.1.50 is your gateway.
0
 
LVL 5

Author Closing Comment

by:Paul Wagner
ID: 40483325
Both suggestions kind of led me to the solution. It turns out the some of the subnets had duplicate route entries. The TMG GUI looked fine but when I did a "route print" from the command line, the subnets had a route for the internal interface and a route for the WAN interface. Half the packets were going out the WAN!

I entered the command like this to fix it:
(only an example)
route delete 172.16.2.0 & route add 172.16.2.0 mask 255.255.255.0 10.0.1.1 -p

172.16.2.0 is the destination
255.255.255.0 is the subnet mask
10.0.1.1 is the next hop gateway
-p makes the route persistent and stores it in the registry

by deleting and adding the route in the same command, it ensures that any current connections are not lost.
0

Featured Post

Is your NGFW recommended by NSS Labs?

Ours is! NSS Labs Next Generation Firewall Test gives the WatchGuard Firebox M4600 a "Recommended" rating! Curious where your NGFW landed on the  Security Value Map? See the map and download the full report today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

HOW TO: Connect to the VMware vSphere Hypervisor 6.5 (ESXi 6.5) using the vSphere (HTML5 Web) Host Client 6.5, and perform a simple configuration task of adding a new VMFS 6 datastore.
In this article we will learn how to backup a VMware farm using Nakivo Backup & Replication. In this tutorial we will install the software on a Windows 2012 R2 Server.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question