Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

TMG 2010 is not able access other network

Posted on 2014-11-20
3
Medium Priority
?
224 Views
Last Modified: 2014-12-05
We have a Windows Server 2008 VM running Microsoft Threat Management Gateway (TMG) 2010.
It is not able to ping a set of  172.16.X.X default gateways on our network.

The Network Topology Routes and Active Server Routes show the appropriate subnets and next hop.
The next hop (Vyatta) has the proper entries. I know this because we also have a sonicwall that pings to the 172.16.X.X subnets just fine and its next hop is the Vyatta as well.

See picture for ping paths.
Only pertinent entries were labeled.
Ping-Path.png
Troubleshooting already performed:
-Rebooted TMG twice
-Removed routing entries and entered them again
-Ensured that the 172.16.X.X subnets are fully allowed to talk back and forth to the TMG LAN network.
-Looked for info on the internet related to this issue (no luck so far)

Note: TMG used to be the default gateway for the 172.16.X.X interfaces until I got a new Layer 3 solution and then deleted the interfaces from the server and VM. I spoke to VMware yesterday and they said from their end, there isn't anything hung up in the VM. I am partially thinking that TMG has something hung up in it about the old default gateways and won't go out to the appropriate next hop when looking for the 172.16.X.X subnets.

Any help would be appreciated.
Ping-Path.png
0
Comment
Question by:Paul Wagner
3 Comments
 
LVL 47

Assisted Solution

by:Craig Beck
Craig Beck earned 375 total points
ID: 40456855
First thing - to talk FROM TMG itself you need to set source to Localhost instead of the Internal ranges on TMG in any rule you make to allow traffic from it.

Second, I cant see a 10.50.0.0/16 address on the L3 device.
0
 
LVL 3

Accepted Solution

by:
Barry Molenwijk earned 1125 total points
ID: 40464585
Your NEXT HOP (I assume that's your gateway) on Vyatta and the TMG are different.

On Vyatta it's 10.0.1.50 and on the TMG it's 10.0.1.0. What you could do is add a persistent route which routs traffic to 172.16.2.0/24 and 172.16.3.0/24 out of the NIC that's connected to gateway 10.0.1.50.

route -p add 172.16.2.0 MASK 255.255.255.0 10.0.1.50
route -p add 172.16.3.0 MASK 255.255.255.0 10.0.1.50

That should work if 10.0.1.50 is your gateway.
0
 
LVL 5

Author Closing Comment

by:Paul Wagner
ID: 40483325
Both suggestions kind of led me to the solution. It turns out the some of the subnets had duplicate route entries. The TMG GUI looked fine but when I did a "route print" from the command line, the subnets had a route for the internal interface and a route for the WAN interface. Half the packets were going out the WAN!

I entered the command like this to fix it:
(only an example)
route delete 172.16.2.0 & route add 172.16.2.0 mask 255.255.255.0 10.0.1.1 -p

172.16.2.0 is the destination
255.255.255.0 is the subnet mask
10.0.1.1 is the next hop gateway
-p makes the route persistent and stores it in the registry

by deleting and adding the route in the same command, it ensures that any current connections are not lost.
0

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will show you how to create an ISO CD-ROM/DVD-ROM image (*.iso), and MD5 checksum signature, for use with VMware vSphere Hypervisor 6.5 (ESXi 6.5). It's a good idea to compare checksums, because many installations fail because of a corr…
In this article, I will show you HOW TO: Install VMware Tools for Windows on a VMware Windows virtual machine on a VMware vSphere Hypervisor 6.5 (ESXi 6.5) Host Server, using the VMware Host Client. The virtual machine has Windows Server 2016 instal…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Suggested Courses

578 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question