TMG - A packet was dropped because its destination IP address is unreachable

    Question

  • Hi all,

         We have deployed a TMG server, and it is working as a firewall and proxy.

         The proxy is working without a problem, but we have some DMZs on a Juniper firewall that is between the TMG and the internet, and we can't access them through the TMG.

         The External Network Interface of the TMG is on the 192.168.6.0 network with the default gateway 192.168.6.254 (255.255.255.0).

         The DMZ on the Juniper is on 192.168.2.0 with a default gateway 192.168.2.254 (255.255.255.0).

         If I ping a server on that DMZ from the TMG it returns: "A packet was dropped because its destination IP address is unreachable".

         I don't know what's wrong, can you help me?

    Thank you.

    Miguel Silva

    Monday, May 24, 2010 8:46 AM

Answers

  • The persistent routes look a little strange. They are already covered in the Default gateway on your External NIC. Also, no need to add a route to the 192.168.2.0 network since it appears to use default gateway. The route to the 172.28.0.0 network is necessary though.
    Friday, May 28, 2010 4:35 PM
    Answerer

All replies

  • Hi Miguel,

    So, 192.168.2.0 is a network reached via TMG's external interface? If so, you will need to make sure this subnet is excluded from your internal network definition.

    You will also need to ensure that routing is in place for packets to return correctly via TMG. You may need static routes to achieve this...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Monday, May 24, 2010 9:27 AM
  • Hi Jason,

         TMG doesn't allow us to use a subnet in the external if it isn't excluded in the internal... :)

         My internal range is 172.28.0.1-172.28.255.255.

         Where do I need to place those routes? In the Juniper?

         So in TMG I don't need to do anything?

    Thank you for your reply.

     

    Monday, May 24, 2010 10:27 AM
  • Hmmm...confused. Need a network diagram or overview I think...
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Monday, May 24, 2010 1:00 PM
  • Hi,

    Let's see if I can make myself clear... :D

    My LAN address Range: 172.28.0.0 - 172.28.255.255

    My TMG LAN IP: 172.28.0.66 / Mask:255.255.255.240

    My TMG WAN IP: 192.168.6.1 /Mask: 255.255.255.0 / GW: 192.168.6.254

    My TMG has a static route in the internal interface:  172.28.0.0    255.255.0.0      172.28.0.78       1

    My Juniper has 3 DMZs: 192.168.2.0 / 192.168.3.0 / 192.168.4.0

    My Juniper trust interface is 192.168.6.254

    From TMG I can't reach 192.168.2.1 or 192.168.3.1, why?

    Monday, May 24, 2010 1:32 PM
  • Does the Juniper connect to the LAN or is it a front firewall between TMG and the Internet?

    What is 192.168.6.254?


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Monday, May 24, 2010 1:48 PM
  • My Juniper at the moment is connected to the LAN, but we want to remove that connection.

    The 192.168.6.254 is the Juniper connection to the LAN we want to implement; at the moment it is connected directly to the TMG (it is the default gateway of the TMG).

    A new subnet (192.168.6.0) was created to connect the WAN interface of the TMG and the Juniper.

    Monday, May 24, 2010 2:21 PM
  • Is TMG in NAT or route mode?

    If the Juniper is connected to the LAN, it could be that packets from TMG are being received on the DMZ interface but replies are going back to TMG via the Juniper internal interface??

    What do you see in the ISA logs when you try the PINGs? Do you see initiate, but no response?


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Monday, May 24, 2010 4:00 PM
  • TMG is in route mode.

    In TMG when I do a ping to any DMZ it shows "Denied a packet was dropped because its destination IP address is unreachable"

    From the DMZ to my external interface of TMG it shows "Denied A packet was dropped because Forefront TMG determined that the source IP address is spoofed".


    Monday, May 24, 2010 4:47 PM
  • Have you added static routes to those subnets on the machine TMG is on? You can use the route add command or there is a UI now on TMG under the Networking area. It sounds to me like TMG does not know which interface to correctly associate those ranges with.

    You get the spoofing message when a packet arrives at an Interface in which TMG is not expecting it. This is usually because your networks are not defined correctly. Is there a Network associated with the DMZ interface?

    Monday, May 24, 2010 6:12 PM
    Answerer
  • Hi all,

     Scenario:

      Juniper has 3 DMZs. The Juniper trust interface is 192.168.6.254

    The DMZs are 192.168.2.0 / 192.168.3.0 / 192.168.4.0 - all DMZ gateways are x.x.x.254 (Juniper interfaces).

    The TMG WAN interface is on subnet 192.168.6.0 with IP 192.168.6.1.

    The TMG LAN interface IP is 172.28.0.66.

    From a LAN client I can't ping a server on DMZ 192.168.2.0, but I can ping 192.168.6.254 (the default gateway of the TMG) and the WAN interface of the TMG (192.168.6.1).

    From the TMG I can't ping a server on DMZ 192.168.2.0, but I can ping 192.168.6.254.

    From a desktop on the subnet 192.168.6.0 with IP 192.168.6.10 I can ping the server on the DMZ 192.168.2.0.

    When I log my ping from the TMG to the 192.168.2.0 network I see an error message saying, "Denied Connection - IP address unreachable"

    My route print from the TMG:

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0    192.168.6.254      192.168.6.1    261
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
           172.28.0.0      255.255.0.0      172.28.0.78      172.28.0.66      6
          172.28.0.64  255.255.255.240         On-link       172.28.0.66    261
          172.28.0.66  255.255.255.255         On-link       172.28.0.66    261
          172.28.0.79  255.255.255.255         On-link       172.28.0.66    261
          192.168.2.0    255.255.255.0    192.168.6.254      192.168.6.1      6
          192.168.6.0    255.255.255.0         On-link       192.168.6.1    261
          192.168.6.1  255.255.255.255         On-link       192.168.6.1    261
        192.168.6.255  255.255.255.255         On-link       192.168.6.1    261
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link       172.28.0.66    261
            224.0.0.0        240.0.0.0         On-link       192.168.6.1    261
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link       172.28.0.66    261
      255.255.255.255  255.255.255.255         On-link       192.168.6.1    261
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
           172.28.0.0      255.255.0.0      172.28.0.78       1
              0.0.0.0          0.0.0.0    192.168.6.254  Default
              0.0.0.0          0.0.0.0    192.168.6.254  Default
              0.0.0.0          0.0.0.0    192.168.6.254  Default
          192.168.2.0    255.255.255.0    192.168.6.254       1

    As you can see I already added a route to the network 192.168.2.0. But the result is the same.

    What am I doing wrong? What can I do to solve this issue?

    Thursday, May 27, 2010 3:21 PM
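As an added example (not code from the thread), the small Python script below replays the longest-prefix lookup Windows performs over the Active Routes quoted in the route print above, and flags any route whose removal leaves the next hop for its own prefix unchanged. It reproduces the accepted answer's observation that the 192.168.2.0 entry is already covered by the default gateway on the external NIC, while the 172.28.0.0 route is not. The route rows are a constructed subset of the quoted table (loopback, multicast and host routes dropped); the function names are my own.

```python
import ipaddress

# Constructed sample: the relevant Active Routes rows from the route print
# quoted in the thread (loopback, multicast and /32 host rows left out).
ROUTE_PRINT = """\
          0.0.0.0          0.0.0.0    192.168.6.254      192.168.6.1    261
       172.28.0.0      255.255.0.0      172.28.0.78      172.28.0.66      6
      172.28.0.64  255.255.255.240         On-link       172.28.0.66    261
      192.168.2.0    255.255.255.0    192.168.6.254      192.168.6.1      6
      192.168.6.0    255.255.255.0         On-link       192.168.6.1    261
"""


def parse_routes(text):
    """Turn 'destination netmask gateway interface metric' rows into route dicts."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header, separator or blank line
        dest, mask, gateway, iface, metric = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append({"net": net, "gateway": gateway,
                       "interface": iface, "metric": int(metric)})
    return routes


def lookup(routes, dst):
    """Longest-prefix match, lowest metric as tie-break; returns (interface, gateway)."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))
    return best["interface"], best["gateway"]


def redundant_routes(routes):
    """Prefixes whose route can be dropped without changing their own next hop."""
    redundant = []
    for r in routes:
        rest = [x for x in routes if x is not r]
        probe = str(r["net"].network_address)
        if lookup(rest, probe) == (r["interface"], r["gateway"]):
            redundant.append(str(r["net"]))
    return redundant


if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    print("192.168.2.1 ->", lookup(table, "192.168.2.1"))
    print("redundant:", redundant_routes(table))  # ['192.168.2.0/24']
```

Because the DMZ traffic leaves via 192.168.6.1 toward 192.168.6.254 with or without the static route, the "unreachable" drop is not a host routing problem; TMG's network definitions decide which Network each interface and range belongs to, which is what the spoofing message in the thread points at.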