UAG Inside Network Access

  • Question

  • Hi Everyone,

    We have a test server running UAG that I am preparing for go-live next month. Everything was working fine until I decided to add some additional approved internal networks, and now I am having problems connecting to any internal network.

    After trying to get it working all day yesterday, I decided to go back to basics using a single inside network of 192.168.104.0/24.

    On the client the network connector starts and assigns an IP address from the pool, but I cannot ping any devices on the approved inside network, nor can I ping the internal interface IP or the UAG DHCP Server IP (192.168.111.130). I can ping inside devices from the server.

    See the setup information below:

     

    Internal Network
        Network: 192.168.111.0/24
        Interface IP: 192.168.111.70
        Default Gateway:
        DNS: 192.168.111.10, 192.168.114.10

    External Network
        Network: 172.31.10.0/24
        Interface IP: 172.31.10.4
        Default Gateway: 172.31.10.254

    SSL Network Tunnelling Server:
        Gateway: 192.168.111.70
        Additional Networks: 192.168.104.0/24
        Range: 192.168.111.130 > 192.168.111.139

    Forefront TMG – Networking (ISA)
        Internal Interface Addresses:
            192.168.104.0 > 192.168.104.255
            192.168.111.0 > 192.168.111.129
            192.168.111.140 > 192.168.111.255

    Routes

    Persistent Routes:
        Network Destination    Netmask            Gateway            Metric
        192.168.104.0          255.255.255.0      192.168.111.254    1
        0.0.0.0                0.0.0.0            172.31.10.254      Default

    Active Routes:
        Network Destination    Netmask            Gateway            Interface          Metric
        127.0.0.0              255.0.0.0          On-link            127.0.0.1          306
        127.0.0.1              255.255.255.255    On-link            127.0.0.1          306
        127.255.255.255        255.255.255.255    On-link            127.0.0.1          306
        172.31.10.0            255.255.255.0      On-link            172.31.10.4        286
        172.31.10.4            255.255.255.255    On-link            172.31.10.4        286
        172.31.10.5            255.255.255.255    On-link            172.31.10.4        286
        172.31.10.255          255.255.255.255    On-link            172.31.10.4        286
        192.168.104.0          255.255.255.0      192.168.111.254    192.168.111.70     11
        192.168.111.0          255.255.255.0      On-link            192.168.111.70     266
        192.168.111.70         255.255.255.255    On-link            192.168.111.70     266
        192.168.111.130        255.255.255.254    On-link            192.168.111.130    286
        192.168.111.130        255.255.255.255    On-link            192.168.111.130    286
        192.168.111.131        255.255.255.255    On-link            192.168.111.130    286
        192.168.111.132        255.255.255.252    On-link            192.168.111.130    286
        192.168.111.135        255.255.255.255    On-link            192.168.111.130    286
        192.168.111.136        255.255.255.252    On-link            192.168.111.130    286
        192.168.111.139        255.255.255.255    On-link            192.168.111.130    286
        192.168.111.255        255.255.255.255    On-link            192.168.111.70     266
        224.0.0.0              240.0.0.0          On-link            127.0.0.1          306
        224.0.0.0              240.0.0.0          On-link            172.31.10.4        286
        224.0.0.0              240.0.0.0          On-link            192.168.111.70     266
        224.0.0.0              240.0.0.0          On-link            192.168.111.130    286
        255.255.255.255        255.255.255.255    On-link            127.0.0.1          306
        255.255.255.255        255.255.255.255    On-link            172.31.10.4        286
        255.255.255.255        255.255.255.255    On-link            192.168.111.70     266
        255.255.255.255        255.255.255.255    On-link            192.168.111.130    286


    Tuesday, September 20, 2011 10:12 AM

All replies

  • Hi richie19rich77,

    If your internal network contains more than a single network, you have to do the following steps:

    1.) Add routes for the internal networks on your UAG box.

    2.) Rerun the UAG network wizard to propagate the new subnets to the UAG/TMG configuration.

    3.) Add some routes on your internal core routers so that the VPN pool addresses are getting forwarded to the internal interface of UAG.

    BTW: To enable ICMP probes to the UAG interfaces, you have to change the TMG system policies to allow PING from the VPN Client network.

    -Kai


    This posting is provided "AS IS" without any warranties. Kai Wilke | ITaCS GmbH | GERMANY, Berlin | www.itacs.de
    Tuesday, September 20, 2011 1:45 PM
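    A configuration consistency check written for this thread (an added example, not code from the thread, from UAG or from TMG): it parses route print-style lines like the ones quoted in the question, reports every approved inside network that only the default route would carry (the routes Kai's step 1 asks for), and flags any overlap between the SSL tunnelling pool and TMG's Internal address ranges, which the question's configuration correctly avoids. The route lines, ranges and the extra 192.168.114.0/24 network (the second DNS server's subnet, for which no route is quoted) are constructed sample values.

```python
import ipaddress

# Constructed sample modelled on the question's routes and address ranges;
# 192.168.114.0/24 is added to the approved list on purpose to show a miss.
ROUTE_PRINT = """
192.168.104.0    255.255.255.0    192.168.111.254  192.168.111.70   11
192.168.111.0    255.255.255.0    On-link          192.168.111.70   266
192.168.111.130  255.255.255.254  On-link          192.168.111.130  286
0.0.0.0          0.0.0.0          172.31.10.254    172.31.10.4      10
"""
TMG_INTERNAL = ["192.168.104.0-192.168.104.255", "192.168.111.0-192.168.111.129",
                "192.168.111.140-192.168.111.255"]
VPN_POOL = "192.168.111.130-192.168.111.139"
APPROVED = ["192.168.104.0/24", "192.168.111.0/24", "192.168.114.0/24"]

def parse_routes(text):
    """Parse 'route print'-style lines into (network, gateway, interface, metric)."""
    routes = []
    for line in text.strip().splitlines():
        dest, mask, gw, iface, metric = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "On-link" else ipaddress.ip_address(gw)
        routes.append((net, gateway, ipaddress.ip_address(iface), int(metric)))
    return routes

def lookup(routes, ip):
    """Longest-prefix match (lowest metric breaks ties); None if nothing matches."""
    ip = ipaddress.ip_address(ip)
    matches = [r for r in routes if ip in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3])) if matches else None

def range_to_nets(addr_range):
    """'a-b' address range -> list of CIDR blocks covering exactly that range."""
    lo, hi = (ipaddress.ip_address(x) for x in addr_range.split("-"))
    return list(ipaddress.summarize_address_range(lo, hi))

def pool_overlaps_internal(pool, internal_ranges):
    """True if any VPN pool address also falls inside TMG's Internal ranges."""
    internal = [n for r in internal_ranges for n in range_to_nets(r)]
    return any(p.overlaps(i) for p in range_to_nets(pool) for i in internal)

def unroutable_networks(routes, approved):
    """Approved networks that only the default route would carry (no step-1 route)."""
    missing = []
    for cidr in approved:
        first_host = str(ipaddress.ip_network(cidr).network_address + 1)
        hit = lookup(routes, first_host)
        if hit is None or hit[0].prefixlen == 0:
            missing.append(cidr)
    return missing
```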