Site-to-site routing(?) fails

Dear community!

I would like to ask if you could help me configure the TMG I have here.

The network topology:

                  External
                     |
                     |
Site1 <-  IPsec  ->  TMG  <- IPsec -> Site2
                     /\
                    /  \
                   /    \
            Internal    DMZ

Internal: 192.168.201.0/24
DMZ: 192.168.151.0/24
Site1: 192.168.21.0/24
Site2: 192.168.202.0/24

All networks have their network objects created.

The problem is: I can see and ping everything from the Internal network,
but Site1 and Site2 can only see the Internal network, not the DMZ, nor each other.

Network rules:
#1: All protected networks ROUTE All protected networks
#2: All protected networks NAT External.

Question: Is this good enough, or should I define all the route rules one by one?

I am not 100% sure that the TMG is the weakest link in the chain, but I have absolutely no monitoring abilities over the branch office routers (FritzBoxes). So:
Question: Is there any way to monitor or sniff the traffic the TMG sends or receives on one of the site-to-site connections?
Can I tap in and, for example, capture all the PINGs that were sent out or sent through the tunnel between TMG and Site1? This might be a really dumb question, but sorry, I have been struggling with this for over a month now.

Firewall rules:
#1: Tons of publishing rules.
#2: Allow all protocols from All protected networks to All protected networks. (Only until I find out what is wrong.)
#3: Standard Deny all from Everywhere

Question: Should there be a demand-dial connection in RRAS when you create a site-to-site connection?
Should the site-to-site VPN appear in the routing table?

  • Edited by PacsoT Tuesday, November 12, 2013 4:20 PM
November 12th, 2013 6:53pm

Hi,

Yes, you need to define the network relationship between all of them. Then you should create an access rule for each one to control access between them.

For monitoring TMG, I think you can use GFI to help you do that; please refer to the information below:

http://www.gfi.com/pages/isa-server-monitoring-security

Best Regards

Quan Gu 


November 13th, 2013 9:36am

Thank you. I will give it a go today.
November 13th, 2013 1:27pm

Hi Quan

Does a site-to-site link need to appear in the routing table? If yes with what gateway should it appear?

November 13th, 2013 10:36pm

Hi,

Yes, the remote site network should appear on the local TMG server. Its next hop/gateway is the remote VPN server's private IP, which is assigned by the TMG server.

Best Regards

Quan Gu

November 14th, 2013 6:01am

Hi Gu!

Sorry for disappearing, I have not had time to get to this error since then.
A short question:

My local network is: 192.168.201.0/24
Local DMZ is: 192.168.151.0/24

Site 1 is 192.16.21.0/24
Site 2 is: 192.168.202.0/24

And my public IP is: 1.2.3.4


The routing table for the TMG is:

===========================================================================
Interface List
 30...........................RAS (Dial In) Interface
 14...00 15 5d 52 b0 00 ......Microsoft Hyper-V Network Adapter
 15...00 15 5d 52 b0 01 ......Microsoft Hyper-V Network Adapter #2
 17...00 15 5d 52 b0 1c ......Microsoft Hyper-V Network Adapter #2
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    178.48.17.146          1.2.3.4      5
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
    178.48.17.144  255.255.255.252         On-link           1.2.3.4    261
          1.2.3.4  255.255.255.255         On-link           1.2.3.4    261
    178.48.17.147  255.255.255.255         On-link           1.2.3.4    261
     192.168.21.0    255.255.255.0     192.168.21.1          1.2.3.4    261
     192.168.21.1  255.255.255.255     192.168.21.1          1.2.3.4    261
    192.168.151.0    255.255.255.0         On-link     192.168.151.1    261
    192.168.151.1  255.255.255.255         On-link     192.168.151.1    261
  192.168.151.255  255.255.255.255         On-link     192.168.151.1    261
    192.168.201.0    255.255.255.0         On-link     192.168.201.1    261
    192.168.201.1  255.255.255.255         On-link     192.168.201.1    261
   192.168.201.25  255.255.255.255         On-link    192.168.201.25    306
  192.168.201.255  255.255.255.255         On-link     192.168.201.1    261
    192.168.202.0  255.255.255.255  192.168.202.254          1.2.3.4    261
  192.168.202.254  255.255.255.255  192.168.202.254          1.2.3.4    261
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.201.1    261
        224.0.0.0        240.0.0.0         On-link           1.2.3.4    261
        224.0.0.0        240.0.0.0         On-link     192.168.151.1    261
        224.0.0.0        240.0.0.0         On-link    192.168.201.25    306
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.201.1    261
  255.255.255.255  255.255.255.255         On-link           1.2.3.4    261
  255.255.255.255  255.255.255.255         On-link     192.168.151.1    261
  255.255.255.255  255.255.255.255         On-link    192.168.201.25    306
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
     192.168.21.0    255.255.255.0     192.168.21.1     256
    192.168.202.0  255.255.255.255  192.168.202.254     256
     192.168.21.1  255.255.255.255     192.168.21.1     256
  192.168.202.254  255.255.255.255  192.168.202.254     256
===========================================================================

What I find interesting is the Interface column. Should the EXTERNAL interface be listed as the interface for the VPN tunnel?
Or do you see anything strange in general?
Like before, each and every network is in a ROUTE relation (except for the external).


  • Edited by PacsoT Wednesday, January 08, 2014 1:58 PM
January 8th, 2014 4:35pm
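A small script for checking a `route print` table like the one posted above, added here as an example and not part of the thread or of TMG itself. It parses the "Active Routes" block, verifies that each remote site prefix has a route with the expected netmask, reports whether that route's Interface is one of the TMG's own adapter addresses, and shows, by longest-prefix match, which route a packet to a host in each site would actually take. The sample input is a trimmed copy of the table in the post; the adapter address set (192.168.201.1, 192.168.151.1, 1.2.3.4) is taken from that table's On-link rows, and the site prefixes from the earlier posts.

```python
"""Check a Windows `route print` IPv4 table against the expected site networks.

Example added to the thread, not from the original posts or from TMG.
Sample input below is constructed from the routing table posted in the thread.
"""
import ipaddress
import re
from collections import namedtuple

Route = namedtuple("Route", "network mask gateway interface metric")

# One "Active Routes" row: destination, netmask, gateway-or-On-link, interface IP, metric
ROW_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+|On-link)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)

# Trimmed copy of the table posted above (constructed sample input).
ROUTE_PRINT_SAMPLE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    178.48.17.146          1.2.3.4      5
    178.48.17.144  255.255.255.252         On-link           1.2.3.4    261
     192.168.21.0    255.255.255.0     192.168.21.1          1.2.3.4    261
     192.168.21.1  255.255.255.255     192.168.21.1          1.2.3.4    261
    192.168.151.0    255.255.255.0         On-link     192.168.151.1    261
    192.168.201.0    255.255.255.0         On-link     192.168.201.1    261
    192.168.202.0  255.255.255.255  192.168.202.254          1.2.3.4    261
  192.168.202.254  255.255.255.255  192.168.202.254          1.2.3.4    261
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
     192.168.21.0    255.255.255.0     192.168.21.1     256
===========================================================================
"""

SITES = ["192.168.21.0/24", "192.168.202.0/24"]           # remote site networks from the post
ADAPTER_ADDRS = {"192.168.201.1", "192.168.151.1", "1.2.3.4"}  # TMG's own NIC addresses


def parse_route_print(text):
    """Return Route objects from the 'Active Routes' block only."""
    routes, in_active = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Active Routes:"):
            in_active = True
            continue
        if in_active and stripped.startswith("Persistent Routes:"):
            break
        m = ROW_RE.match(line)
        if in_active and m:
            net, mask, gw, iface, metric = m.groups()
            routes.append(Route(net, mask, gw, iface, int(metric)))
    return routes


def route_for(routes, dst):
    """Longest-prefix match (lower metric wins ties), as the host stack does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        net = ipaddress.ip_network(f"{r.network}/{r.mask}", strict=False)
        if addr in net:
            key = (net.prefixlen, -r.metric)
            if best is None or key > best[0]:
                best = (key, r)
    return best[1] if best else None


def check_site_routes(routes, expected, adapter_addrs):
    """For each expected prefix: missing, mask mismatch, or ok (plus egress info)."""
    report = {}
    for prefix in expected:
        want = ipaddress.ip_network(prefix)
        same_net = [r for r in routes if r.network == str(want.network_address)]
        if not same_net:
            report[prefix] = {"status": "missing", "route": None}
            continue
        exact = [r for r in same_net if r.mask == str(want.netmask)]
        if not exact:
            got = ipaddress.ip_network(f"{same_net[0].network}/{same_net[0].mask}", strict=False)
            report[prefix] = {"status": "mask mismatch", "route": same_net[0],
                              "table_prefixlen": got.prefixlen}
            continue
        r = exact[0]
        # Interface equal to a NIC address means the route is bound to that adapter,
        # not to a separate tunnel/demand-dial interface.
        report[prefix] = {"status": "ok", "route": r,
                          "egress_is_adapter": r.interface in adapter_addrs}
    return report


if __name__ == "__main__":
    routes = parse_route_print(ROUTE_PRINT_SAMPLE)
    for prefix, info in check_site_routes(routes, SITES, ADAPTER_ADDRS).items():
        print(prefix, info)
    for dst in ("192.168.21.10", "192.168.202.10"):
        r = route_for(routes, dst)
        print(f"{dst} -> {r.network}/{r.mask} via {r.gateway} on {r.interface}")
```

Run against the posted table, the check reports that 192.168.202.0 carries a 255.255.255.255 mask rather than 255.255.255.0, so a packet to any host in Site2 other than 192.168.202.254 itself matches only the default route and leaves via the ISP gateway. Both site routes also have the external address in the Interface column, which the script flags for the operator to compare against the RRAS demand-dial interface's address.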

This topic is archived. No further replies will be accepted.
