TMG to another site via VPN sending packets as External IP

Hi, we have a site-to-site VPN set up with a TMG at one end and a Checkpoint at the other end. Behind the Checkpoint are various networks (including an MPLS routed by the core and MPLS routers); behind the TMG there are some local routed networks (routed by the core, not the FW).

- All devices behind the TMG can connect to all devices behind the Checkpoint (local and over MPLS)

- All devices behind the Checkpoint (local and over MPLS) can connect to all devices behind the TMG

- All devices behind the Checkpoint (local and over MPLS) can connect to the TMG

- The TMG can only connect to the devices behind the Checkpoint and the various local networks; when trying to connect to devices over the MPLS the connections fail. When looking at the TMG logging tool we can see that connections to devices behind the Checkpoint occur on the Internal interface; when attempting to connect to devices behind the Checkpoint that are over the MPLS we see that the TMG sends the packets as Local Host (using the External IP). On the Checkpoint we can see packets arriving for both the local subnets and the MPLS subnets, however we can also see they are coming from two different IPs.

(Green lines are where the traffic works in both directions, Red is the one way traffic issue noted above)

How do we get the TMG to ensure all packets destined for the VPN tunnel from itself come from the Internal IP (not the External IP) ?

June 26th, 2012 8:27pm

On the TMG, within Windows Network Connections, on the Advanced Settings properties window, what is the order of connections?

Reference: http://technet.microsoft.com/en-us/library/cc732472(v=ws.10).aspx

June 27th, 2012 6:51am

Hi Nathan,

Looks like the order is correct or as expected, internal interface first, external second.

Another note: looks like I misread the firewall logs when I was testing and as a result my diagram is incorrect. When the TMG tries to ping either server 2 or server 3 via the command prompt it is doing it on the External interface and I'm seeing the following in the firewall log:

Ping using command prompt to server 3 (same result to server 2) (Windows Updates has the same issue accessing a server in the same site as server 3):

However when I try to access a mapped drive on server 2 (same result for server 3) it tries to go out via the Internal interface and fails:

June 27th, 2012 5:38pm

Anyone have any ideas?
July 4th, 2012 5:15pm

Make sure that you have appropriate routing entries for all remote networks.

Make sure your internal network addresses include all networks/subnets that exist behind the TMG internal interface, even if they are accessible via internal firewalls and routers...

Cheers

JJ

July 4th, 2012 5:26pm

Hey Jason, thanks for the quick reply.

From what I can see, the internal is set up correctly: the TMG site is 10.72.0.0/16, the other side of the tunnel should be 10.0.0.0-10.70.255.255 and 10.73.0.0-10.255.255.255 (10.71.0.0/16 is not routed intentionally):

as is the route table:

Adding one of the remote sites as a static route doesn't help; I have tried to add 10.10.0.0/16 (over the MPLS) and 10.70.0.0/16 (other side of the tunnel) with no success...

July 4th, 2012 5:53pm
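JJ's advice above (check routing entries and the internal network definition) and Daniel's quoted address ranges can be checked with the longest-prefix-match rule Windows applies to the host's own traffic. The following is an added example, not code from the thread or from TMG: it uses a constructed route table (interface names and addresses are assumptions) to show which interface, and therefore which source address, a destination resolves to, and expands the ranges Daniel quotes into the CIDR prefixes a route or network definition would need.

```python
"""Longest-prefix-match check for a host's own outbound traffic (added example).

The route table below is constructed to mirror the thread: 10.72.0.0/16 on the
internal NIC and a default route on the external NIC. Interface names and the
203.0.113.10 / 10.72.0.1 addresses are assumptions, not values from the thread.
"""
import ipaddress

# Constructed route table: (prefix, interface, source address used for packets
# the host itself originates on that interface).
ROUTES = [
    ("0.0.0.0/0", "External", "203.0.113.10"),   # default route, external NIC
    ("10.72.0.0/16", "Internal", "10.72.0.1"),   # the TMG site's own /16
]

# Remote ranges exactly as quoted in the thread (10.71.0.0/16 deliberately absent).
REMOTE_RANGES = [("10.0.0.0", "10.70.255.255"), ("10.73.0.0", "10.255.255.255")]


def select_route(dst, routes=ROUTES):
    """Return (interface, source address) for dst by longest-prefix match."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, src in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, src)
    return best[1], best[2]


def remote_prefixes():
    """Expand the quoted start-end ranges into the minimal list of CIDR prefixes."""
    out = []
    for lo, hi in REMOTE_RANGES:
        out.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    return [str(n) for n in out]


def routes_with_remote(routes=ROUTES, iface="Internal", src="10.72.0.1"):
    """Route table with one entry per remote prefix pointing at the internal side."""
    return routes + [(p, iface, src) for p in remote_prefixes()]


if __name__ == "__main__":
    for dst in ("10.72.3.4", "10.10.5.5", "10.71.1.1"):
        print(dst, "default table ->", select_route(dst),
              "| with remote prefixes ->", select_route(dst, routes_with_remote()))
    print(len(remote_prefixes()), "remote prefixes:", remote_prefixes())
```

With only the default route, 10.10.5.5 (an MPLS subnet) resolves to the external interface and source address, while the same destination resolves to the internal side once the remote prefixes are present; 10.71.0.0/16 stays on the default route because it is outside the quoted ranges.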

Hello Daniel. Have you found a solution?

Cause I'm having the same problem. TMG server tries to access remote resources through IPsec tunnel using its external interface.

And those connections are blocked.

July 1st, 2013 6:36pm
