2960s VLAN routing

stace
Level 1

Hi, I could use some help with an issue I'm experiencing setting up a lab environment, just getting into learning some networking.  Using a 2960S-24PD-L switch, running the 'lanbase-routing' template and IOS is 15.2.  

I have created a few VLANs (vlan10, vlan 20 & vlan100) & SVIs, 'ip routing' has been run and all, well most, inter-vlan routing is working.  VLAN100 (IP 10.100.0.254/16) is on G1/0/24, connected to a TMG server IP 10.100.0.1/16.  On the TMG server I added the routes and can connect to all vlans on the switch.  The problem is any hosts on vlan10 or vlan20 can't connect to the TMG server; I can ping the SVI 10.100.0.254, but not the TMG at 10.100.0.1.  All ports are configured as access ports and routing between the vlans is otherwise working.  So in summary, TMG-->switch is working, switch-->TMG not so much :0).

Not sure what I'm missing but wouldn't be surprised if it's something simple I overlooked, still very much a network noob!!  Any help is appreciated, I can post configs tomorrow when I get back to the switch.

Thanks.

1 Accepted Solution


What is 10.100.0.1?

Is it a firewall?


Reza Sharifi
Hall of Fame

Hi,

The problem is any hosts on vlan10 or vlan20 can't connect to the TMG server; I can ping the SVI 10.100.0.254, but not the TMG at 10.100.0.1

Do hosts in vlan 10 and 20 have the correct default gateways?

Also, make sure the hosts don't have firewall software installed.  That could prevent them from pinging and being pinged.

HTH

Thanks Reza.  The hosts are using the SVI address, so hosts on VLAN10 use 172.16.10.254/24 for the GW, and hosts on VLAN20 use 172.16.20.254/24 for the GW.  VLAN100 GW is 10.100.0.254/16.  From the switch itself I'm unable to ping the TMG at 10.100.0.1/16.  I thought it might be a firewall on the TMG but Windoze fwall is off and I've added a rule to allow incoming pings from the internal side.  I can't seem to get this working :0(

 

sw01#sh run
Building configuration...

Current configuration : 3139 bytes
!
! Last configuration change at 23:21:36 EST Sat Jul 12 2014
! NVRAM config last updated at 23:08:52 EST Sat Jul 12 2014
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname sw01
!
boot-start-marker
boot-end-marker
!
enable secret
enable password
!
no aaa new-model
clock timezone EST -5 0
switch 1 provision ws-c2960s-24pd-l
ip routing
!
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
 no ip address
 no ip route-cache
 shutdown
!
interface GigabitEthernet1/0/1 - 21
!
interface GigabitEthernet1/0/22
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/23
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/0/24
 switchport access vlan 100
 switchport mode access
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface TenGigabitEthernet1/0/1
!
interface TenGigabitEthernet1/0/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 172.16.10.254 255.255.255.0
!
interface Vlan20
 ip address 172.16.20.254 255.255.255.0
!
interface Vlan100
 ip address 10.100.0.254 255.255.0.0
!
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.100.0.1
!
!
!
line con 0
line vty 0 4
 password
 login
line vty 5 15
 password
 login
!
end

sw01#
sw01#
sw01#
sw01#
sw01#ping 172.16.10.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/5 ms
sw01#ping 172.16.20.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.20.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
sw01#ping 10.100.0.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.0.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/5 ms
sw01#ping 10.100.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
sw01#

What is 10.100.0.1?

Is it a firewall?

It's a Forefront TMG 2010 server, and looks like it is the cause.  I removed it and put a Win8 host on the port and had full connectivity.  So I think my switch config is good, it's my TMG config that's not!

 
