Microsoft VPN through ASA 5510

I've got a few clients on our internal network that need to connect out onto the net to other networks by using Microsoft VPN. They use this to retrieve mail from the Exchange server sitting externally.

It seems to find the server but fails at the authentication stage.

Do I need to create a NAT for this? Our internal address range is on DHCP so I can't create a static NAT.

What ports need to be opened?


No, NAT should be running on the other side of their connection. Just make sure ports 1723 TCP and 47 IP (for GRE) are open.
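
As an added example (not part of the original thread): a small Python check that reads ASA-style `access-list` lines and reports whether both halves of PPTP passthrough named in the answer above, TCP 1723 and IP protocol 47 (GRE), are permitted. The ACL name `inside_out` and the sample rules are constructed, and the check ignores addresses, deny lines and rule order.

```python
import re

# Constructed sample ACL in ASA "access-list ... extended" syntax (not from the thread).
SAMPLE_ACL = """\
access-list inside_out extended permit tcp any any eq 1723
access-list inside_out extended permit tcp any any eq 47
access-list inside_out extended permit udp any any eq 47
"""

RULE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<rest>.*)$"
)

def audit_pptp(acl_text):
    """Return (control_ok, gre_ok, warnings) for PPTP passthrough.

    control_ok: a permit rule covers the PPTP control channel (TCP 1723).
    gre_ok:     a permit rule covers the tunnel itself (GRE, IP protocol 47).
    """
    control_ok = gre_ok = False
    warnings = []
    for raw in acl_text.splitlines():
        m = RULE.match(raw.strip())
        if not m or m["action"] != "permit":
            continue  # simplified: deny lines and first-match order are not modelled
        proto = m["proto"].lower()
        eq = re.search(r"\beq\s+(\S+)", m["rest"])
        port = eq.group(1).lower() if eq else None
        if proto == "tcp" and port in ("1723", "pptp"):
            control_ok = True
        elif proto in ("gre", "47"):
            gre_ok = True
        elif proto == "ip" and port is None:
            control_ok = gre_ok = True  # "permit ip" matches every IP protocol
        elif proto in ("tcp", "udp") and port == "47":
            # GRE is an IP protocol number, not a TCP/UDP port.
            warnings.append(f"{proto}/47 does not match GRE: {raw.strip()}")
    return control_ok, gre_ok, warnings

if __name__ == "__main__":
    control_ok, gre_ok, warnings = audit_pptp(SAMPLE_ACL)
    print("TCP 1723 permitted:", control_ok)
    print("GRE (protocol 47) permitted:", gre_ok)
    for w in warnings:
        print("warning:", w)
```

With only the control channel permitted, the client reaches the server on TCP 1723, but the PPP session that carries authentication runs over GRE and never completes.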
condorcapeAuthor Commented:
Oh sorry, just saw you mentioned it :)


If you want to connect from the outside to the VPN server, you have to open ports 1723 and 47 TCP and UDP.
That's using PPTP. If you are doing IPSec over L2TP it is totally different.

condorcapeAuthor Commented:
Great, I've managed to get it working!

Thanks a mill!

Port connectivity should be taken care of by VPN, I would check for IP or DNS problems but you know your network best!  Here's your info:

Communication between Exchange Client computers and Exchange Server computers
An Exchange Client computer on a LAN or WAN link uses remote procedure call (RPC) to communicate with an Exchange Server computer. The Exchange Server computer, an RPC-based application, uses TCP port 135, also referred to as the location service that helps RPC applications to query for the port number of a service.

The Exchange Server computer monitors port 135 for client connections to the RPC endpoint mapper service. After a client connects to a socket, the Exchange Server computer allocates the client two random ports to use to communicate with the directory and the information store. The client does not communicate with other components of the Exchange Server computer.

If security concerns for a network infrastructure require blocking of any ports other than the ones used, then the random assignment of ports for communication with the directory and the information store can become a roadblock. To avoid this, Exchange Server versions 4.0 and later allow you to statically allocate these ports.

At this juncture, for successful communication between client and server, the firewall needs to be configured to allow TCP connections to port 135 and all statically allocated ports. If you need to monitor traffic for analysis, these are the ports to monitor.
condorcapeAuthor Commented:
Yeah, the problem is that the VPN wasn't being established.
