NAT to L2TP VPN Server behind a Cisco ASA


I am configuring my network as follows:

Cisco ASA 5510
DMZ / Perimeter Network
Microsoft TMG 2010

I have configured L2TP VPN on the TMG server and it is working beautifully if I plug into the DMZ and connect. I want to be able to connect from outside the ASA, so I entered the following on the ASA (v8.4):
object network TMGGateway
 nat (inside,outside) static 173.x.x.249
access-list outbound extended permit ip any any
access-list inbound extended permit udp any object TMGGateway eq 500
access-list inbound extended permit udp any object TMGGateway eq 5500
access-list inbound extended permit udp any object TMGGateway eq 1701
access-list inbound extended permit esp any object TMGGateway
access-group inbound in interface outside
access-group outbound in interface inside

Open in new window

The address is a secondary IP on the TMG server, not being used for anything else. Likewise the 173.x.x.249 IP is not being used for anything else. The ASA and the TMG are both performing NAT.

I try to connect from outside to 173.x.x.249 with no success. Watching the log on the TMG server shows IKE traffic but nothing being dropped. In desperation, I even tried this on the ASA:
access-list inbound extended permit ip any object TMGGateway

Open in new window

Still no luck. I must be missing something. Please help!
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Program_PoserAuthor Commented:
Some further info: I watched the TMG logs while connecting from the DMZ, and it shows the IKE negotioation, then the L2TP/IPSec step. When I do the same thing from outside, it still shows the IKE, but that's all. When I turn on all debugging on the ASA, I also see the IKE, but that's all. It's as if the IKE step can't get back through the ASA to the client, so phase 2 never kicks off. Is that possible? I have a permit ip any any on the outbound ACL for the ASA. The default gateway on the TMG server is the ASA, so it should not be a routing issue.
Do it with the primary IP on both Firewalls,....then troubleshoot it from there.  There is no need to try to use an IP that "isn't used for anything else".  It is more important to use a primary IP that is the first in the binding.   I'm not saying that this by itself with fix the problem, but you need a more straightforward environment to troubleshoot from,...the last thing you want to do is create variables that can contribute to or aggravate the problem.
Program_PoserAuthor Commented:
I opened a case with Cisco TAC, but to no avail. We tried a couple things, but they say the code looks good. I'm trying Microsoft now.
Program_PoserAuthor Commented:
Turns out to be a known issue with L2TP over IPSec behind a NAT firewall. Using SSTP instead with no problems.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Program_PoserAuthor Commented:
Answered my own question by contacting Microsoft Support.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.