Go Premium for a chance to win a PS4. Enter to Win


NAT to L2TP VPN Server behind a Cisco ASA

Posted on 2012-04-02
Medium Priority
Last Modified: 2012-04-24

I am configuring my network as follows:

Cisco ASA 5510
DMZ / Perimeter Network
Microsoft TMG 2010

I have configured L2TP VPN on the TMG server and it is working beautifully if I plug into the DMZ and connect. I want to be able to connect from outside the ASA, so I entered the following on the ASA (v8.4):
object network TMGGateway
 nat (inside,outside) static 173.x.x.249
access-list outbound extended permit ip any any
access-list inbound extended permit udp any object TMGGateway eq 500
access-list inbound extended permit udp any object TMGGateway eq 5500
access-list inbound extended permit udp any object TMGGateway eq 1701
access-list inbound extended permit esp any object TMGGateway
access-group inbound in interface outside
access-group outbound in interface inside

Open in new window

The address is a secondary IP on the TMG server, not being used for anything else. Likewise the 173.x.x.249 IP is not being used for anything else. The ASA and the TMG are both performing NAT.

I try to connect from outside to 173.x.x.249 with no success. Watching the log on the TMG server shows IKE traffic but nothing being dropped. In desperation, I even tried this on the ASA:
access-list inbound extended permit ip any object TMGGateway

Open in new window

Still no luck. I must be missing something. Please help!
Question by:Program_Poser
  • 4

Author Comment

ID: 37796770
Some further info: I watched the TMG logs while connecting from the DMZ, and it shows the IKE negotioation, then the L2TP/IPSec step. When I do the same thing from outside, it still shows the IKE, but that's all. When I turn on all debugging on the ASA, I also see the IKE, but that's all. It's as if the IKE step can't get back through the ASA to the client, so phase 2 never kicks off. Is that possible? I have a permit ip any any on the outbound ACL for the ASA. The default gateway on the TMG server is the ASA, so it should not be a routing issue.
LVL 29

Expert Comment

ID: 37800944
Do it with the primary IP on both Firewalls,....then troubleshoot it from there.  There is no need to try to use an IP that "isn't used for anything else".  It is more important to use a primary IP that is the first in the binding.   I'm not saying that this by itself with fix the problem, but you need a more straightforward environment to troubleshoot from,...the last thing you want to do is create variables that can contribute to or aggravate the problem.

Author Comment

ID: 37861402
I opened a case with Cisco TAC, but to no avail. We tried a couple things, but they say the code looks good. I'm trying Microsoft now.

Accepted Solution

Program_Poser earned 0 total points
ID: 37868423
Turns out to be a known issue with L2TP over IPSec behind a NAT firewall. Using SSTP instead with no problems.

Author Closing Comment

ID: 37885358
Answered my own question by contacting Microsoft Support.

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you’re involved with your company’s wide area network (WAN), you’ve probably heard about SD-WANs. They’re the “boy wonder” of networking, ostensibly allowing companies to replace expensive MPLS lines with low-cost Internet access. But, are they …
Considering cloud tradeoffs and determining the right mix for your organization.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question