Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


NAT to L2TP VPN Server behind a Cisco ASA

Posted on 2012-04-02
Medium Priority
Last Modified: 2012-04-24

I am configuring my network as follows:

Cisco ASA 5510
DMZ / Perimeter Network
Microsoft TMG 2010

I have configured L2TP VPN on the TMG server and it is working beautifully if I plug into the DMZ and connect. I want to be able to connect from outside the ASA, so I entered the following on the ASA (v8.4):
object network TMGGateway
 nat (inside,outside) static 173.x.x.249
access-list outbound extended permit ip any any
access-list inbound extended permit udp any object TMGGateway eq 500
access-list inbound extended permit udp any object TMGGateway eq 5500
access-list inbound extended permit udp any object TMGGateway eq 1701
access-list inbound extended permit esp any object TMGGateway
access-group inbound in interface outside
access-group outbound in interface inside

Open in new window

The address is a secondary IP on the TMG server, not being used for anything else. Likewise the 173.x.x.249 IP is not being used for anything else. The ASA and the TMG are both performing NAT.

I try to connect from outside to 173.x.x.249 with no success. Watching the log on the TMG server shows IKE traffic but nothing being dropped. In desperation, I even tried this on the ASA:
access-list inbound extended permit ip any object TMGGateway

Open in new window

Still no luck. I must be missing something. Please help!
Question by:Program_Poser
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4

Author Comment

ID: 37796770
Some further info: I watched the TMG logs while connecting from the DMZ, and it shows the IKE negotioation, then the L2TP/IPSec step. When I do the same thing from outside, it still shows the IKE, but that's all. When I turn on all debugging on the ASA, I also see the IKE, but that's all. It's as if the IKE step can't get back through the ASA to the client, so phase 2 never kicks off. Is that possible? I have a permit ip any any on the outbound ACL for the ASA. The default gateway on the TMG server is the ASA, so it should not be a routing issue.
LVL 29

Expert Comment

ID: 37800944
Do it with the primary IP on both Firewalls,....then troubleshoot it from there.  There is no need to try to use an IP that "isn't used for anything else".  It is more important to use a primary IP that is the first in the binding.   I'm not saying that this by itself with fix the problem, but you need a more straightforward environment to troubleshoot from,...the last thing you want to do is create variables that can contribute to or aggravate the problem.

Author Comment

ID: 37861402
I opened a case with Cisco TAC, but to no avail. We tried a couple things, but they say the code looks good. I'm trying Microsoft now.

Accepted Solution

Program_Poser earned 0 total points
ID: 37868423
Turns out to be a known issue with L2TP over IPSec behind a NAT firewall. Using SSTP instead with no problems.

Author Closing Comment

ID: 37885358
Answered my own question by contacting Microsoft Support.

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question