Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


NAT to L2TP VPN Server behind a Cisco ASA

Posted on 2012-04-02
Medium Priority
Last Modified: 2012-04-24

I am configuring my network as follows:

Cisco ASA 5510
DMZ / Perimeter Network
Microsoft TMG 2010

I have configured L2TP VPN on the TMG server and it is working beautifully if I plug into the DMZ and connect. I want to be able to connect from outside the ASA, so I entered the following on the ASA (v8.4):
object network TMGGateway
 nat (inside,outside) static 173.x.x.249
access-list outbound extended permit ip any any
access-list inbound extended permit udp any object TMGGateway eq 500
access-list inbound extended permit udp any object TMGGateway eq 5500
access-list inbound extended permit udp any object TMGGateway eq 1701
access-list inbound extended permit esp any object TMGGateway
access-group inbound in interface outside
access-group outbound in interface inside

Open in new window

The address is a secondary IP on the TMG server, not being used for anything else. Likewise the 173.x.x.249 IP is not being used for anything else. The ASA and the TMG are both performing NAT.

I try to connect from outside to 173.x.x.249 with no success. Watching the log on the TMG server shows IKE traffic but nothing being dropped. In desperation, I even tried this on the ASA:
access-list inbound extended permit ip any object TMGGateway

Open in new window

Still no luck. I must be missing something. Please help!
Question by:Program_Poser
  • 4

Author Comment

ID: 37796770
Some further info: I watched the TMG logs while connecting from the DMZ, and it shows the IKE negotioation, then the L2TP/IPSec step. When I do the same thing from outside, it still shows the IKE, but that's all. When I turn on all debugging on the ASA, I also see the IKE, but that's all. It's as if the IKE step can't get back through the ASA to the client, so phase 2 never kicks off. Is that possible? I have a permit ip any any on the outbound ACL for the ASA. The default gateway on the TMG server is the ASA, so it should not be a routing issue.
LVL 29

Expert Comment

ID: 37800944
Do it with the primary IP on both Firewalls,....then troubleshoot it from there.  There is no need to try to use an IP that "isn't used for anything else".  It is more important to use a primary IP that is the first in the binding.   I'm not saying that this by itself with fix the problem, but you need a more straightforward environment to troubleshoot from,...the last thing you want to do is create variables that can contribute to or aggravate the problem.

Author Comment

ID: 37861402
I opened a case with Cisco TAC, but to no avail. We tried a couple things, but they say the code looks good. I'm trying Microsoft now.

Accepted Solution

Program_Poser earned 0 total points
ID: 37868423
Turns out to be a known issue with L2TP over IPSec behind a NAT firewall. Using SSTP instead with no problems.

Author Closing Comment

ID: 37885358
Answered my own question by contacting Microsoft Support.

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

578 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question