Solved

NAT to L2TP VPN Server behind a Cisco ASA

Posted on 2012-04-02
Last Modified: 2012-04-24
Hello,

I am configuring my network as follows:

Internet
|
Cisco ASA 5510
|
DMZ / Perimeter Network
|
Microsoft TMG 2010
|
LAN

I have configured L2TP VPN on the TMG server and it is working beautifully if I plug into the DMZ and connect. I want to be able to connect from outside the ASA, so I entered the following on the ASA (v8.4):
object network TMGGateway
 host 172.16.254.149
 nat (inside,outside) static 173.x.x.249
!
access-list outbound extended permit ip any any
access-list inbound extended permit udp any object TMGGateway eq 500
access-list inbound extended permit udp any object TMGGateway eq 5500
access-list inbound extended permit udp any object TMGGateway eq 1701
access-list inbound extended permit esp any object TMGGateway
!
access-group inbound in interface outside
access-group outbound in interface inside


The 172.16.254.149 address is a secondary IP on the TMG server, not being used for anything else. Likewise the 173.x.x.249 IP is not being used for anything else. The ASA and the TMG are both performing NAT.

I try to connect from outside to 173.x.x.249 with no success. Watching the log on the TMG server shows IKE traffic but nothing being dropped. In desperation, I even tried this on the ASA:
access-list inbound extended permit ip any object TMGGateway


Still no luck. I must be missing something. Please help!
Question by:Program_Poser
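
Added example (not part of the original post, and not Cisco or Microsoft tooling): a small Python check of the inbound ACL posted above against the flows L2TP/IPsec uses when the server sits behind NAT (UDP 500 for IKE, UDP 4500 for IPsec NAT-T, UDP 1701 for L2TP, and ESP). The function name `audit_acl` and the sample text are assumptions constructed from the posted lines; only numeric `eq` ports are handled.

```python
import re

# Inbound flows an L2TP/IPsec server behind NAT needs (IKE, NAT-T, L2TP, ESP).
REQUIRED = {("udp", 500): "IKE", ("udp", 4500): "IPsec NAT-T",
            ("udp", 1701): "L2TP", ("esp", None): "ESP"}

# Constructed sample: the inbound ACL lines as posted in the question.
SAMPLE_ACL = """\
access-list inbound extended permit udp any object TMGGateway eq 500
access-list inbound extended permit udp any object TMGGateway eq 5500
access-list inbound extended permit udp any object TMGGateway eq 1701
access-list inbound extended permit esp any object TMGGateway
"""

# Matches "permit <proto> any object <name> [eq <numeric port>]" entries only;
# entries using named ports (e.g. "eq isakmp") are skipped by this sketch.
ACE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+(\S+)\s+any\s+"
                 r"object\s+(\S+)(?:\s+eq\s+(\d+))?\s*$")

def audit_acl(config, acl="inbound", target="TMGGateway"):
    """Return (missing, unexpected): required flows not permitted to
    `target`, and permitted entries that are not in the required set."""
    permitted = set()
    for line in config.splitlines():
        m = ACE.match(line.strip())
        if not m or m.group(1) != acl or m.group(3) != target:
            continue
        port = m.group(4)
        permitted.add((m.group(2).lower(), int(port) if port else None))

    def covered(flow):
        # An exact match, a protocol-wide permit, or "permit ip" covers a flow.
        return (flow in permitted or (flow[0], None) in permitted
                or ("ip", None) in permitted)

    missing = sorted(name for flow, name in REQUIRED.items() if not covered(flow))
    unexpected = sorted(f"{p}/{'any' if n is None else n}"
                        for p, n in permitted if (p, n) not in REQUIRED)
    return missing, unexpected

if __name__ == "__main__":
    missing, unexpected = audit_acl(SAMPLE_ACL)
    print("missing:", missing)
    print("unexpected:", unexpected)
```

With the broader `permit ip any object TMGGateway` entry added, nothing is reported missing, and the broad rule itself is listed as unexpected.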
5 Comments
 
LVL 5

Author Comment

by:Program_Poser
ID: 37796770
Some further info: I watched the TMG logs while connecting from the DMZ, and it shows the IKE negotiation, then the L2TP/IPSec step. When I do the same thing from outside, it still shows the IKE, but that's all. When I turn on all debugging on the ASA, I also see the IKE, but that's all. It's as if the IKE step can't get back through the ASA to the client, so phase 2 never kicks off. Is that possible? I have a permit ip any any on the outbound ACL for the ASA. The default gateway on the TMG server is the ASA, so it should not be a routing issue.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 37800944
Do it with the primary IP on both firewalls, then troubleshoot it from there. There is no need to try to use an IP that "isn't used for anything else". It is more important to use a primary IP that is the first in the binding. I'm not saying that this by itself will fix the problem, but you need a more straightforward environment to troubleshoot from. The last thing you want to do is create variables that can contribute to or aggravate the problem.
0
 
LVL 5

Author Comment

by:Program_Poser
ID: 37861402
I opened a case with Cisco TAC, but to no avail. We tried a couple things, but they say the code looks good. I'm trying Microsoft now.
0
 
LVL 5

Accepted Solution

by:
Program_Poser earned 0 total points
ID: 37868423
Turns out to be a known issue with L2TP over IPSec behind a NAT firewall. Using SSTP instead with no problems.
0
 
LVL 5

Author Closing Comment

by:Program_Poser
ID: 37885358
Answered my own question by contacting Microsoft Support.
0
