Question: VPN - Nat Traversal

  • Monday, 7 May 2012 21:42

    Hi,

    Our 3G service provider is now having to use IP addresses beginning with 10.x.x.x, NATed to addresses in 41.x.x.x, as they are running out of IP addresses. Unfortunately, in order for clients assigned to the 10.x.x.x range to VPN in to an organisation, the VPN gateway/firewall must support NAT-Traversal.

    We are using TMG as our VPN gateway. It is in edge firewall mode with no other devices between it and the clients. It also uses PPTP as its encryption protocol. It seems it does not support NAT-Traversal, as clients with 10.x.x.x addresses on 3G cannot access VPN services, whereas 3G clients with 41.x.x.x addresses can.

    How can I configure NAT-Traversal in TMG?

    Tks,

    Guy

All replies

  • Tuesday, 8 May 2012 04:59

    Hi,

    You must allow NAT-T through TMG / the front firewall:

    http://technet.microsoft.com/en-us/library/bb794765.aspx
    UDP port 500 (IKE)
    UDP port 4500 (NAT-T)
    IP protocol 50 (ESP)

    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de

  • Tuesday, 8 May 2012 07:26

    Thanks for the feedback Marc.

    May I ask you some more specific questions?

    The rule that I need to create: is it a normal access rule or a server publishing rule?
    If it is a server publishing rule, I need to specify the IP address of my TMG server. Should that be the internal address or the public address it uses?
    What direction should each of the ports and protocols that you mentioned be set to (send/receive etc.)?
    Do I need any other rules (e.g. an outbound rule for NAT-T) or is this one rule sufficient?

    My manager seems to think that configuration needs to take place on the client side as well. I certainly hope not. Your thoughts on that would be appreciated.

    Once again, appreciate greatly your help.

    Guy

  • Tuesday, 8 May 2012 07:38

    Hi,

    It is a normal access rule to allow NAT-T.
    You don't need an outbound access rule for NAT-T when the TMG Server is your VPN endpoint. VPN clients connect directly to the TMG Server.


    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de

  • Tuesday, 8 May 2012 19:51

    Hi,

    I have created an access rule with TMG-created protocols:
    - IKE Server (UDP 500)
    - NAT-T Server (UDP 4500)
    - PPTP Server (TCP 1720)
    Created an ESP protocol = IP 50 and added it to the rule as well.
    Set the source to VPN Clients and Quarantined VPN Clients, and tried the External network as well. Added the VPN Access AD group as qualified users. Placed this rule above the current VPN inbound rule and then restarted the server.

    No success.

    I then modified VPN network rule. Added External network as a source network. Changed network relationship to NAT.

    Still no success. Is there anything else I can try?

    Thanks.

  • Wednesday, 9 May 2012 08:25
    Moderator

    Hi,

    Thank you for the post.

    You don't need to change the network relationship to NAT. And do you receive any error message in the live logging?

    Regards,


    Nick Gu - MSFT

  • Wednesday, 9 May 2012 09:53

    Hi,

    The VPN clients who are issued 10.x.x.x addresses by the data provider don't even show up in the live logs.
    Very strong consensus that this is a NAT-Traversal issue.
    I just don't know how to get TMG to support NAT-T as a VPN gateway.

    Guy

  • Monday, 14 May 2012 02:28
    Moderator

    Hi,

    Thank you for the update.

    "I just don't know how to get TMG to support NAT-T as a VPN gateway." - For PPTP VPN, NAT traversal requires a PPTP editor in the NAT device between the client and server. PPTP does not provide special functionality for NAT traversal and depends on the intelligence in the NAT devices between the client and server to handle this properly. Please also check whether there is a third-party router in front of the TMG server; here is a case: http://blogs.technet.com/b/isablog/archive/2009/01/07/a-pptp-client-might-fail-to-connect-to-a-vpn-server-on-the-internet-through-an-isa-server-2006.aspx.

    Regards,


    Nick Gu - MSFT

  • Monday, 14 May 2012 09:13

    Hi,

    The only third-party router in front of TMG is our ISP's Cisco router.

    In your opinion, do you think implementing SSTP on TMG would resolve this issue?

  • Wednesday, 23 May 2012 03:25
    Moderator

    Hi,

    Thank you for the update.

    SSTP-based VPN clients and VPN servers can be located behind a NAT-enabled router. You can configure the NAT router to redirect port 443 (HTTPS) to the VPN server.

    Regards,


    Nick Gu - MSFT
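    The moderator's PPTP explanation and the SSTP suggestion above come down to which inbound flows each VPN type needs and which of them survive a plain NAT. The following Python checker is an added example, not code from the thread or from TMG; it applies that reasoning to a rule set like the one built in this thread. The rule-set contents, the `nat_alg` flag and the VPN type names are constructed for illustration.

```python
# Added checker, not from the thread or from TMG: models the inbound flows each
# Microsoft VPN type needs and which of them a plain NAT can carry, then applies that
# to a TMG-style rule set like the thread's. Rule contents and `nat_alg` are constructed.

# Port-less IP protocols a plain NAT cannot map: GRE (PPTP data) and ESP (IPsec).
PORTLESS = {("ip", 47): "GRE", ("ip", 50): "ESP"}


def required_flows(vpn_type, client_behind_nat):
    """Inbound flows the VPN server must accept, as (proto, port-or-ipproto) pairs."""
    if vpn_type == "pptp":          # TCP 1723 control channel plus a GRE tunnel
        return {("tcp", 1723), ("ip", 47)}
    if vpn_type == "l2tp_ipsec":    # IKE; behind NAT, NAT-T wraps ESP in UDP 4500
        if client_behind_nat:
            return {("udp", 500), ("udp", 4500)}
        return {("udp", 500), ("ip", 50)}
    if vpn_type == "sstp":          # plain HTTPS, NAT-friendly by design
        return {("tcp", 443)}
    raise ValueError(f"unknown VPN type: {vpn_type}")


def diagnose(vpn_type, allowed, client_behind_nat, nat_alg=False):
    """Return a list of problems; empty means the rule set should carry the VPN.

    allowed: set of (proto, number) pairs permitted inbound to the VPN server.
    nat_alg: whether the client's NAT rewrites GRE for PPTP (the "PPTP editor").
    """
    problems = []
    for flow in sorted(required_flows(vpn_type, client_behind_nat)):
        if flow not in allowed:
            problems.append(f"firewall does not allow {flow[0]} {flow[1]}")
        elif client_behind_nat and flow in PORTLESS and not nat_alg:
            problems.append(f"{PORTLESS[flow]} (IP protocol {flow[1]}) has no ports; "
                            "a NAT without an ALG cannot map it back to the client")
    return problems


# Constructed rule set resembling the thread's: TMG's PPTP VPN rule (TCP 1723 + GRE)
# plus the added IKE, NAT-T and ESP protocols; no TCP 443 yet.
THREAD_RULES = {("tcp", 1723), ("ip", 47), ("udp", 500), ("udp", 4500), ("ip", 50)}

if __name__ == "__main__":
    for client_nat in (False, True):
        print(f"PPTP, client behind NAT={client_nat}:",
              diagnose("pptp", THREAD_RULES, client_nat) or "OK")
    print("SSTP, client behind NAT:", diagnose("sstp", THREAD_RULES, True) or "OK")
    print("SSTP with TCP 443 allowed:",
          diagnose("sstp", THREAD_RULES | {("tcp", 443)}, True) or "OK")
```

    Run as-is it shows why adding IKE/NAT-T/ESP protocols does nothing for PPTP clients behind a NAT (GRE is the blocker), while an SSTP listener on TCP 443 passes the same NAT without any ALG.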