authentication on forefront tmg through Cisco ASA 5510

    Question

  • I have a Cisco ASA 5510 between my Forefront TMG server (Windows Server 2008 R2) and the Internet. Users on my internal network can connect to the Internet as well as receive mail without difficulty. In addition, Outlook Web Access from the Internet goes through my ASA to my Forefront server and on to my internal Exchange server just fine.

    I have decided to set up a VPN using L2TP/IPsec and the built-in Windows 7 VPN client. This works fine if the ASA 5510 is removed from the network (and the external NIC on the Forefront TMG server points to my external IP from my ISP and my ISP gateway). If the ASA is placed into the loop, the VPN fails to connect. I can connect to the ASA with the Microsoft Windows 7 VPN client but cannot authenticate.

    I also have the Cisco VPN client. It can connect to the ASA but not the internal network.

    Configuration: Internet...........Cisco ASA (outside interface ISP assigned IP, inside interface 192.168.1.1)...........Forefront TMG (external nic: 192.168.1.1, inside nic default IP gateway of LAN).

    What type of access rule do I need to create to allow the ASA to communicate with the Forefront TMG server?

    Thank you very much for your assistance in advance. I very much appreciate it!

    Sunday, March 04, 2012 2:54 AM

Answers

  • Turns out the ASA also by default checks L2TP/IPsec on all incoming requests on the external interface. By disabling this and forwarding the ports above and making the registry change, it is now working.

    Thanks to all for your help!

    • Marked as answer by Big Moose Monday, March 05, 2012 11:41 PM
    Monday, March 05, 2012 11:41 PM
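The accepted answer combines three fixes: the ASA's L2TP/IPsec handling on the outside interface, the UDP/500 and UDP/4500 forwards to the TMG external NIC, and the KB 926179 registry change on the Windows 7 client. The following is an added example (not code from the thread or from Microsoft) that checks the client-side half of that list, the registry value and the services the L2TP/IPsec path depends on, so a defender can confirm the client state before touching the firewall again. It assumes PowerShell 2.0 or later on the client; the key, value and service names are the standard Windows ones, and the meaning of the DWORD values follows KB 926179.

```powershell
# Added example: client-side pre-flight for L2TP/IPsec through NAT (NAT-T).
# Run on the Windows VPN client. Read-only: it reports, it changes nothing.
function Test-L2tpNatTPrerequisites {
    $result = @{}

    # 1. KB 926179 value. If the value is absent Windows behaves as 0,
    #    i.e. an IPsec server behind a NAT device is not accepted.
    $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
    $valName = 'AssumeUDPEncapsulationContextOnSendRule'
    $item = Get-ItemProperty -Path $keyPath -Name $valName -ErrorAction SilentlyContinue
    if ($null -ne $item) { $value = [int]$item.$valName } else { $value = 0 }
    $result['NatTValue'] = $value
    $result['NatTMeaning'] = switch ($value) {
        0 { 'Default: server behind NAT is rejected' }
        1 { 'Server behind NAT is accepted' }
        2 { 'Server and client behind NAT are accepted' }
        default { "Unexpected value $value" }
    }

    # 2. Services the IKE / L2TP path needs: IPsec policy agent, IKE and
    #    AuthIP keying, and the remote access connection manager.
    $allRunning = $true
    foreach ($svc in 'PolicyAgent', 'IKEEXT', 'RasMan') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($s) { $status = $s.Status } else { $status = 'NotFound' }
        $result["Service_$svc"] = $status
        if ($status -ne 'Running') { $allRunning = $false }
    }

    # 3. Summary: NAT-T value set for the NAT layout and all services up.
    #    The registry change only takes effect after a reboot, so a freshly
    #    set value with a long uptime is still a "not ready" hint.
    $result['Ready'] = ($value -ge 1) -and $allRunning
    $result['UptimeHours'] = [int](((Get-Date) -
        (Get-WmiObject Win32_OperatingSystem).ConvertToDateTime(
            (Get-WmiObject Win32_OperatingSystem).LastBootUpTime)).TotalHours)
    return $result
}

Test-L2tpNatTPrerequisites | Format-Table -AutoSize
```

With the ASA in front of TMG both the VPN server and typically the client sit behind NAT, so a value of 2 is the one KB 926179 describes for that layout; a 0 here explains an authentication failure before any firewall rule is examined.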

All replies

  • Hi,

    Does the Cisco ASA allow NAT-T?
    Does the client have the following registry key set?
    http://support.microsoft.com/kb/926179/en-us


    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de

    • Proposed as answer by Mr XMVP Sunday, March 04, 2012 4:22 PM
    • Unproposed as answer by Big Moose Monday, March 05, 2012 1:11 AM
    Sunday, March 04, 2012 11:14 AM
  • The Cisco ASA does allow NAT-T. The Windows 7 client PC did have the registry key set per the support article but still will not connect. The ASA is forwarding UDP/500 and UDP/4500 requests to the external NIC of the Forefront TMG server.
    Monday, March 05, 2012 1:13 AM