March 4, 2012, 2:54
I have a Cisco ASA 5510 between my Forefront TMG server (Windows Server 2008 R2) and the Internet. Users on my internal network can connect to the Internet as well as receive mail without difficulty. In addition, Outlook Web Access from the Internet goes through my ASA to my Forefront server and on to my internal Exchange server just fine.
I have decided to set up a VPN using L2TP/IPsec and the built-in Windows 7 VPN client. This works fine if the ASA 5510 is removed from the network (and the external NIC on the Forefront TMG server points to my external IP from my ISP and my ISP gateway). If the ASA is placed into the loop, the VPN fails to connect. I can connect to the ASA with the Microsoft Windows 7 VPN client but cannot authenticate.
I also have the Cisco VPN client. It can connect to the ASA but not the internal network.
Configuration: Internet ... Cisco ASA (outside interface: ISP-assigned IP; inside interface: 192.168.1.1) ... Forefront TMG (external NIC: 192.168.1.1; inside NIC: default gateway of the LAN).
What type of access rule do I need to create to allow the ASA to communicate with the Forefront TMG server?
Thank you very much for your assistance in advance. I very much appreciate it!
March 4, 2012, 11:14
Does the Cisco ASA allow NAT-T?
Does the client have the following registry key set?
regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de
March 5, 2012, 1:13
The Cisco ASA does allow NAT-T. The Windows 7 client PC did have the registry key set per the support article but still will not connect. The ASA is forwarding requests on udp/500 and udp/4500 to the external NIC of the Forefront TMG server.
March 5, 2012, 23:41
It turns out the ASA also by default checks L2TP/IPsec on all incoming requests on the external interface. By disabling this, forwarding the ports above and making the registry change, it is now working.
Thanks to all for your help!
- Marked as answer by Big Moose, March 5, 2012, 23:41
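The ASA-side configuration that the accepted answer describes, written out as an added example (not the poster's own config). It assumes ASA 8.2 syntax (pre-8.3 NAT), a hypothetical outside address 203.0.113.10, and a TMG external NIC of 192.168.1.2 (the post lists 192.168.1.1 for both the ASA inside interface and the TMG external NIC, which cannot both hold on one subnet, so a distinct address is assumed here). It also reads "the ASA checks L2TP/IPsec on the external interface" as ISAKMP being enabled on outside: with IKE terminated on the ASA itself, UDP/500 and UDP/4500 sent to the outside address are consumed by the ASA and never reach a static PAT to an inside host.

```cisco
! Added example, not the thread's configuration. ASA 8.2 syntax.
! Assumed addresses: outside 203.0.113.10 (hypothetical),
! ASA inside 192.168.1.1, TMG external NIC 192.168.1.2 (hypothetical).

! 1. Stop the ASA from terminating IKE on its own outside interface.
!    While this is enabled, to-the-box UDP/500 and UDP/4500 are handled
!    by the ASA before any static PAT is consulted. Side effect: the ASA
!    no longer accepts the Cisco VPN client on this interface.
no crypto isakmp enable outside

! 2. Static PAT: IKE (UDP/500) and NAT-T (UDP/4500) arriving on the
!    outside address go to the TMG external NIC. NAT-T is what makes
!    this work at all: the Windows client detects the NAT and moves the
!    ESP traffic into UDP/4500, so no ESP passthrough is needed.
static (inside,outside) udp interface isakmp 192.168.1.2 isakmp netmask 255.255.255.255
static (inside,outside) udp interface 4500 192.168.1.2 4500 netmask 255.255.255.255

! 3. Permit the two ports in the outside ACL. On 8.2 the ACL matches the
!    translated (outside) address, not the TMG's real address.
access-list outside_in extended permit udp any host 203.0.113.10 eq isakmp
access-list outside_in extended permit udp any host 203.0.113.10 eq 4500
access-group outside_in in interface outside

! Equivalent on 8.3 and later (object NAT; one object per port because
! a network object carries a single nat statement; the ACL then matches
! the real address 192.168.1.2):
! object network tmg-ike
!  host 192.168.1.2
!  nat (inside,outside) static interface service udp isakmp isakmp
! object network tmg-natt
!  host 192.168.1.2
!  nat (inside,outside) static interface service udp 4500 4500
! On 8.4+ the IKE listener is disabled with: no crypto ikev1 enable outside
```

Two checks after applying this: `show xlate` should list both UDP translations, and `capture cap interface outside match udp any host 203.0.113.10 eq 4500` should show the client switching to UDP/4500 after the first IKE exchanges; if it stays on UDP/500 only, NAT-T was not negotiated. The client-side registry change the thread refers to without naming it is AssumeUDPEncapsulationContextOnSendRule under HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent, set to 2 (server and client may both be behind NAT), which is required because the VPN server's address is being translated by the ASA.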