Authentication on Forefront TMG through Cisco ASA 5510


  • I have a Cisco ASA 5510 between my Forefront TMG server (Windows Server 2008 R2) and the Internet. Users on my internal network can connect to the Internet as well as receive mail without difficulty. In addition, Outlook Web Access from the Internet goes through my ASA to my Forefront server and on to my internal Exchange server just fine.

    I have decided to set up a VPN using L2TP/IPsec and the built-in Windows 7 VPN client. This works fine if the ASA 5510 is removed from the network (and the external NIC on the Forefront TMG server points to my external IP from my ISP and my ISP gateway). If the ASA is placed into the loop, the VPN fails to connect. I can connect to the ASA with the Microsoft Windows 7 VPN client but cannot authenticate.

    I also have the Cisco VPN client. It can connect to the ASA but not the internal network.

    Configuration: Internet ... Cisco ASA (outside interface: ISP-assigned IP; inside interface: TMG external NIC: ; TMG inside NIC: default IP gateway of the LAN).

    What type of access rule do I need to create to allow the ASA to communicate with the Forefront TMG server?

    Thank you very much for your assistance in advance. I very much appreciate it!

    March 4, 2012 2:54 AM


  • Turns out the ASA also, by default, checks L2TP/IPsec on all incoming requests on the external interface. By disabling this, forwarding the ports above and making the registry change, it is now working.

    Thanks to all for your help!

    • Marked as answer by Big Moose, March 5, 2012 11:41 PM
    March 5, 2012 11:41 PM
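The accepted answer does not show the ASA side of the fix, so the following is an added example (not from the thread or from either poster) of what "disabling this" and "forwarding the ports" typically look like on an ASA running 8.4-era software. It assumes the ASA's own IKE listener on the outside interface was what swallowed the client's UDP 500/4500 packets, that the TMG external NIC is at the placeholder address 192.0.2.10, and that the interfaces are named `inside` and `outside`. The "registry change" the answer mentions is assumed to be the Windows NAT-T setting (`AssumeUDPEncapsulationContextOnSendRule` under `HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent`) that L2TP/IPsec servers behind a NAT device need; the thread itself does not name it.

```cisco
! Added example, not from the original thread. ASA 8.3+ object-NAT syntax;
! 192.0.2.10 (TMG external NIC) and interface names are placeholders.

! 1. Stop the ASA terminating IKE on its outside interface itself, so that
!    UDP 500/4500 from VPN clients are forwarded to the TMG instead of being
!    answered by the ASA. Only do this if the ASA is not also your VPN headend.
!    (On 8.2/8.3 the equivalent command is "no crypto isakmp enable outside".)
no crypto ikev1 enable outside

! 2. Static PAT of the L2TP/IPsec control ports from the outside interface
!    address to the TMG external NIC. Plain ESP (IP protocol 50) cannot be
!    port-forwarded through a PAT address; clients behind NAT use NAT-T, which
!    carries ESP inside UDP 4500, so only UDP 500 and 4500 are needed here.
!    UDP 1701 (L2TP) travels inside the IPsec tunnel and is never seen in the
!    clear by the ASA, so it does not need a rule.
object network TMG-L2TP-ISAKMP
 host 192.0.2.10
 nat (inside,outside) static interface service udp isakmp isakmp
object network TMG-L2TP-NATT
 host 192.0.2.10
 nat (inside,outside) static interface service udp 4500 4500

! 3. Access rule on the outside interface. From 8.3 on, ACLs match the real
!    (untranslated) address, hence 192.0.2.10 rather than the outside IP.
!    If an ACL is already bound inbound on "outside" (e.g. for OWA on TCP 443),
!    add these lines to that ACL instead of creating a second one, because
!    "access-group" replaces the existing binding.
access-list OUTSIDE_IN extended permit udp any host 192.0.2.10 eq isakmp
access-list OUTSIDE_IN extended permit udp any host 192.0.2.10 eq 4500
access-group OUTSIDE_IN in interface outside
```

After applying this, `show nat` and `show access-list OUTSIDE_IN` should show hit counts climbing on the UDP 500 and 4500 entries while a client connects; if the counters stay at zero, the ASA is still answering IKE itself (check `show run crypto`) and the TMG never sees the request, which matches the symptom in the question of reaching the ASA but never authenticating.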
