I am trying to set up a Windows 2003 L2TP VPN gateway behind a Cisco PIX
firewall, and can't seem to get this to work, despite weeks of trying off and
on.
First, I know what I'm trying to do is not a supported configuration per
Microsoft support article
http://support.microsoft.com/kb/885348/, but I
don't think their security argument applies in my (or most similar PIX
configurations, for that matter) situation - I'm using a PIX with a static
translation from a dedicated public IP address different than the PIX's
outside IP address normally used for outbound PAT to a private IP address on
the VPN server, so the inbound client connection mentioned in option 2 of
their perceived security risk description would be on a different NAT
translation than the outbound client connection mentioned in option 3, so the
confusion mentioned in option 4 can not occur. Or am I missing something
here? I don't understand why Microsoft would actually disable this scenario,
since we, like many security-conscious companies, don't want to create a
separate path past our PIX firewall by dual-porting the VPN server across the
DMZ and back-end NAT-configured network. Any comments on this would be
appreciated.
So here's our configuration:
------------------------------------------------------------------
I have the PIX configured as follows:
: Note outside public IP is 146, different than 147 used for static NAT
translation
ip address outside x.x.x.146 255.255.255.240
ip address inside 192.168.0.1 255.255.255.0
: Set up static translation from additional public IP to VPN server private IP
static (inside,outside) x.x.x.147 192.168.0.5 netmask 255.255.255.255 50 25
: Subset of access list applied to outside interface, allowing in L2TP
access-list outside_access_in remark permit isakmp from any to any
access-list outside_access_in permit udp any eq 500 any eq 500 log
access-list outside_access_in permit udp any eq 4500 any eq 4500 log
:access-list outside_access_in remark permit l2tp from any to any (don't
need with NAT-T?)
:access-list outside_access_in permit udp any eq 1701 any eq 1701 log
access-list outside_access_in remark permit ipsec esp from any to any
access-list outside_access_in permit esp any any log
access-group outside_access_in in interface outside
: PAT related parameters; outbound clients come from 146
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
: Permit L2TP and IPSec packets
sysopt connection permit-ipsec
sysopt connection permit-l2tp
------------------------------------------------------
VPN server has 1 private IP address: 192.168.0.5
- Running Win2k3 SP1, up to date on all fixes
- I can access the RAS on this server via PPTP and L2TP from clients on the
same subnet with no trouble, so I know it is not how we've configured this
server
------------------------------------------------------
I'm currently trying to access the VPN server with a laptop running Win2K3 SP1,
but I'm having similar trouble trying to connect with a Windows XP SP2 laptop.
- When I connect the Win2K3 laptop to the NAT-network as 192.168.0.10, it
can connect to the VPN server using PPTP and L2TP with no trouble
- When I connect the laptop to the DMZ network with the public IP of
x.x.x.158, nothing works
- On the server side, the oakley.log doesn't show anything at all when I
attempt to connect.
- On the client side, it doesn't get past the key exchange.
- I do have the PIX configured for some IPSec site-to-site tunnels, and I'm
wondering if this problem is related to the PIX or to the Windows Client
or Server
- Per Microsoft article http://support.microsoft.com/kb/885407/, I have
updated the registry on both the Win2K3 laptop and the Windows XP laptop as
directed (AssumeUDPEncapsulationContextOnSendRule=2)
Does anyone know if what I'm attempting to do is simply impossible? It would
seem that the 885407 registry modification, combined with Microsoft's claimed
support for NAT-T should make what I want to do possible, but I've had little
luck getting this to work, and I'm not sure if this is a Cisco or Microsoft
problem. Anyone out there know this well enough to help me?
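As an added illustration (not from the original post, Cisco or Microsoft), here is a small Python evaluator for the access-list entries quoted in the post. It models only the fields those entries use (protocol, source port, destination port) and checks which inbound packet types the posted rules would permit, including a NAT-T packet whose UDP source port was rewritten by another NAT on the client's path; the `:`-prefixed lines are treated as commented out, as in the post.

```python
# Added example, not from the original post: minimal matcher for the
# PIX-style ACL lines quoted above. Only protocol and ports are modelled;
# addresses are all 'any', so they are ignored here (an assumption).
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Ace:
    proto: str                  # "udp" or "esp"
    src_port: Optional[int]     # None means any source port
    dst_port: Optional[int]     # None means any destination port

def parse_ace(line: str) -> Optional[Ace]:
    """Parse 'access-list NAME permit PROTO any [eq P] any [eq P] [log]'."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "access-list" or tok[2] != "permit":
        return None             # remark lines and ':'-commented lines
    proto = tok[3]
    ports: List[Optional[int]] = []
    i = 4                       # tok[4] is the source 'any'
    for _ in range(2):          # source spec, then destination spec
        i += 1                  # step past 'any'
        if i < len(tok) and tok[i] == "eq":
            ports.append(int(tok[i + 1]))
            i += 2
        else:
            ports.append(None)
    return Ace(proto, ports[0], ports[1])

def permitted(aces: List[Ace], proto: str,
              src_port: Optional[int] = None,
              dst_port: Optional[int] = None) -> bool:
    """First-match evaluation, the way an ACL is walked top to bottom."""
    for a in aces:
        if a.proto != proto:
            continue
        if a.src_port is not None and a.src_port != src_port:
            continue
        if a.dst_port is not None and a.dst_port != dst_port:
            continue
        return True
    return False                # implicit deny at the end of the list

# Constructed copy of the ACL lines from the post (':' = commented out).
POSTED_ACL = """
access-list outside_access_in remark permit isakmp from any to any
access-list outside_access_in permit udp any eq 500 any eq 500 log
access-list outside_access_in permit udp any eq 4500 any eq 4500 log
:access-list outside_access_in permit udp any eq 1701 any eq 1701 log
access-list outside_access_in remark permit ipsec esp from any to any
access-list outside_access_in permit esp any any log
"""
ACES = [a for a in map(parse_ace, POSTED_ACL.strip().splitlines()) if a]
```

Run `permitted(ACES, "udp", 1027, 4500)` to see that a NAT-T packet whose source port was translated along the way does not match the `eq 4500 ... eq 4500` entry, while plain ESP and untranslated IKE on 500/500 do.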