https://community.cisco.com/t5/network-security/l2tp-ipsec-vpn-access-through-pix/m-p/1384105#M730608 <HTML><HEAD></HEAD><BODY><DIV class="jive-rendered-content">Hello, i make tests doing all that you said, remove the PAT configuration, asign a new IP to the NAT, but the result is the same; i atach the logs with the info tath receive from the PIX.</DIV><DIV class="jive-rendered-content"><BR /></DIV><DIV class="jive-rendered-content">Regards.<BR /></DIV></BODY></HTML> Tue, 16 Feb 2010 20:00:44 GMT pedrosuero 2010-02-16T20:00:44Z https://community.cisco.com/t5/network-security/l2tp-ipsec-vpn-access-through-pix/m-p/1384097#M730466 <P>Hello, i having problem with VPN connection from a windows PC using L2TP/IPsec, i alow all necesary protocols (GRE, ESP, PPTP, UDP-500, UDP-4500 and UDP-1701) on outside interface on PIX (version 8.0(4)), i'm perfectly connect with PPTP but when i tried with L2TP the conecction can't be established, in PIX log i can see the creating session for ports 500 and 4500, on PC have and error that the server can be reach. I'm using a ISA Server cluster for VPN Server, the configuration are like follows:</P><P></P><P>PC &lt;----&gt; PIX &lt;-----&gt; MS ISA &lt;------&gt; LAN</P><P></P><P>PC IP 10.3.0.12/28</P><P>PIX external IP 10.3.0.1/28</P><P>PIX Internal IP 172.16.0.1/28</P><P>ISA external IP 172.16.0.2/28</P><P></P><P>I'm using Static NAT for the external interface of the ISA for the VPN access with IP 10.3.0.3</P><P></P><P><SPAN class="short_text" id="result_box"><SPAN onmouseout="" onmouseover="" style="background-color: #ffffff;" title="que podria estar olvidando">What might be forgetting???</SPAN></SPAN></P><P></P><P>I will appretiated the help any one can provide me.</P> Mon, 11 Mar 2019 17:08:49 GMT https://community.cisco.com/t5/network-security/l2tp-ipsec-vpn-access-through-pix/m-p/1384097#M730466 pedrosuero 2019-03-11T17:08:49Z https://community.cisco.com/t5/network-security/l2tp-ipsec-vpn-access-through-pix/m-p/1384098#M730490 <HTML><HEAD></HEAD><BODY><P>Hi Pedro</P><P></P><P>The details given looks good.. would you have the configs handy ? Just wanted to check the CLI commands that you had used ?</P><P></P><P>Just to test, were you able to create L2TP session from inside the PIX, just to make sure the server works good ? Do you see any drops on the "show log" of PIX when you initiate L2TP from outside ? sysopt commands can be useful, but thats more for traffic initiating from inside to outside.. in your case its from internet to inside right&nbsp; ? Just curious, do you have any personal firewalls on your desktop ? You can also try opening ip any on the outside and test, just to test if the NAT and other stuff works good... are there any ACLs on the inside?</P><P></P><P>Thanks &amp; Regards</P><P>Raj</P></BODY></HTML> Fri, 12 Feb 2010 22:25:21 GMT https://community.cisco.com/t5/network-security/l2tp-ipsec-vpn-access-through-pix/m-p/1384098#M730490 sachinraja 2010-02-12T22:25:21Z https://community.cisco.com/t5/network-security/l2tp-ipsec-vpn-access-through-pix/m-p/1384099#M730508 <HTML><HEAD></HEAD><BODY><P>How about opening TCP/1723? </P></BODY></HTML> Sun, 14 Feb 2010 05:22:05 GMT https://community.cisco.com/t5/network-security/l2tp-ipsec-vpn-access-through-pix/m-p/1384099#M730508 cmcbride 2010-02-14T05:22:05Z https://community.cisco.com/t5/network-security/l2tp-ipsec-vpn-access-through-pix/m-p/1384100#M730524 <HTML><HEAD></HEAD><BODY><P>Thanks for response Raj,</P><P></P><P>I attached the config of PIX, in this config you can see that I’m use tree interfaces, one for management with security 100, one DMZ between PIX and MS ISA with security 90 and the Outside with security 0.</P><P></P><P>Answering your questions, I make tests of L2TP sessions from DMZ Sub-net (Attaching PC to this Subnet) to the MS ISA Server and works perfectly, i can't see any drop packets on PIX log when initiated L2TP session from outside, like you said the traffic are initiated from outside, but to DMZ; i turn off the Windows Firewall and the Antivirus Firewall and the result is the same, i make a test open all traffic from outside (IP, TCP, UDP, ICMP) but can connect anyway; I don't have any ACL applied to inside interface.</P><P></P><P>Sorry for my English</P><P></P><P>Regards,</P></BODY></HTML> Mon, 15 Feb 2010 21:25:44 GMT https://community.cisco.com/t5/network-security/l2tp-ipsec-vpn-access-through-pix/m-p/1384100#M730524 pedrosuero 2010-02-15T21:25:44Z https://community.cisco.com/t5/network-security/l2tp-ipsec-vpn-access-through-pix/m-p/1384101#M730547 <HTML><HEAD></HEAD><BODY><P></P><P></P><P><!--[if gte mso 10]> <style> /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin;} </style> <![endif]--></P><P><SPAN style="font-family: arial,helvetica,sans-serif;">Hello, </SPAN></P><P><SPAN style="font-family: arial,helvetica,sans-serif;"><BR /></SPAN></P><P><SPAN style="font-family: arial,helvetica,sans-serif;">thanks for reply, i already have allowed, can connect PPTP but NOT L2TP<BR /><BR />Regards.</SPAN></P></BODY></HTML> Mon, 15 Feb 2010 21:28:58 GMT https://community.cisco.com/t5/network-security/l2tp-ipsec-vpn-access-through-pix/m-p/1384101#M730547 pedrosuero 2010-02-15T21:28:58Z https://community.cisco.com/t5/network-security/l2tp-ipsec-vpn-access-through-pix/m-p/1384102#M730569 <HTML><HEAD></HEAD><BODY><P>In the outside ACL is open for pptp traffic destined to 10.3.0.3.</P><P>Shouldn't this guy be translated (currently there is no static translation for it) and someone would be reaching him with its outside ip?</P><P></P><P>I hope it helps.</P><P></P><P>PK</P></BODY></HTML> Mon, 15 Feb 2010 21:32:26 GMT https://community.cisco.com/t5/network-security/l2tp-ipsec-vpn-access-through-pix/m-p/1384102#M730569 Panos Kampanakis 2010-02-15T21:32:26Z https://community.cisco.com/t5/network-security/l2tp-ipsec-vpn-access-through-pix/m-p/1384103#M730588 <HTML><HEAD></HEAD><BODY><P>Hello, thanks for answer</P><P></P><P>The IP 10.3.0.3 is an static translation from 172.16.0.2, all traffic iniciated to 10.3.0.3 will be destinated to 172.16.0.2 that is the IP of the MS ISA Server</P><P></P><P>Regards.</P></BODY></HTML> Mon, 15 Feb 2010 23:17:52 GMT https://community.cisco.com/t5/network-security/l2tp-ipsec-vpn-access-through-pix/m-p/1384103#M730588 pedrosuero 2010-02-15T23:17:52Z https://community.cisco.com/t5/network-security/l2tp-ipsec-vpn-access-through-pix/m-p/1384104#M730599 <HTML><HEAD></HEAD><BODY><P>I would consider removing the PAT configuration for the ISA server.&nbsp; It may be conflicting with the Static NAT configuration.</P><P></P><P>global (Outside) 1 10.3.0.3 netmask 255.225.255.255</P><P></P><P>Try using a different IP number for that rather than 10.3.0.3.&nbsp; Allow the static nat to be the only thing using that IP number.</P></BODY></HTML> Mon, 15 Feb 2010 23:30:31 GMT https://community.cisco.com/t5/network-security/l2tp-ipsec-vpn-access-through-pix/m-p/1384104#M730599 cmcbride 2010-02-15T23:30:31Z https://community.cisco.com/t5/network-security/l2tp-ipsec-vpn-access-through-pix/m-p/1384105#M730608 <HTML><HEAD></HEAD><BODY><DIV class="jive-rendered-content">Hello, i make tests doing all that you said, remove the PAT configuration, asign a new IP to the NAT, but the result is the same; i atach the logs with the info tath receive from the PIX.</DIV><DIV class="jive-rendered-content"><BR /></DIV><DIV class="jive-rendered-content">Regards.<BR /></DIV></BODY></HTML> Tue, 16 Feb 2010 20:00:44 GMT https://community.cisco.com/t5/network-security/l2tp-ipsec-vpn-access-through-pix/m-p/1384105#M730608 pedrosuero 2010-02-16T20:00:44Z