Win2K3 L2TP VPN server behind Cisco PIX firewall - Help!



I am trying to set up a Windows 2003 L2TP VPN gateway behind a Cisco PIX
firewall, and can't seem to get this to work, despite weeks of trying off and
on.

First, I know what I'm trying to do is not a supported configuration per
Microsoft support article http://support.microsoft.com/kb/885348/, but I
don't think their security argument applies in my situation (or most similar
PIX configurations, for that matter). I'm using a PIX with a static
translation from a dedicated public IP address, different from the PIX's
outside IP address normally used for outbound PAT, to a private IP address on
the VPN server. So the inbound client connection mentioned in option 2 of
their perceived security risk description would be on a different NAT
translation than the outbound client connection mentioned in option 3, and the
confusion mentioned in option 4 cannot occur. Or am I missing something
here? I don't understand why Microsoft would actually disable this scenario,
since we, like many security-conscious companies, don't want to create a
separate path past our PIX firewall by dual-porting the VPN server across the
DMZ and back-end NAT-configured network. Any comments on this would be
appreciated.

So here's our configuration:
------------------------------------------------------------------
I have the PIX configured as follows:
: Note outside public IP is .146, different from .147 used for static NAT translation
ip address outside x.x.x.146 255.255.255.240
ip address inside 192.168.0.1 255.255.255.0

: Set up static translation from additional public IP to VPN server private IP
static (inside,outside) x.x.x.147 192.168.0.5 netmask 255.255.255.255 50 25

: Subset of access list applied to outside interface, allowing in L2TP
access-list outside_access_in remark permit isakmp from any to any
access-list outside_access_in permit udp any eq 500 any eq 500 log
access-list outside_access_in permit udp any eq 4500 any eq 4500 log
:access-list outside_access_in remark permit l2tp from any to any (don't need with NAT-T?)
:access-list outside_access_in permit udp any eq 1701 any eq 1701 log
access-list outside_access_in remark permit ipsec esp from any to any
access-list outside_access_in permit esp any any log
access-group outside_access_in in interface outside

: PAT related parameters; outbound clients come from 146
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

: Permit L2TP and IPSec packets
sysopt connection permit-ipsec
sysopt connection permit-l2tp
------------------------------------------------------
VPN server has 1 private IP address: 192.168.0.5
- Running Win2k3 SP1, up to date on all fixes
- I can access the RAS on this server via PPTP and L2TP from clients on the
same subnet with no trouble, so I know it is not how we've configured this
server
------------------------------------------------------
I'm currently trying to access the VPN server with a laptop running Win2K3 SP1,
but I'm having similar trouble trying to connect with a Windows XP SP2 laptop.
- When I connect the Win2K3 laptop to the NAT network as 192.168.0.10, it
  can connect to the VPN server using PPTP and L2TP with no trouble
- When I connect the laptop to the DMZ network with the public IP of
  x.x.x.158, nothing works
- On the server side, the oakley.log doesn't show anything at all when I
  attempt to connect.
- On the client side, it doesn't get past the key exchange.
- I do have the PIX configured for some IPSec site-to-site tunnels, and I'm
  wondering if this problem is related to the PIX or to the Windows client
  or server
- Per Microsoft article http://support.microsoft.com/kb/885407/, I have
  updated the registry on both the Win2K3 laptop and the Windows XP laptop
  as directed (AssumeUDPEncapsulationContextOnSendRule=2)

Does anyone know if what I'm attempting to do is simply impossible? It would
seem that the 885407 registry modification, combined with Microsoft's claimed
support for NAT-T should make what I want to do possible, but I've had little
luck getting this to work, and I'm not sure if this is a Cisco or Microsoft
problem. Anyone out there know this well enough to help me?
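A note on the access list in the post, with an added example that is not part of the original message: in PIX access-list syntax the first `eq` belongs to the source address, so `permit udp any eq 500 any eq 500` only matches ISAKMP packets that still carry source port 500. A client plugged straight into the DMZ sends from 500 (and from 4500 for NAT-T), but a client behind a home NAT/PAT box usually arrives with a rewritten source port and is silently dropped by exactly these rules. `sysopt connection permit-ipsec` does not change that, because it exempts only IPsec that terminates on the PIX itself, not traffic passing through to 192.168.0.5. The script below parses the posted `outside_access_in` rules (copied into a constructed string) alongside a constructed alternative that matches on destination port only, and reports for each flow an L2TP/IPsec client needs (UDP 500, UDP 4500 NAT-T, ESP) whether it is permitted from the well-known source port and from a translated one. The translated port 61000 and the keyword tables are assumptions for illustration; plain UDP 1701 is not required because L2TP rides inside ESP (inside UDP 4500 once NAT-T is negotiated).

```python
"""Audit a PIX-style interface ACL for the inbound flows an L2TP/IPsec
(NAT-T) server behind a static translation needs.  Added example; not from
the original post.  POSTED_ACL is a constructed copy of the posted rules,
RELAXED_ACL a constructed alternative matching on destination port only."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

POSTED_ACL = """
access-list outside_access_in remark permit isakmp from any to any
access-list outside_access_in permit udp any eq 500 any eq 500 log
access-list outside_access_in permit udp any eq 4500 any eq 4500 log
access-list outside_access_in remark permit ipsec esp from any to any
access-list outside_access_in permit esp any any log
"""

RELAXED_ACL = """
access-list outside_access_in permit udp any any eq isakmp log
access-list outside_access_in permit udp any any eq 4500 log
access-list outside_access_in permit esp any any log
"""

# Subset of the protocol/port keywords PIX accepts in place of numbers.
PROTO_ALIASES = {"50": "esp", "esp": "esp", "17": "udp", "udp": "udp",
                 "6": "tcp", "tcp": "tcp", "ip": "ip"}
PORT_NAMES = {"isakmp": 500, "l2tp": 1701}

# Client -> server flows: ISAKMP, NAT-T, and ESP for clients not behind NAT.
REQUIRED_FLOWS: Dict[str, Tuple[str, Optional[int]]] = {
    "isakmp": ("udp", 500),
    "nat-t": ("udp", 4500),
    "esp": ("esp", None),
}


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    proto: str               # "udp", "esp", "ip", ...
    src_port: Optional[int]  # None = any source port
    dst_port: Optional[int]  # None = any destination port


def _skip_addr(tok: List[str], i: int) -> int:
    """Advance past an address spec: 'any', 'host A', or 'A MASK'."""
    return i + 1 if tok[i] == "any" else i + 2


def _port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq <port>' at position i."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1].lower()
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(text: str) -> List[Rule]:
    """Parse permit/deny lines; remarks and unrelated lines are ignored."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            continue
        proto = PROTO_ALIASES.get(tok[3].lower(), tok[3].lower())
        i = _skip_addr(tok, 4)          # source address
        sport, i = _port(tok, i)        # optional source port
        i = _skip_addr(tok, i)          # destination address
        dport, i = _port(tok, i)        # optional destination port
        rules.append(Rule(tok[2], proto, sport, dport))
    return rules


def permits(rules: List[Rule], proto: str, dst_port: Optional[int],
            src_port: Optional[int]) -> bool:
    """First-match evaluation with the implicit deny at the end."""
    for r in rules:
        if r.proto not in (proto, "ip"):
            continue
        if r.src_port is not None and r.src_port != src_port:
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        return r.action == "permit"
    return False


def audit(acl_text: str, translated_src_port: int = 61000) -> Dict[str, str]:
    """Classify each required flow as 'ok', 'blocked' or 'source-port-pinned'.
    'source-port-pinned' = passes only from the well-known source port, so it
    breaks behind PAT.  translated_src_port is an assumed PAT-rewritten port."""
    rules = parse_acl(acl_text)
    report = {}
    for name, (proto, dport) in REQUIRED_FLOWS.items():
        if not permits(rules, proto, dport, dport):
            report[name] = "blocked"
        elif dport is not None and not permits(rules, proto, dport, translated_src_port):
            report[name] = "source-port-pinned"
        else:
            report[name] = "ok"
    return report


if __name__ == "__main__":
    print("posted :", audit(POSTED_ACL))
    print("relaxed:", audit(RELAXED_ACL))
```

Run against the posted rules this reports ISAKMP and NAT-T as source-port-pinned and ESP as ok; the relaxed rules come back ok across the board. That does not by itself explain the laptop on x.x.x.158 failing, since it sends from the well-known ports natively, but it is the first thing that breaks once real clients connect from behind NAT. Because the posted rules carry `log`, a matching packet also shows up in the PIX syslog, which is a quick way to confirm whether the ISAKMP packet reaches the ACL at all.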
