How to configure an IKEv2 VPN behind a Cisco ASA 5505

Tags: cisco-asa, vpn, windows-server-2012-r2

I'm sure everyone is aware that Mac has released an update to OSX and iOS that removes support for PPTP VPNs. Because they are simple and almost entirely plug & play, most of our customers have PPTP VPNs set up. But with this latest update, we need to find another solution.

Both Windows and Mac clients support IKEv2, it's already configured on our Windows server, and no 3rd party VPN client is required on either OS. This solution would be completely transparent to all Windows end users, requiring us to only reconfigure Mac clients. All we need to do is set up the firewall for it.

We host the current PPTP VPN on a Windows 2012r2 server. The server is behind a CISCO ASA 5505 running ASA 8.4(7). Based on what I've researched, I need to create Access Rules and NAT Rules to forward ports 500 and 4500. I've also read that I either need to create a 1:1 static NAT for ESP or that some versions of IOS (and I presume ASA) support "IPsec NAT Transparency", which encapsulates ESP in an IP packet over port 4500 (similar to the GRE passthrough for PPTP). Unfortunately, all of the documentation regarding this feature is missing from Cisco's website and redirects to a generic "End Of Life" landing page.

I've configured Access Rules to forward UDP ports 500 and 4500. When I create NAT rules for these ports, I get the error message (from ASDM):

 [ERROR] nat (inside,Outside-Comcast) static interface service udp 500 500
     NAT unable to reserve ports.

I don't know why this is failing. I assume there is a conflict on the ASA, perhaps from a Cisco VPN configuration installed on the ASA by default.

I also do not know how to enable IPsec NAT Transparency or even if this version of ASA supports it.

Cisco Adaptive Security Appliance Software Version 8.4(7)
Device Manager Version 7.3(3)

I realize that the NAT error message is very specific to my configuration, and I can share the current running config if necessary, but I'm hoping someone might know off the top of their head "oh yeah, XYZ is on by default and you have to turn it off first".

Any advice on the IPsec NAT would be most helpful. If there is documentation that tells me if this version of ASA supports it or if there's another, newer feature we can enable that does the same thing.

Best Answer

You need to allow IPSEC passthrough on the firewall. If you have an available public IP address, do a 1:1 NAT from the public IP address to the private IP address of the VPN server. All you have to do at that point is add an ACE that allows the ports to connect to the VPN server.

A discussion about this can be found on Cisco support's site. https://supportforums.cisco.com/discussion/10160506/ipsec-passthrough-asa5505
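The following is an added configuration example, not taken from the answer or from the linked thread, showing what the 1:1 NAT plus ACE approach looks like in ASA 8.3+ object NAT syntax. It reuses the interface names that appear in the question (`inside` and `Outside-Comcast`); the RRAS server address `192.168.1.10`, the spare public address `203.0.113.10`, the ACL name `outside_access_in` and the client address used in the verification commands are assumptions chosen for illustration.

```cisco
! --- Added example (assumed addresses; adjust to your network) ---

! Object for the Windows 2012 R2 RRAS / IKEv2 server on the inside
object network VPN-SERVER
 host 192.168.1.10
 ! 1:1 static NAT to a dedicated public IP. Because no port translation
 ! is involved, ESP (IP protocol 50, no ports) is translated cleanly as
 ! well, and this avoids the "NAT unable to reserve ports" conflict that
 ! static PAT on the outside interface address can produce when those
 ! ports are already in use on that interface.
 nat (inside,Outside-Comcast) static 203.0.113.10

! Inbound access rule: only what IKEv2/IPsec needs, nothing broader.
! isakmp = UDP/500 (IKE), UDP/4500 = NAT-T (IKE + UDP-encapsulated ESP),
! ESP for clients that are not behind NAT and negotiate plain ESP.
access-list outside_access_in extended permit udp any object VPN-SERVER eq isakmp
access-list outside_access_in extended permit udp any object VPN-SERVER eq 4500
access-list outside_access_in extended permit esp any object VPN-SERVER
access-group outside_access_in in interface Outside-Comcast

! --- Verification (run from the ASA CLI) ---

! Confirm the translation exists and is the one you expect
show nat detail
show xlate

! Simulate an inbound IKE packet and an inbound ESP packet from an
! assumed client address 198.51.100.5; both should end with "Action: allow".
packet-tracer input Outside-Comcast udp 198.51.100.5 500 203.0.113.10 500
packet-tracer input Outside-Comcast udp 198.51.100.5 4500 203.0.113.10 4500
packet-tracer input Outside-Comcast rawip 198.51.100.5 50 203.0.113.10

! If you must fall back to static PAT on the interface address (no spare
! public IP), first check whether the ASA itself is already listening for
! IKE on that interface, which is the usual reason port 500/4500 cannot be
! reserved:
show running-config crypto ikev1
show running-config crypto ikev2
```

NAT-T (the "NAT transparency" the question refers to) is negotiated between the Windows client and the RRAS server, not enabled on the ASA for passthrough traffic; the firewall's job is simply to translate and permit UDP/500, UDP/4500 and ESP to the server. Keeping the ACL scoped to those three entries, rather than a blanket permit to the server, limits the exposure of the Windows host to exactly the services the VPN requires.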