Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

L2TP VPN pass through behind cisco Firewall and Router


last couple of days we have been facing an issue for a remote branch where one client PC (windows XP service pack-2) needs to connect to a remote VPN server. The communication is L2TP/IPSEC. The client succesfully connect to the remote VPN server and achieve an IP address. But the failure occurs when client is connected to one remote local server on port 443. Then their is an error message shows "The server digital certificate key is not available. Contact your network administrator ". The  network is build on the client side like this:

Windows client -> ASA firewall -> Cisco router - Internet - remote network unknown

On ASA firewall ACL allow list- udp/isakmp, esp, udp/1701, udp/4500

                    No NAT is  configured on the Firewall

On Cisco router -  1) ACL allow list - esp , ip

                           2) NAT ip nat inside source static udp 4500 interface FastEthernet0/0 4500

                                      ip nat inside source static udp 500 interface FastEthernet0/0 500

                                      ip nat inside source static esp interface FastEthernet0/0

                                      ip nat inside source static udp 1701 interface FastEthernet0/0 1701

What we have got from the client side a netstat report from the client for two scenarios. One is behind cisco router+firewall and second is behind a linux router. When the client is behind the linux router it works perfectly.We have tried from the Microsoft article to change registry value 2  when both client and server behind NAT devices ( ). But it didn't worked out. Because I think the server isn't behind a NAT device.

I have attached netstat report. I wouldn't mind to send the packet capture report too. But I would prefer to send via email.

I would appreciate for any further assist.