
Microsoft VPN client problem on MPLS cloud


Please refer to the following text for the problem description and PPT attachments.

Host ( located at MPLS R1 wants to access Microsoft VPN (P.Q.R.S), but host is not able to access Microsoft VPN

The configuration is as follows :

We have configured tunnel from MPLS R1 and MPLS R2 the configuration is as follows :

(Location 1) On MPLS R1:

interface Tunnel201

ip address

ip access-group xyz out ( used to mark the packets from the host to any )

tunnel source serial 0 ( WAN link of router - IP address )

tunnel destination ( Destination IP address of the WAN link of router R2 - Reachable from router R1-WAN IP as source )

tunnel mode ipip


We have configured access-list xyz as follows :

10 permit ip any host

20 permit gre any host

(Location 2 )On MPLS R2 :

interface Tunnel201

ip address

ip access-group abc out

tunnel source Serial0/0/0 ( WAN link IP address : Reachable from : R1 WAN link : as source. Both WAN IPs can ping each other )

tunnel destination ( WAN Link Ip of router R1 )

tunnel mode ipip


We have configured access-list abc as :

10 permit ip host any ( used to classify all packets destined for

20 permit gre host any

On Cisco ASA Firewall (which is at location 1) :

access-list inside_access_in extended permit ip host any (Permitted all ip suite from host

access-list inside_access_in extended permit gre host any (Permitted gre protocol from host

IP address is natted to one static IP address and then forwarded to the internet router.

The packet coming from with a destination IP address of P.Q.R.S will undergo IP over IP encapsulation ( tunnel 201 on both routers )

On router R1, packets from are encapsulated in IP over IP mode, and when these packets reach R2 they are decapsulated, so the source IP of the packets is still ( destination IP can be any on the internet ). Exactly the opposite takes place when packets are forwarded to from router R2 to router R1.

After receiving the packet with the source address as it is natted to a public IP address in the ASA firewall.

After natting packet will be forwarded to internet cloud.

With this host is able to access internet properly but with Microsoft VPN client it is not working.

Does it have something to do with IP over IP encapsulation in the MPLS cloud and NAT in the Cisco ASA firewall, as it might change the checksum of the packet?

Please share your experience. Thanks in advance.
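
The checksum question above can be checked at the byte level. The following is an added example, not part of the original post: it models the packet path the post describes (IP-in-IP encapsulation between the two routers, then static NAT of the source address) for a GRE packet. All addresses are constructed documentation-range values, the function names are hypothetical, and the per-hop TTL decrement is left out.

```python
import ipaddress
import struct

def checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return raw[:10] + struct.pack("!H", checksum(raw)) + raw[12:]

def ipip_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """tunnel mode ipip: prepend an outer header carrying protocol 4."""
    return ipv4_header(tunnel_src, tunnel_dst, 4, len(inner)) + inner

def ipip_decapsulate(outer: bytes) -> bytes:
    """Strip the outer header at the far tunnel endpoint."""
    if outer[9] != 4:
        raise ValueError("not an IP-in-IP packet")
    return outer[(outer[0] & 0x0F) * 4:]

def nat_source(packet: bytes, new_src: str) -> bytes:
    """Static NAT: rewrite the source address and recompute the checksum."""
    hdr = packet[:10] + b"\x00\x00" + ipaddress.IPv4Address(new_src).packed + packet[16:20]
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + packet[20:]

def header_valid(packet: bytes) -> bool:
    """A header with a correct checksum sums to zero."""
    return checksum(packet[:20]) == 0

# Constructed sample: a GRE (protocol 47) packet from the host to the VPN server.
GRE_PAYLOAD = b"\x00" * 8  # placeholder bytes, not a real GRE header
INNER = ipv4_header("192.0.2.10", "203.0.113.5", 47, len(GRE_PAYLOAD)) + GRE_PAYLOAD

def walk_path():
    """Return (inner unchanged by tunnel, checksum valid after NAT, protocol)."""
    at_far_end = ipip_decapsulate(ipip_encapsulate(INNER, "198.51.100.1", "198.51.100.2"))
    after_nat = nat_source(at_far_end, "203.0.113.77")
    return at_far_end == INNER, header_valid(after_nat), after_nat[9]
```

In this model the tunnel hands back the inner packet byte for byte, and the NAT step produces a header whose checksum still verifies, with the protocol field still 47.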