pix 501 and win 2000 server cannot see network

OK, first time so bear with me.

I think the pix config is OK. I can vpn to the win2000 server and get authorisation on the network. I have checked the log for IAS and it has picked up the login. I'm running PPTP and used 'show vpdn' and all looks fine. I can ping the server and a worksta but that's it!!

Don't know if this is the right place for this question but I've been working on this for an age and have come to the end of my experience. This is my pix config if it will help.

:
PIX Version 6.3(1)                  
interface ethernet0 auto                        
interface ethernet1 100full                          
nameif ethernet0 outside security0                                  
nameif ethernet1 inside security100                                  
enable password 8Ry2YjIyt7RRXU24 encrypted                                          
passwd 2KFQnbNIdI.2KYOU encrypted                                
hostname pi          
domain-name ciscopix.com                        
fixup protocol ftp 21                    
fixup protocol h323 h225 1720                            
fixup protocol h323 ras 1718-1719                                
fixup protocol http 80                      
fixup protocol ils 389                      
fixup protocol rsh 514                      
fixup protocol rtsp 554                      
fixup protocol sip 5060                      
fixup protocol sip udp 5060                          
fixup protocol skinny 2000                          
fixup protocol smtp 25                      
fixup protocol sqlnet 1521                          
names    
access-list inside_outbound_nat0_acl permit ip any 192.168.254.0 255.255.255.224                                                                              
pager lines 24              
mtu outside 1500                
mtu inside 1500              
ip address outside 213.121.*.* 255.255.255.240                                                  
ip address inside 192.168.254.2 255.255.255.0                                            
ip audit info action alarm                          
ip audit attack action alarm                            
ip local pool mypool 192.168.254.40-192.168.254.50                                              
pdm location 192.168.254.8 255.255.255.255 inside                                                
pdm location 192.168.254.0 255.255.255.224 outside                                                
pdm logging informational 100                            
pdm history enable                  
arp timeout 14400                
global (outside) 1 interface                            
nat (inside) 0 access-list inside_outbound_nat0_acl                                                  
nat (inside) 1 0.0.0.0 0.0.0.0 0 0                                  
route outside 0.0.0.0 0.0.0.0 213.121.*.* 1                                              
timeout xlate 0:05:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00                                                                            
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00                                                              
timeout uauth 0:05:00 absolute                              
aaa-server TACACS+ protocol tacacs+                                  
aaa-server RADIUS protocol radius                                
aaa-server LOCAL protocol local                              
aaa-server alan protocol radius                              
aaa-server alan (inside) host 192.168.254.8 alan timeout 10                                                          
http server enable                  
http 192.168.254.0 255.255.255.0 inside                                      
no snmp-server location                      
no snmp-server contact                      
snmp-server community public                            
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local mypool
vpdn group PPTP-VPDN-GROUP client authentication aaa alan
vpdn group PPTP-VPDN-GROUP client accounting alan
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn enable outside
dhcpd address 192.168.254.3-192.168.254.34 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:8eb111176718427c2626d7a786879652
: end
alanhp Asked:
lrmoore Commented:
Try changing this:
   >access-list inside_outbound_nat0_acl permit ip any 192.168.254.0 255.255.255.224

to this:
    access-list inside_outbound_nat0_acl permit ip any 192.168.254.32 255.255.255.224

0
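Added example (not part of the original thread, and not lrmoore's own code): a Python check of what the suggested access-list change alters. It reads the three relevant lines of the posted configuration and lists the addresses in the VPN pool that the access list bound to "nat (inside) 0" does not match. The function names are hypothetical, and only entries of the form "permit ip any <network> <mask>" are handled.

```python
import ipaddress
import re

# Constructed sample: the three relevant lines, copied from the posted PIX config.
SAMPLE_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip any 192.168.254.0 255.255.255.224
ip local pool mypool 192.168.254.40-192.168.254.50
nat (inside) 0 access-list inside_outbound_nat0_acl
"""


def nat0_destinations(config):
    """Destination networks of the ACL bound to 'nat (inside) 0'."""
    bound = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    if not bound:
        return []
    acl = re.escape(bound.group(1))
    # Assumption: only 'permit ip any <network> <mask>' entries are parsed.
    entries = re.findall(
        rf"^access-list {acl} permit ip any (\S+) (\S+)\s*$", config, re.M)
    return [ipaddress.ip_network(f"{net}/{mask}") for net, mask in entries]


def pool_addresses(config, pool):
    """Every address handed out by 'ip local pool <pool> first-last'."""
    m = re.search(rf"^ip local pool {re.escape(pool)} (\S+)-(\S+)", config, re.M)
    if not m:
        raise ValueError(f"pool {pool!r} not found")
    first, last = (int(ipaddress.ip_address(a)) for a in m.groups())
    return [ipaddress.ip_address(i) for i in range(first, last + 1)]


def uncovered(config, pool):
    """Pool addresses that no NAT-exemption ACL entry matches."""
    nets = nat0_destinations(config)
    return [a for a in pool_addresses(config, pool)
            if not any(a in n for n in nets)]


if __name__ == "__main__":
    missing = uncovered(SAMPLE_CONFIG, "mypool")
    print("exempt destinations:", [str(n) for n in nat0_destinations(SAMPLE_CONFIG)])
    print("pool addresses not exempted:", [str(a) for a in missing])
    # The same check against the access-list line lrmoore suggested.
    fixed = SAMPLE_CONFIG.replace("192.168.254.0 255.255.255.224",
                                  "192.168.254.32 255.255.255.224")
    print("after suggested change:", [str(a) for a in uncovered(fixed, "mypool")])
```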
alanhp (Author) Commented:
Yes, done that and no luck. I also added permit protocol pptp 1723 and directed the dnc to the server 192.168.254.8 and still no luck. I have removed these lines now.

When I go to my network places to view the network I get network not accessible contact administrator.
0
alanhp (Author) Commented:
Yup, got over this, changed client-vendor protocol from Radius standard to microsoft in IAS. I can see my computer on the Network but no other, even when I search. It seems that I am not going past the IAS?
0
lrmoore Commented:
Can you ping anything on the LAN by IP address?
Yes? Do you have WINS server?
           No? Try an LMHOSTS file on the client PC.
No, can't ping? We'll keep trying other things...
0
lrmoore Commented:
Try this LMHOSTS article. All you should need is the server's IP and the domain entry. You don't need every system in your file.

How to Write an LMHOSTS File for Domain Validation and Other Name Resolution Issues
http://support.microsoft.com/support/kb/articles/Q180/0/94.ASP 
0
alanhp (Author) Commented:
Can ping server and worksta on LAN by IP. Do not have a WINS server and have used LMHOSTS on client PC, checked by using nbtstat -c

No luck in seeing the network; an information entry is in the event viewer stating the user was granted access.
0
lrmoore Commented:
If the client PC is in a workgroup, try changing that workgroup to be the same name as the domain. Can you ping the server by name?
0
alanhp (Author) Commented:
client workgroup name is the same as the domain but I cannot ping by name.
0
lrmoore Commented:
>checked by using nbtstat -c
So you get the correct name and IP address in the cache, but still can't ping by name? That only makes sense if you have the wrong IP address in the LMHOSTS file.
Did you follow all the explicit rules for the LMHOSTS file?
Is your PC XP? Be sure to explicitly enable NetBIOS over TCP/IP.
Enable NetBIOS over TCP/IP in Windows XP

   Click Start, click Control Panel
   Click Network Connections.
   Right-click "Local Area Connection", and then click "Properties".
   Click on (highlight) "Internet Protocol (TCP/IP)", and then click "Properties" button
   Click the General tab, and then click "Advanced" button , bottom right.
   Click the WINS tab.
   Under "NetBIOS setting" section, click Enable NetBIOS over TCP/IP, and then click OK two times, then "Close".
     ( ) Default
     (*) Enable NetBios
     ( ) Disable NetBios

   Reboot the computer.
0
alanhp (Author) Commented:
Yes done all that and tried another worksta as a remote.  I'm not sure if this is not a DNS problem on the server

Local Area Connection:
Node IpAddress: [192.168.1.7] Scope Id: []

                  NetBIOS Remote Cache Name Table

        Name              Type       Host Address    Life [sec]
    ------------------------------------------------------------
    NET            <00>  UNIQUE          192.168.1.2         502
    NET            <20>  UNIQUE          192.168.1.2         502
    TESTBED        <1C>  GROUP           192.168.254.8       -1
    TESTBED        <03>  UNIQUE          192.168.254.8       -1
    TESTBED        <00>  UNIQUE          192.168.254.8       -1
    TESTBED        <20>  UNIQUE          192.168.254.8       -1

test:
Node IpAddress: [192.168.254.44] Scope Id: []

                  NetBIOS Remote Cache Name Table

        Name              Type       Host Address    Life [sec]
    ------------------------------------------------------------
    TESTBED        <1C>  GROUP           192.168.254.8       -1

C:\>ping lmj
Ping request could not find host lmj. Please check the name and try again.

C:\>ping 192.168.254.103

Pinging 192.168.254.103 with 32 bytes of data:

Reply from 192.168.254.103: bytes=32 time=3ms TTL=128
Reply from 192.168.254.103: bytes=32 time=2ms TTL=128
Reply from 192.168.254.103: bytes=32 time=2ms TTL=128
Reply from 192.168.254.103: bytes=32 time=2ms TTL=128

Net is a network feeding out to the internet, this worksta is on that network and comes back through 213.121.*.* (pix) and joins the testbed domain. I have tried this from a different dsl link and get the same response.
0
alanhp (Author) Commented:
Went live with this on the domain last night; some sales guys we contacted were having problems with DNS. Will let you know how we got on.
0
alanhp (Author) Commented:
OK, we still had some problems but played around with the LMHOSTS file as suggested by lrmoore and managed to get the VPN to see the network!! Thanks very much for your help. As I have already stated this is my first time, how do the points get awarded to lrmoore?
0
lrmoore Commented:
Simply use the "accept" button on the appropriate comment, then you will be given a chance to assign a grade.

Thanks!

0

alanhp (Author) Commented:
Thank-you
0