pix 501 and win 2000 server cannot see network

Posted on 2004-11-03
Last Modified: 2010-04-12
OK, first time so bear with me.

I think the pix config is OK. I can VPN to the win2000 server and get authorisation on the network. I have checked the log for IAS and it has picked up the login. I'm running PPTP and used 'show vpdn' and all looks fine. I can ping the server and a workstation but that's it!!

Don't know if this is the right place for this question but I've been working on this for an age and have come to the end of my experience. This is my pix config if it will help.

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pi
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list inside_outbound_nat0_acl permit ip any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 213.121.*.*
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool mypool
pdm location inside
pdm location outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
route outside 213.121.*.* 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server alan protocol radius
aaa-server alan (inside) host alan timeout 10
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local mypool
vpdn group PPTP-VPDN-GROUP client authentication aaa alan
vpdn group PPTP-VPDN-GROUP client accounting alan
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn enable outside
dhcpd address inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
: end
Question by:alanhp
    LVL 79

    Expert Comment

    Try changing this:
       >access-list inside_outbound_nat0_acl permit ip any

    to this:
        access-list inside_outbound_nat0_acl permit ip any


    Author Comment

    Yes, done that and no luck. I also added permit protocol pptp 1723 and directed the dnc to the server and still no luck. I have removed these lines now.

    When I go to My Network Places to view the network I get "network not accessible, contact administrator".

    Author Comment

    Yup, got over this, changed client-vendor protocol from Radius standard to Microsoft in IAS. I can see my computer on the network but no other, even when I search. It seems that I am not going past the IAS?
    LVL 79

    Expert Comment

    Can you ping anything on the LAN by IP address?
    Yes? Do you have WINS server?
               No? Try an LMHOSTS file on the client PC.
    No, can't ping? We'll keep trying other things...
    LVL 79

    Expert Comment

    Try this LMHOSTS article. All you should need is the server's IP and the domain entry. You don't need every system in your file.

    How to Write an LMHOSTS File for Domain Validation and Other Name Resolution Issues

    Author Comment

    Can ping server and workstation on LAN by IP. Do not have a WINS server and have used LMHOSTS on client PC, checked by using nbtstat -c.

    No luck in seeing the network; an information entry is in the event viewer stating the user was granted access.
    LVL 79

    Expert Comment

    If the client PC is in a workgroup, try changing that workgroup to be the same name as the domain. Can you ping the server by name?

    Author Comment

    client workgroup name is the same as the domain but I cannot ping by name.
    LVL 79

    Expert Comment

    >checked by using nbtstat -c
    So you get the correct name and IP address in the cache, but still can't ping by name? That only makes sense if you have the wrong IP address in the LMHOSTS file.
    Did you follow all the explicit rules for the LMHOSTS file?
    Is your PC XP? Be sure to explicitly enable NetBIOS over TCP/IP.
    Enable NetBIOS over TCP/IP in Windows XP

       Click Start, click Control Panel
       Click Network Connections.
       Right-click "Local Area Connection", and then click "Properties".
       Click on (highlight) "Internet Protocol (TCP/IP)", and then click "Properties" button
       Click the General tab, and then click "Advanced" button , bottom right.
       Click the WINS tab.
       Under the "NetBIOS setting" section, click "Enable NetBIOS over TCP/IP", click OK two times, then "Close".
         ( ) Default
         (*) Enable NetBios
         ( ) Disable NetBios

       Reboot the computer.
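The expert's LMHOSTS advice above boils down to a few explicit rules (a valid IPv4 address, a NetBIOS name of at most 15 characters, and a preloaded #PRE #DOM:<domain> entry for the domain controller). The checker below is an added example, not code from the thread; the sample file, the LMJ/NET host names and the 192.0.2.x addresses are constructed, since the real addresses were not posted.

```python
import ipaddress
import re
# Constructed sample LMHOSTS for the TESTBED domain in this thread; 192.0.2.x
# are documentation addresses, the real server IPs were not given on the page.
SAMPLE_LMHOSTS = """\
# LMHOSTS on the VPN client (constructed example)
192.0.2.10  LMJ   #PRE #DOM:TESTBED   # domain controller, preloaded
192.0.2.11  NET                       # plain LAN host, resolved on demand
"""
# <ip> <name or "quoted name"> <rest: #PRE/#DOM directives, then comments>
LINE_RE = re.compile(r'^\s*(\S+)\s+("[^"]*"|\S+)(.*)$')

def parse_lmhosts(text):
    """Yield (lineno, ip, name, directives) per entry; ip is None if unparseable."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or pure comment (#INCLUDE etc. not handled)
        m = LINE_RE.match(raw)
        if not m:
            yield lineno, None, raw.strip(), []
            continue
        ip, name, rest = m.groups()
        directives = []
        for tok in rest.split():
            if tok.upper() == "#PRE" or tok.upper().startswith("#DOM:"):
                directives.append(tok.upper())
            elif tok.startswith("#"):
                break  # any other '#' token starts a trailing comment
        # quoted form "NAME           \0x1b": drop quotes, hex suffix and padding
        yield lineno, ip, name.strip('"').split("\\")[0].rstrip(), directives

def check_lmhosts(text, domain):
    """Return a list of problems; empty means the basic LMHOSTS rules are met."""
    problems, have_dom = [], False
    for lineno, ip, name, dirs in parse_lmhosts(text):
        if ip is None:
            problems.append(f"line {lineno}: expected '<ip> <name> [#PRE] [#DOM:x]'")
            continue
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append(f"line {lineno}: '{ip}' is not an IPv4 address")
        if len(name) > 15:
            problems.append(f"line {lineno}: NetBIOS name '{name}' exceeds 15 chars")
        dom = [d for d in dirs if d.startswith("#DOM:")]
        if dom and "#PRE" not in dirs:
            problems.append(f"line {lineno}: #DOM entry should also be #PRE (preloaded)")
        have_dom |= f"#DOM:{domain.upper()}" in dom
    if not have_dom:
        problems.append(f"no #PRE #DOM:{domain.upper()} entry for the domain controller")
    return problems
```

Run it against the client's real %SystemRoot%\system32\drivers\etc\lmhosts; an empty list means the file at least follows the rules, after which `nbtstat -R` reloads the cache.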

    Author Comment

    Yes, done all that and tried another workstation as a remote. I'm not sure if this is not a DNS problem on the server.

    Local Area Connection:
    Node IpAddress: [] Scope Id: []

                      NetBIOS Remote Cache Name Table

            Name              Type       Host Address    Life [sec]
        NET            <00>  UNIQUE         502
        NET            <20>  UNIQUE         502
        TESTBED        <1C>  GROUP        -1
        TESTBED        <03>  UNIQUE       -1
        TESTBED        <00>  UNIQUE       -1
        TESTBED        <20>  UNIQUE       -1

    Node IpAddress: [] Scope Id: []

                      NetBIOS Remote Cache Name Table

            Name              Type       Host Address    Life [sec]
        TESTBED        <1C>  GROUP        -1

    C:\>ping lmj
    Ping request could not find host lmj. Please check the name and try again.


    Pinging with 32 bytes of data:

    Reply from bytes=32 time=3ms TTL=128
    Reply from bytes=32 time=2ms TTL=128
    Reply from bytes=32 time=2ms TTL=128
    Reply from bytes=32 time=2ms TTL=128

    Net is a network feeding out to the internet; this workstation is on that network and comes back through 213.121.*.* (pix) and joins the testbed domain. I have tried this from a different DSL link and get the same response.

    Author Comment

    Went live with this on the domain last night; some sales guys we contacted were having problems with DNS, will let you know how we got on.

    Author Comment

    OK, we still had some problems but played around with the LMHOSTS file as suggested by lrmoore and managed to get the VPN to see the network!! Thanks very much for your help. As I have already stated this is my first time, how do the points get awarded to lrmoore?
    LVL 79

    Accepted Solution

    Simply use the "accept" button on the appropriate comment, then you will be given a chance to assign a grade.
