pix 501 and win 2000 server cannot see network

Posted on 2004-11-03
Medium Priority
Last Modified: 2010-04-12
OK, first time so bear with me.

I think the PIX config is OK. I can VPN to the Win2000 server and get authorisation on the network. I have checked the log for IAS and it has picked up the login. I'm running PPTP and used 'show vpdn' and all looks fine. I can ping the server and a worksta but that's it!!

Don't know if this is the right place for this question but I've been working on this for an age and have come to the end of my experience. This is my PIX config if it will help.

PIX Version 6.3(1)                  
interface ethernet0 auto                        
interface ethernet1 100full                          
nameif ethernet0 outside security0                                  
nameif ethernet1 inside security100                                  
enable password 8Ry2YjIyt7RRXU24 encrypted                                          
passwd 2KFQnbNIdI.2KYOU encrypted                                
hostname pi          
domain-name ciscopix.com                        
fixup protocol ftp 21                    
fixup protocol h323 h225 1720                            
fixup protocol h323 ras 1718-1719                                
fixup protocol http 80                      
fixup protocol ils 389                      
fixup protocol rsh 514                      
fixup protocol rtsp 554                      
fixup protocol sip 5060                      
fixup protocol sip udp 5060                          
fixup protocol skinny 2000                          
fixup protocol smtp 25                      
fixup protocol sqlnet 1521                          
access-list inside_outbound_nat0_acl permit ip any                                                                              
pager lines 24              
mtu outside 1500                
mtu inside 1500              
ip address outside 213.121.*.*                                                  
ip address inside                                            
ip audit info action alarm                          
ip audit attack action alarm                            
ip local pool mypool                                              
pdm location inside                                                
pdm location outside                                                
pdm logging informational 100                            
pdm history enable                  
arp timeout 14400                
global (outside) 1 interface                            
nat (inside) 0 access-list inside_outbound_nat0_acl                                                  
nat (inside) 1 0 0                                  
route outside 213.121.*.* 1                                              
timeout xlate 0:05:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00                                                                            
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00                                                              
timeout uauth 0:05:00 absolute                              
aaa-server TACACS+ protocol tacacs+                                  
aaa-server RADIUS protocol radius                                
aaa-server LOCAL protocol local                              
aaa-server alan protocol radius                              
aaa-server alan (inside) host alan timeout 10                                                          
http server enable                  
http inside                                      
no snmp-server location                      
no snmp-server contact                      
snmp-server community public                            
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local mypool
vpdn group PPTP-VPDN-GROUP client authentication aaa alan
vpdn group PPTP-VPDN-GROUP client accounting alan
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn enable outside
dhcpd address inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
: end
Question by:alanhp
LVL 79

Expert Comment

ID: 12487633
Try changing this:
   >access-list inside_outbound_nat0_acl permit ip any

to this:
    access-list inside_outbound_nat0_acl permit ip any


Author Comment

ID: 12491600
Yes, done that and no luck. I also added permit protocol pptp 1723 and directed the dnc to the server and still no luck. I have removed these lines now.

When I go to My Network Places to view the network I get network not accessible contact administrator.

Author Comment

ID: 12492628
Yup, got over this, changed client-vendor protocol from RADIUS Standard to Microsoft in IAS. I can see my computer on the network but no other, even when I search. It seems that I am not going past the IAS?
LVL 79

Expert Comment

ID: 12492830
Can you ping anything on the LAN by IP address?
Yes? Do you have WINS server?
           No? Try an LMHOSTS file on the client PC.
No, can't ping? We'll keep trying other things...
LVL 79

Expert Comment

ID: 12493005
Try this LMHOSTS article. All you should need is the server's IP and the domain entry. You don't need every system in your file.

How to Write an LMHOSTS File for Domain Validation and Other Name Resolution Issues

Author Comment

ID: 12493437
Can ping server and worksta on LAN by IP. Do not have a WINS server and have used LMHOSTS on client PC, checked by using nbtstat -c

No luck in seeing the network; an information entry is in the event viewer stating the user was granted access.
LVL 79

Expert Comment

ID: 12493483
If the client PC is in a workgroup, try changing that workgroup to be the same name as the domain. Can you ping the server by name?

Author Comment

ID: 12493797
client workgroup name is the same as the domain but I cannot ping by name.
LVL 79

Expert Comment

ID: 12493887
>checked by using nbtstat -c
So you get the correct name and IP address in the cache, but still can't ping by name? That only makes sense if you have the wrong IP address in the LMHOSTS file.
Did you follow all the explicit rules for the LMHOSTS file?
Is your PC XP? Be sure to explicitly enable NetBIOS over TCP/IP.
Enable NetBIOS over TCP/IP in Windows XP

   Click Start, click Control Panel
   Click Network Connections.
   Right-click "Local Area Connection", and then click "Properties".
   Click on (highlight) "Internet Protocol (TCP/IP)", and then click "Properties" button
   Click the General tab, and then click "Advanced" button, bottom right.
   Click the WINS tab.
   Under "NetBIOS setting" section, click Enable NetBIOS over TCP/IP, and then click OK two times, then "Close".
     ( ) Default
     (*) Enable NetBios
     ( ) Disable NetBios

   Reboot the computer.
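
An added example, not part of the original thread or of the linked article: a small linter for the kind of LMHOSTS rules the expert asks about above. The rules it checks (names of at most 15 characters, quoted names padded to 15 characters plus a `\0xNN` type suffix, uppercase `#PRE` / `#DOM:` keywords, `#PRE` alongside `#DOM:`) are a summary of the documented LMHOSTS format and are assumptions here; every address and host name in the sample is a constructed placeholder.

```python
import re

DOMAIN = 'TESTBED'   # domain name from the thread; every other value is constructed
SAMPLE = '\n'.join([
    f'192.0.2.10 LMJSRV #PRE #DOM:{DOMAIN}',           # server entry, well formed
    f'192.0.2.10 "{DOMAIN.ljust(15)}\\0x1C" #PRE',     # domain entry padded to 15
    f'192.0.2.10 "{DOMAIN} \\0x1C" #PRE',              # padding too short
    f'192.0.2.11 WORKSTA1 #pre #DOM:{DOMAIN}',         # lowercase keyword
    f'192.0.2.12 SRV2 #DOM:{DOMAIN}',                  # #DOM without #PRE
    '192.0.2.13 AVERYLONGCOMPUTERNAME #PRE',           # name longer than 15
])
ENTRY = re.compile(r'^\s*(\S+)\s+("[^"]*"|\S+)(.*)$')
TYPED = re.compile(r'\\0[xX][0-9A-Fa-f]{2}')

def lint_lmhosts(text):
    """Return [(line_no, message)] for entries that break the rules checked here."""
    problems = []
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue                                   # blank, comment or directive
        m = ENTRY.match(raw)
        if not m:
            problems.append((no, 'expected "address name [keywords]"'))
            continue
        ip, name, rest = m.groups()
        parts = ip.split('.')
        if len(parts) != 4 or not all(p.isdigit() and int(p) < 256 for p in parts):
            problems.append((no, f'bad IPv4 address {ip}'))
        if name.startswith('"'):
            inner = name[1:-1]  # 15 padded name chars, then \0xNN as 16th byte = 20
            if len(inner) != 20 or not TYPED.fullmatch(inner[15:]):
                problems.append((no, 'quoted name must be 15 padded chars + \\0xNN'))
        elif len(name) > 15:
            problems.append((no, f'name {name} is longer than 15 characters'))
        pre = dom = False
        for tok in rest.split():
            if tok == '#PRE':
                pre = True
            elif tok.startswith('#DOM:'):
                dom = True
            else:
                if tok.upper() == '#PRE' or tok.upper().startswith('#DOM:'):
                    problems.append((no, f'keyword {tok} must be uppercase'))
                break                                  # anything else starts a comment
        if dom and not pre:
            problems.append((no, '#DOM entry has no #PRE, so it is not preloaded'))
    return problems

print(*lint_lmhosts(SAMPLE), sep='\n')
```

Entries loaded with `#PRE` are the ones that appear in `nbtstat -c` with a life of -1, as in the cache listing posted later in this thread.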

Author Comment

ID: 12494367
Yes done all that and tried another worksta as a remote.  I'm not sure if this is not a DNS problem on the server

Local Area Connection:
Node IpAddress: [] Scope Id: []

                  NetBIOS Remote Cache Name Table

        Name              Type       Host Address    Life [sec]
    NET            <00>  UNIQUE         502
    NET            <20>  UNIQUE         502
    TESTBED        <1C>  GROUP        -1
    TESTBED        <03>  UNIQUE       -1
    TESTBED        <00>  UNIQUE       -1
    TESTBED        <20>  UNIQUE       -1

Node IpAddress: [] Scope Id: []

                  NetBIOS Remote Cache Name Table

        Name              Type       Host Address    Life [sec]
    TESTBED        <1C>  GROUP        -1

C:\>ping lmj
Ping request could not find host lmj. Please check the name and try again.


Pinging with 32 bytes of data:

Reply from bytes=32 time=3ms TTL=128
Reply from bytes=32 time=2ms TTL=128
Reply from bytes=32 time=2ms TTL=128
Reply from bytes=32 time=2ms TTL=128

Net is a network feeding out to the internet, this worksta is on that network and comes back through 213.121.*.* (PIX) and joins the testbed domain. I have tried this from a different DSL link and get the same response.

Author Comment

ID: 12501536
Went live with this on the domain last night. Some sales guys we contacted were having problems with DNS; will let you know how we got on.

Author Comment

ID: 12579580
OK, we still had some problems but played around with the LMHOSTS file as suggested by lrmoore and managed to get the VPN to see the network!! Thanks very much for your help. As I have already stated this is my first time, how do the points get awarded to lrmoore?
LVL 79

Accepted Solution

lrmoore earned 1500 total points
ID: 12579645
Simply use the "accept" button on the appropriate comment, then you will be given a chance to assign a grade.




Question has a verified solution.
