VPN connects, cannot ping servers or see domain

Hello,
  I am a consultant working with a small business client that wants me to be able to support their servers remotely, and I'd like to use a VPN connection and a Remote Desktop Connection.  I am connecting from home via winXP laptop -> Linksys 4-port switch -> DSL modem -> internet -> DSL Modem -> Cisco PIX 506

 I appear to connect successfully on the VPN, but I am unable to ping anything other than the outside IP address (vpn address).  I cannot ping server names, or by server IP addresses.  Cannot browse the network, nor connect to any mapped network  drives.

 My home IP setup is 192.168.2.X as to be different than the office setup (I did read other posts and this was the first thing I tried).  XP firewall is disabled, and I added the domain server's IP address (192.168.1.5) and server name to my windows\system32\drivers\etc\hosts file.

VPN client -> Transparent Tunneling is Enabled for IPSec over UDP (NAT/PAT), Local LAN Access is enabled.  

I've forwarded for the laptop's IP address  ports 3389, 4500, and 500 on my home linksys router for both TCP and UDP.

I feel like I'm not getting to the domain server -  I'm wondering if the domain on the PIX is correct - the domain on the DNS server is company.com, but on the PIX its company.local.

I'm also wondering if the ip local pool vpnpool 10.1.1.1-10.1.1.254  
is in error for
access-list mylink_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any

The PIX config is below.  I apologize if I included too much, but I'm not sure many of the entries are truely necessary.

Any help is greatly appreciated - I've been grinding away a lot of time on this issue without success.  Thanks!!

PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx encrypted
hostname pix01
domain-name company.local
clock timezone MST -7
clock summer-time MDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.100 sys-admin-it
name 192.168.1.30 VAC
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp host WBS host xxx.xxx.xxx.163 eq www
access-list outside_access_in permit tcp host WBS host xxx.xxx.xxx.163 eq 3011
access-list outside_access_in permit udp host WBS host xxx.xxx.xxx.163 eq www
access-list outside_access_in remark VNC access to the admin system
access-list outside_access_in remark VNC access to the admin system
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.1.1.0 255.255.255.0
access-list mylink_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 2xx.xxx.xxx.xxx 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name DEFEND attack action alarm drop reset
ip audit name REPORT info action alarm
ip audit interface outside REPORT
ip audit interface outside DEFEND
ip audit info action alarm
ip audit attack action alarm
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2002 disable
ip audit signature 2003 disable
ip audit signature 2004 disable
ip audit signature 2151 disable
ip local pool vpnpool 10.1.1.1-10.1.1.254
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) xxx.xxx.xxx.162 192.168.1.87 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.163 VAC netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2xx.xxx.xxx.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
ntp server xxx.xxx.xxx.xxx source outside
http server enable      
http 192.168.1.0 255.255.255.0 inside
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto commands (edited out)
isakmp enable outside
isakmp identity address
isakmp keepalive 30 10
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

vpngroup mylink address-pool vpnpool
vpngroup mylink dns-server 192.168.1.5
vpngroup mylink wins-server 192.168.1.5
vpngroup mylink default-domain company.com
vpngroup mylink split-tunnel mylink_splitTunnelAcl
vpngroup mylink split-dns company.com
vpngroup mylink idle-time 1800
vpngroup mylink password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh xx.xxx.xxx.xxx 255.255.255.248 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
username (edited out)
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxx
pix01#

skywalke34Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

calvinetterCommented:
Glancing over your config (minus the crypto commands of course), it seems ok.

I'm betting it's the Linksys router - I've had a couple of run-ins with Linksys routers that either wouldn't allow a tunnel to be created to the PIX endpoint, or not being able to pass traffic through the tunnel.  Seems that Linksys routers often aren't NAT<->VPN friendly.

>I'm also wondering if the ip local pool vpnpool 10.1.1.1-10.1.1.254  
>is in error for
>access-list mylink_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any

Normally I explicitly put the IP range of the VPN pool in the access list - you could try this, just as a test, but I doubt it'll work.

Since I don't see your crypto commands, I assume your transform-set parameters match the isakmp policy - ie,  encryption 3des & hash md5.  (Also be aware that the 3.6.x Cisco client doesn't support SHA as the hash.)
lrmooreCommented:
>access-list mylink_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
This should be:

access-list mylink_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

Additionally, is your home LAN also 192.168.1.x by any chance?



Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
lrmooreCommented:
>My home IP setup is 192.168.2.X as to be different than the office setup
D'oh... getting more coffee.... should read question more carefully....
skywalke34Author Commented:
Shows how much I know..  (I thought hiding the crypto was necessary)  :)  The crypto config is below
sysopt connection permit-ipsec      
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside

I'm going to try the access-list change first and test, and then get explicit set the ip range.  Thx
skywalke34Author Commented:
The access-list change seems to have fixed the problem for my associate - I will test from my home tonight to confirm and will post my results.  Thx!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
VPN

From novice to tech pro — start learning today.