Cisco PIX 501 VPN clients can't ping external net when connected

hi all,
I have a Cisco PIX 501 at an office that users connect to when they're at home.  They are all using the Microsoft VPN client/software built-in to Windows XP Pro.
I went through the setup wizard on the PIX 501 to set up client VPN access; everything seemed to go smoothly.
When clients are connected via VPN to the PIX, everyone can access internal network resources (computer, printers, servers, etc.) just fine.  However, they can't browse the Internet or do anything externally.  After they disconnect from the VPN, Internet works fine again.

When I went through the setup wizard on the PIX, it asked for DNS servers to assign to the clients; I entered the same thing that I assign the computers inside the LAN--
DNS 1: (Win Small Biz Server 2003/domain controller)
DNS 2: (ISP's DNS server)

If you need more info on the setup, just let me know.  Any help is appreciated!! Thanks!
hi there

I don't have a pptp client to test this on but if you go into the properties of the pptp client -
click on the networking tab
click on TCP/IP and click properties
Click on advanced
Untick the "Use default gateway on remote network" checkbox

This should send all your reachable traffic from your client out the internet connection and leave all tunnelled traffic over the tunnel.
It's kind of a "poor man's split-tunnelling"

On that note - if you have CCO - I would definitely recommend using Cisco VPN client over pptp any day.  Not only for the IPSec security, but because you can deploy the client and have greater control over it on the pix - ie split tunnelling access-lists.
wotechAuthor Commented:
works like a charm!

theoretically, though, shouldn't I be able to route traffic through the remote gateway?
<<theoretically, though, shouldn't I be able to route traffic through the remote gateway?

No - a PIX will not redirect traffic out an interface it originated from.  In this case the pptp traffic comes in on the outside interface - and if you wanted to go to the internet, it would have to go back out the outside interface.  The pix will not allow this.

Glad you got it working!
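
The routing behaviour described in the two answers above, modelled as an added example (not code from the thread or from Cisco/Microsoft). The addresses, metrics and the single office route installed when the box is cleared are assumptions of this sketch.

```python
import ipaddress

# Constructed values (assumptions of this sketch, not taken from the thread)
OFFICE_LAN = ipaddress.ip_network("192.168.1.0/24")  # inside network behind the PIX
HOME_LAN = ipaddress.ip_network("192.168.0.0/24")    # the VPN user's home network
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
HOME_GW, TUNNEL = "home-router", "pptp-tunnel"

def client_routes(use_remote_default_gw):
    """Client routing table while the VPN is up: (prefix, next hop, metric)."""
    routes = [(DEFAULT, HOME_GW, 20), (HOME_LAN, HOME_GW, 20)]
    if use_remote_default_gw:
        # Box ticked: a lower-metric default route through the tunnel takes over.
        routes.append((DEFAULT, TUNNEL, 1))
    else:
        # Box cleared: only the network of the VPN-assigned address uses the tunnel.
        routes.append((OFFICE_LAN, TUNNEL, 1))
    return routes

def next_hop(routes, dst):
    """Longest matching prefix wins; the lowest metric breaks ties."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))[1]

def outcome(use_remote_default_gw, dst):
    """Where a packet from the VPN client to dst ends up."""
    if next_hop(client_routes(use_remote_default_gw), dst) == HOME_GW:
        return "direct"  # leaves over the home connection, never reaches the PIX
    # Tunnelled traffic arrives on the PIX outside interface. Per the answer,
    # the PIX will not send it back out the interface it came in on, so only
    # destinations on the inside network are forwarded.
    if ipaddress.ip_address(dst) in OFFICE_LAN:
        return "via-pix"
    return "dropped-at-pix"

if __name__ == "__main__":
    for ticked in (True, False):
        for dst in ("192.168.1.10", "203.0.113.5", "192.168.0.5"):
            print(f"default-gw-on-remote={ticked!s:5} {dst:13} -> {outcome(ticked, dst)}")
```

With the box cleared, the client's Internet traffic no longer passes through the office at all, so it is outside whatever filtering and logging the office network applies while the tunnel is up.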
wotechAuthor Commented:
cool, thx for the info

have some points!
welcome bro

thank you
Question has a verified solution.