Using Windows 2000 with Cisco VPN Client

Posted on 2006-05-22
Last Modified: 2010-04-12
I am having trouble connecting my laptop with Windows 2000 through a Cisco PIX to our VPN server.  

Depending on my connection (often, a hotel) it seems to work fine.  However, from home I cannot connect.

What is odd is I get the VPN log in and I get the padlock in the corner, showing a successful connection.

My Local Area Connection 3 lights up with the VPN IP address and DNS in the properties.  IPCONFIG /ALL confirms it.

When I start Outlook, it prompts for my username and password, just like I'm connected at work.  It usually times out once; when I hit retry it connects (when it's working properly).  However, from home, it sits there and continues to time out.

I cannot ping the server, either by name or by IP address.  When I look at my active ports program, I notice the UDP ports 137, 138, 139 show my VPN address but no path.  Port 4500 is listed, but has for the address.

My I.T. guy and I were trying to troubleshoot today.  His laptop has XP Pro and it connects up like a champ.  The only thing I have not tried is to try his laptop at my home connection.

Does this sound like a Win2000 thing, a configuration/firewall problem at home, or is there anything that the VPN server has to be configured for, in order for Win2000 to operate reliably, different than a client with XP?

It's as if I am connected but cannot resolve anything.  Do I just need to bite the bullet and give Bill more $$ for XP?

Thanks in advance!

George Nicholas
Question by:gnicholas

    Expert Comment

    by:Rob Williams
    Trying his laptop at your site is an excellent test, as it will verify if it is your connection or your computer. If you have a router at home it would be performing NAT (Network Address Translation). There was an update affecting that, which you may want to have a look at. However, if your Windows updates have been kept current, this or a subsequent update would have addressed this. Also, if it is the problem, it should occur in more places than just home. Have a look anyway:

    One other thought: what make and model of router and/or modem do you have at home? If it is an option, you might want to enable "IPSec pass-through". Also, some older routers do not support IPSec VPN traffic, though I would be surprised you would get the "lock" if this were the case.

    Author Comment

    Rob -
    I have a Cisco 675 DSL modem with Qwest, and chances are the needed port(s) are not open.  I am saying that up front because I know incoming VNC (server) doesn't work, although I can use Ultra VNC viewer just fine.  The Cisco feeds a LinkSys wireless router and I believe the security is set to pass through.  I -can- get into the server from home using RDC.  Today, as part of our test, we walked outside with our laptops (both Dell Latitude) and got on someone's unsecure wireless connection.  The XP computer connected fine, mine did not.   This symptom acts like a firewall is enabled, but my 2000 machine does not use any firewalls that I am aware of.  We've disabled NAV and tried it again.  

    Any idea what ports Cisco VPN Client uses?  Also, speaking of the client, is there a compatibility problem with version and Win2K?


    Accepted Solution

    At home you have:
    Internet => Linksys => laptop ?
    A few things:
    1) I forgot to mention earlier, the office network and the home network need to be on different subnets. If the office is using 192.168.0.x then home must use something like 192.168.1.x. Any chance these two sites are the same?
    2) Port forwarding is only required for incoming connections such as you mentioned for VNC. Outgoing connections do not require opening or forwarding ports. Unless....someone has manually and intentionally installed filters to block outgoing connections. However, on some routers IPSec pass-through needs to be enabled.
    3) VPN's do not like connecting through 2 NAT devices (Network Address Translation). Both the local Cisco and the Linksys would perform NAT. Try configuring your connection so you are using one or the other.
    4) Some versions of Norton Anti-virus have a feature called something like Internet Worm Protection. This somehow can block VPN's. Disabling NAV sometimes doesn't fix it. You need to uninstall or disable that feature. Other NAV features seem to be OK, unless you have a NAV suite that includes a firewall.
    5) Does your laptop work anywhere else? Perhaps the client or service is not installed or running properly. One thing to check: after starting the VPN client, in the services management console, does the IPSec service show as started?
    6) According to 2 University sites I found, the client is compatible with W2K.

    Author Comment

    Rob - My setup at home is internet=>Cisco 675=>Linksys wireless=>Laptop.

    Just for grins, I moved my laptop to the front of the house and logged into my neighbor's wireless connection.  I know about theirs because we are good friends and I helped them set it up.  They have a cable connection feeding a Linksys wireless.  The firewall says it's on, but the VPN passthrough is enabled.  Anyway, no workee through theirs, either.  I'm beginning to wonder if it's something in my account on the server.  
    As to the subnets, mine at home is and the office VPN is 10.10.90.XX.
    I'll try disabling the worm blocking.
    I'll check on the IPSec.

    Thanks Rob, I'll report back.


    George Nicholas

    Expert Comment

    by:Rob Williams
    -George if you are good friends with the neighbor, see if you can connect by wire to his router. I have had a few issues from time to time with VPN's and wireless. Though it usually works, it seems like there is a conflict on occasion between the VPN encryption and the wireless encryption. That being said I have never had that problem with the Cisco client, only others.
    -As for 2 NAT devices mentioned earlier, I just clued in, the Cisco 675 is a DSL modem not a typical network router, so that should not be an issue.
    -Are your Windows patches/updates up to date as mentioned earlier?

    Let me know how you make out.

    Assisted Solution

    Suggest using 4.8 and when connected (well, when it says connected), go to command prompt and get an output of 'route print' and post it here. I'm not sure about what might turn in but let's check that out. IPSEC passthrough will not be a problem since you are able to connect.
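
An added example, not part of the thread or written by any of its participants: one way to read saved `route print` output for the "padlock but nothing reachable" symptom, combined with the subnet-overlap condition from the accepted solution. The routing table, the home LAN 192.168.1.0/24, the VPN-assigned address 10.10.90.25, the server 10.10.90.10 and the /24 mask are constructed assumptions; only the 10.10.90.XX range comes from the thread.

```python
import ipaddress

# Constructed `route print` excerpt taken while the client shows the padlock.
# 192.168.1.x (home LAN) and 10.10.90.25 (VPN-assigned address) are made up.
SAMPLE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.100       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.100   192.168.1.100       1
      10.10.90.25  255.255.255.255        127.0.0.1       127.0.0.1       1
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) for each route row."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # headers, separators, persistent-route section
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[1]}", strict=False)
            gw = ipaddress.ip_address(fields[2])
            iface = ipaddress.ip_address(fields[3])
            routes.append((net, gw, iface, int(fields[4])))
        except ValueError:
            continue  # five words that are not a route row
    return routes

def diagnose(text, vpn_ip, office_net, home_net, server_ip):
    """List findings that would explain 'connected but nothing reachable'."""
    office, home = ipaddress.ip_network(office_net), ipaddress.ip_network(home_net)
    vpn, server = ipaddress.ip_address(vpn_ip), ipaddress.ip_address(server_ip)
    findings = []
    if office.overlaps(home):
        findings.append("home and office subnets overlap")
    # Windows picks the most specific matching route, then the lowest metric.
    matches = [r for r in parse_routes(text) if server in r[0]]
    if not matches:
        findings.append("no route to the office server")
    else:
        best = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
        if best[2] != vpn:
            findings.append(f"office traffic leaves via {best[2]}, not the VPN adapter")
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE, "10.10.90.25", "10.10.90.0/24",
                            "192.168.1.0/24", "10.10.90.10"):
        print(finding)
```

In the constructed sample the only route covering the office server is the default route on the home adapter, so the finding is that office traffic never enters the tunnel.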


    Expert Comment

    by:Rob Williams
    Thanks gnicholas,
