• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 362
  • Last Modified:

Using Windows 2000 with Cisco VPN Client

I am having trouble connecting my laptop with Windows 2000 through a Cisco PIX to our VPN server.  

Depending on my connection (often, a hotel) it seems to work fine.  However, from home I cannot connect.

What is odd is I get the VPN log in and I get the padlock in the corner, showing a successful connection.

My Local Area Connection 3 lights up with the VPN IP address and DNS in the properties.  IPCONFIG /ALL confirms it.

When I start Outlook, it prompts for my username and password, just like I'm connected at work.  It usually times out once, whan I hit retry it connects (when it's working properly)  However, from home, it sits there and continues to time out.

I cannot ping the server, either by name or by IP address.  When I look at my active ports program, I notice the UDP ports 137, 138, 139 show my VPN address but no path.  Port 4500 is listed, but has for the address.

MY I.T. guy and I were trying to troubleshoot today.  His laptop has XP Pro and it connects up like a champ.  The only thing I have not tried is to try his laptop at my home connection.  

Does this sound like a Win2000 thing, a configuration/firewall problem at home, or is there anything that the VPN server has to be configured for, in order for Win2000 to operate reliably, different than a a client with XP?

It's as if I am connected but cannot resolve anything.  Do I just need to bite the bullet and give Bill more $$ for XP?

Thanks in advance!

George Nicholas
  • 4
  • 2
2 Solutions
Rob WilliamsCommented:
Trying his laptop at your site is an excellent test as it will verify if it is your connection or your computer. If you have a router at home it would be performing NAT (Network Address Translation) there was an update affecting that, you may want to have a look at. However, if your Windows updates have been kept current this or a subsequent update would have addressed this. Also if it is the problem, it should occur in more places than just home. Have a look anyway:

One other thought, what make and model router and or modem do you have at home ? If an option, you might want to enable "IPSec pass-through". Also some older routers do not support IPSec VPN traffic, though I would be surprised you would get the "lock" if this were the case.
gnicholasAuthor Commented:
Rob -
I have a Cisco 675 DSL modem with Qwest, and chances are the needed port(s) are not open.  I am saying that up front because I know incoming VNC (server) doesn't work, although I can use Ultra VNC viewer just fine.  The Cisco feeds a LinkSys wireless router and I believe the security is set to pass through.  I -can- get into the server from home using RDC.  Today, as part of our test, we walked outside with our laptops (both Dell Latitude) and got on someone's unsecure wireless connection.  The XP computer connected fine, mine did not.   This symptom acts like a firewall is enabled, but my 2000 machine does not use any firewalls that I am aware of.  We've disabled NAV and tried it again.  

Any idea what ports Cisco VPN Client uses?  Also, speaking of the client, is there a compatibility problem with version and Win2K?

Rob WilliamsCommented:
At home you have:
Internet => Linksys => laptop ?
A few things;
1) I forgot to mention earlier, the office network and the home network need to be on different subnets. If the office is using 192.168.0.x then home must use something like 192.168.1.x Any chance these two sites are the same
2) Port forwarding is only required for incoming connections such as you mentioned for VNC. Outgoing connections do not require opening or forwarding ports. Unless....someone has manually and intentionally, installed filters to block outgoing connections. However, on some routers IPSec pass through needs to be enabled.
3) VPN's do not like connecting through 2 NAT devices (Network Address Translation). Both the local Cisco and the Linksys would perform NAT. Try configuring your connection so you are using one or the other.
4) Some versions or Norton Anti-virus have a feature called something like Internet Worm Protection. This somehow can block VPN's. Disabling NAV sometimes doesn't fix it. You need to uninstall or disable that feature. Other NAV features seem to be OK, unless you have a NAV suite that includes a firewall.
5) Does your laptop work anywhere else. Perhaps the client or service is not installed or running properly. One thing to check, after starting the VPN client, in the services management console, does the IPSec service show as started?
6) according to 2 University sites I found the client is compatible with W2K
What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

gnicholasAuthor Commented:
Rob - My setup at home is internet=>Cisco 675=>Linksys wireless=>Laptop.

Just for grins, I moved my laptop to the front of the house and logged into my neighbor's wireless connection.  I know about theirs because we are good friends and I helped them set it up.  They have a cable connection feeding a Linksys wireless.  The firewall says it's on, but the VPN passthrough is enabled.  Anyway, no workee through theirs, either.  I'm beginning to wonder if it's something in my account on the server.  
As to the subnets, mine at home is and the office VPN is 10.10.90.XX.
I'll try disabling the worm blocking.
I'll check on the IPSec.

Thanks Rob, I'll report back.


George Nicholas
Rob WilliamsCommented:
-George if you are good friends with the neighbor, see if you can connect by wire to his router. I have had a few issues from time to time with VPN's and wireless. Though it usually works, it seems like there is a conflict on occasion between the VPN encryption and the wireless encryption. That being said I have never had that problem with the Cisco client, only others.
-As for 2 NAT devices mentioned earlier, I just clued in, the Cisco 675 is a DSL modem not a typical network router, so that should not be an issue.
-Are your Windows patches/update up to date as mentioned earlier?

Let me know how you make out.
Suggest using 4.8 and when connected (well, when it says connected), go to command prompt and get an output of 'route print' and post it here. I'm not sure about what might turn in but lets check that out. IPSEC passthrough will not be a problem since you are able to connect.

Rob WilliamsCommented:
Thanks gnicholas,

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now