I am still having a problem with VPN, however. The Cisco PIX is the gateway to a LAN which is 192.168.16.x.
The Cisco VPN is configured to give VPN clients an address on the 192.168.17.x subnet.
2 problems:
1) When I connect via VPN, I get a 192.168.17.x address, but can't ping 192.168.16.2 (mail), so I can't access shared resources or Exchange.
2) When I connect with the 'users' group, it never asks for my actual VPN credentials - could this be the problem?
I noticed that the PIX doesn't have an interface in the 192.168.16.x subnet. Is the PIX this subnet's default gateway? The default gateway for the 192.168.16 subnet needs to know that in order to get back to the 192.168.17 subnet it needs to route to the PIX.
The reason this is failing, however, is most likely due to your split tunnel ACL being wrong:-
access-list split_T permit ip 192.168.16.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list split_T permit ip 192.168.20.0 255.255.255.0 192.168.17.0 255.255.255.0
This is the wrong way round, i.e. it should read:-
access-list split_T permit ip 192.168.17.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list split_T permit ip 192.168.17.0 255.255.255.0 192.168.20.0 255.255.255.0
It is not asking for a username and password as you have not configured the group for xauth.
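The return-route point raised above (the 192.168.16.x default gateway must send traffic for the VPN pool back to the PIX) can be checked with a longest-prefix-match lookup. This is an added example, not part of the original thread; the PIX inside address, the Internet next hop and both routing tables are constructed assumptions, only the subnets come from the posts.

```python
import ipaddress

PIX_INSIDE = ipaddress.ip_address("192.168.20.1")    # assumed PIX inside address
INET_HOP = ipaddress.ip_address("192.168.20.254")    # assumed Internet next hop
CONNECTED = "connected"                              # directly attached subnet


def table(*entries):
    """Build a routing table from (prefix, next_hop) pairs."""
    return [(ipaddress.ip_network(p), hop) for p, hop in entries]


def next_hop(routes, dest):
    """Longest-prefix match: the hop the LAN gateway picks for dest."""
    dest = ipaddress.ip_address(dest)
    matches = [(net, hop) for net, hop in routes if dest in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def return_path_ok(routes, vpn_client):
    """True when replies to a VPN pool address are handed to the PIX."""
    return next_hop(routes, vpn_client) == PIX_INSIDE


# Constructed table for the 192.168.16.x default gateway, before the fix:
# the VPN pool only matches the default route, so replies never reach the PIX.
BEFORE = table(
    ("192.168.16.0/24", CONNECTED),
    ("192.168.20.0/24", CONNECTED),
    ("0.0.0.0/0", INET_HOP),
)

# Same table with a static route for the VPN pool pointing at the PIX.
AFTER = BEFORE + table(("192.168.17.0/24", PIX_INSIDE))

if __name__ == "__main__":
    for name, routes in (("before", BEFORE), ("after", AFTER)):
        hop = next_hop(routes, "192.168.17.10")
        print(f"{name}: reply to 192.168.17.10 goes via {hop}, "
              f"ok={return_path_ok(routes, '192.168.17.10')}")
```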
Currently you have a group 'username' and password only. What happens if one of your staff members leaves? XAuth is used to add user-based authentication in addition to the group credentials. If you are having more than one person use the VPN, then yes you really do want it... Chances are you'll regret it later.
If Magnus's prior answer answered your query on this, then be nice, give him the points and open a new query. Just because he answered it quickly and precisely doesn't mean it wasn't a great job!