Cisco PIX501 DHCP Problems

We are using a Cisco PIX501 in a 30+ user environment with SBS2003.

SBS2003 is the DNS server and the PIX is the DHCP server.

Problem we're having, which started about a week ago, is that when a client computer gets their address through DHCP they cannot ping the internal IP of the PIX and therefore cannot access the internet. The settings they get via the DHCP server are all set ok.

What I've noticed:
If I manually assign the IP address to the comp using the same address I've gotten via DHCP the problem is still there. If I assign a static address that's not the same and quite a bit higher (but still within the DHCP Pool) then I can ping the PIX and get WAN connection fine.

I.E. won't work but will work and the DHCP Pool is -

Any ideas?  Nothing inside the PIX looked unusual (logs, firewall settings, etc.)... I did unplug the PIX to reboot as well as refreshed config settings.

Can you post the running config for the pix501? I've got the same pix device and never had any problems. I believe though that the pix can only issue 50 DHCP addresses (maybe that was an earlier version of the firmware, but I think mine would only give out 50 DHCP addresses).

Here's a couple of things to check:
Are there any access points or wireless routers that could be handing out DHCP and screwing up your DHCP from the pix? I've had this happen before, especially when using cheap Linksys wireless routers; a power outage has reset some of them before and they would end up giving out DHCP.

Also might want to look into allowing SBS'03 to give out DHCP instead of the Pix. Sometimes that's easier to configure, especially if you don't have Cisco config experience. Really depends on your skill level.

Also could be a subnetting problem. Unlikely, but make sure the IP addresses are in the correct subnet and there isn't some weird subnetting going on.

I would move your DHCP to the server and remove it from the PIX. SBS DHCP options offer you more options for DHCP and help to better integrate with DNS on the server. It will take less than 15 minutes to implement and I am sure you will be happy you did.

Tercestisi (Author) Commented:
Thanks for the insights guys.

I am admittedly a little green in the Cisco arena, VPN IPSec policies specifically.

I see from looking in the pix that there is an IPSec rule that is likely causing the problem (from GUI):
#1 protect ip inside:dynamic-20
#1 protect outside:any ip inside:dynamic-20

The is remote office network and the are addresses on our network and are part of the - DHCP address pool.

Those internal addresses in the IPSec rules show a range of - which happens to be the addresses that do not work if assigned via DHCP. Can someone explain what these rules mean and what the IPSec rules in general mean? I Googled but didn't find much that really explains what is going on here.

Tercestisi (Author) Commented:
Oh, and I will take into strong consideration the moving of the DHCP server role to SBS03.

I'm just curious as to what those rules mean?  A previous admin set those up with a sister company and I'm not familiar enough with site-to-site IPSec protected VPN tunnels.
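
The overlap described in the thread, between the DHCP pool and the inside addresses named in the IPSec rules, can be checked from a saved configuration. This is an added example, not code from the thread: the config text is a constructed sample in PIX 6.x command style (the thread's real addresses are not shown), the ACL and crypto map names are hypothetical, and only the network/mask form of `access-list` source is handled.

```python
import ipaddress
import re

# Constructed sample in PIX 6.x style; names and addresses are hypothetical.
SAMPLE_CONFIG = """\
access-list 101 permit ip 192.168.16.32 255.255.255.224 10.20.0.0 255.255.255.0
access-list 102 permit ip 192.168.16.0 255.255.255.0 any
crypto map sitemap 20 match address 101
dhcpd address 192.168.16.20-192.168.16.80 inside
"""

def crypto_acl_names(config):
    """ACL names referenced by 'crypto map ... match address'."""
    return set(re.findall(r"^crypto map \S+ \d+ match address (\S+)", config, re.M))

def protected_sources(config):
    """Source networks of the ACL lines that select traffic for a tunnel."""
    names = crypto_acl_names(config)
    nets = []
    pattern = r"^access-list (\S+) permit ip (\d\S+) (\d\S+) "
    for name, addr, mask in re.findall(pattern, config, re.M):
        if name in names:  # ignore ACLs not bound to a crypto map
            nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets

def dhcp_pool(config):
    """First and last address of the 'dhcpd address' pool."""
    m = re.search(r"^dhcpd address (\S+)-(\S+) \S+", config, re.M)
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))

def overlapping_leases(config):
    """Pool addresses that also match a crypto ACL source network."""
    first, last = dhcp_pool(config)
    protected = protected_sources(config)
    hits = []
    for block in ipaddress.summarize_address_range(first, last):
        for addr in block:
            if any(addr in net for net in protected):
                hits.append(addr)
    return hits

if __name__ == "__main__":
    hits = overlapping_leases(SAMPLE_CONFIG)
    print(f"{len(hits)} pool addresses match a crypto ACL: {hits[0]} - {hits[-1]}")
```

An empty result means no DHCP lease can land on an address that the IPSec rules select; a non-empty one gives the exact range to exclude from the pool or from the ACL.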