samiam41 asked:
Cisco Pix 501 VPN connection troubleshooting

Greetings Experts!  I inherited a client that has a Cisco Pix 501 setup with VPN enabled.  I was able to find the Cisco VPN client software and make a connection.  But, for whatever reason, I can't do anything once I make the connection.  Can't ping anything on the remote network, connect to server shares, etc...

The client is running Windows 2003 server in an AD domain.  Please help me finish the configuration so that this VPN connection can be completed.  Thanks for your time and help!
AndrewW5:

ACL need adjustment?
Not a very detailed response, I know -- sorry about that!
The client is running Windows 2003 server????

Ah, your customer is running Windows 2003 server...

The first thing I would check:

You are logging into a domain..
Make sure you are getting the IP, mask, and default gateway for the
network you are logging into...

If you get authorized but have your IP configured wrong,
you will have the problem you are describing.

samiam41 (asker):
.....Right.....  So this would be the first connection I set up, as I normally stick with everything inside the building (servers, switches, etc..).  To pick this project up in the middle and not know what he did/didn't set up on the Cisco Pix is probably not the best part to start on.  ; )

When I tried to set this up using Windows VPN, I know we had to create a rras server.  Once I found the Cisco software, I abandoned the Windows idea.  

Why would an ACL issue prevent me from pinging the servers at the remote site?  Perhaps I don't understand enough about it to ask the right questions.
I see it relates to WINS not being setup.

Why would I not be able to ping any of those servers?  I ran ipconfig and see that I have an IP from the Cisco Pix.
Maybe I don't understand your setup (very likely.)

You have  Cisco software client installed, connecting to a PIX that is at a client site, and once connected, you can't communicate over the VPN on any port (right?)

I was wondering if the PIX isn't permitting the traffic.
"I was able to find the Cisco VPN client software and make a connection."

tells me your vpn is working fine

"Can't ping anything on the remote network"

tells me your ip is not in the same xxx.xxx.xxx.
range as the vpn you are logging into
okay what is the ipconfig on the primary domain controller
of the network you are logging into???

and what is the ipconfig on the vpn network connection?
Thanks for sticking in there with me.

During the research of the Cisco Pix, I saw where the person couldn't ping anything by name at the remote site and it related to not having a WINS server set up.  So, I tried pinging one of the servers by IP and it failed (previous post).  During one of my breaks, the VPN client timed out and disconnected, because now that I have reconnected, it is working.  I shouldn't be working on it so late.  ; )

I guess next I will need to do the WINS thing.
DC is 192.168.1.2 and the Cisco is handing out 192.168.20.x IPs.  I can ping by IP and connect with RDP by IP.  Bummer the former support guys didn't set up a WINS server.  Stupid Flanders...
ASKER CERTIFIED SOLUTION by MightySW (post body not included on this page)
Well.....  This gives me something to think about and read.  I'm glad you posted that as I would have assumed otherwise.  I will begin looking at the info later in the morning and post any questions I have from it.  Thanks for the post!
No worries
Les Moore (lrmoore):
You have to make sure you set up the VPN using a different IP subnet than the internal network, that you use nat_zero to bypass NAT between the inside network and the VPN client subnet, that you enable NAT traversal, and that you enable split tunneling.

If you can post your PIX config, I'm sure we can get you the exact commands you need to make it work.
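The commands lrmoore eventually posted are behind the paywall on this page, so the following is an added example, constructed here and not taken from the thread: a PIX 6.x configuration fragment that implements the four points above (separate VPN pool subnet, nat 0 for inside-to-pool traffic, NAT traversal, split tunneling) using the addresses that appear later in the thread (inside LAN 192.168.1.0/24, VPN pool 192.168.20.x, DC at 192.168.1.2). It also pushes the DNS and WINS server to the client, which is the setting the asker later needs. The names vpnpool, nonat, splittunnel, rasha, dynmap, outside_map, remoteusers and example.local are assumptions.

```cisco
! Added example (constructed; not from this thread). PIX 6.x syntax, entered after "configure terminal".
! Names vpnpool, nonat, splittunnel, rasha, dynmap, outside_map and remoteusers are assumptions.

! 1. VPN client pool on a subnet that does NOT overlap the inside LAN (192.168.1.0/24)
ip local pool vpnpool 192.168.20.1-192.168.20.50

! 2. nat 0: traffic between the inside LAN and the VPN pool must bypass NAT.
!    Without this the replies to the client get translated and the tunnel comes up
!    but nothing answers, which is the symptom described at the top of the thread.
!    Keep the ACL scoped to the pool, not "any", so only VPN traffic is exempted.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list nonat

! 3. NAT traversal (UDP 4500) so a client behind a home router can build the tunnel
isakmp enable outside
isakmp nat-traversal 20
! Let decrypted IPsec traffic bypass the outside interface access list
sysopt connection permit-ipsec

! IKE phase 1 / IPsec phase 2 parameters for the Cisco VPN client
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set rasha esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set rasha
crypto map outside_map 10 ipsec-isakmp dynamic dynmap
crypto map outside_map client configuration address respond
crypto map outside_map interface outside

! 4. Split tunneling: only the inside LAN is sent through the tunnel. The ACL lists
!    the protected network as source and the VPN pool as destination.
access-list splittunnel permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0

! Group settings pushed to the client, including DNS/WINS = the DC at 192.168.1.2
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers dns-server 192.168.1.2
vpngroup remoteusers wins-server 192.168.1.2
vpngroup remoteusers default-domain example.local
vpngroup remoteusers split-tunnel splittunnel
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password <group-preshared-key-placeholder>
```

To check the result after a client connects: `show isakmp sa` should list the client's public address, `show crypto ipsec sa` should show non-zero encaps/decaps counters while the client pings an inside host, and `show access-list nonat` hit counts should increase; a tunnel that stays up with zero decaps or zero nonat hits points at the nat 0 or split-tunnel ACL rather than at IKE. Two caveats a practitioner would want: the pool subnet must also not collide with the subnet the client's own home router uses (the thread later hits exactly this with 192.168.1.x on both ends), and split tunneling leaves the client simultaneously attached to its local LAN and the corporate LAN, so endpoint patching and firewalling on the remote PCs matter more than with a full tunnel.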
; )  Thanks lrmoore.

Working on it getting you the info now.
I can't remember how I got the router into config mode.  I have it at mppix# now.
Is
>configure terminal
correct?
mppix#config term
mppix(config)#
Ok.  Let's try this.  (attached: pixconfig.txt)
SOLUTION (post body not included on this page)
Wahoo!  That is music to my ears.

I will make those changes now.  I suppose that I need to be in config mode to do these and type them just as you have them?
Yes, just type them in exactly as they are from the config mode
Perfect.  They were all accepted (no error messages).  I am testing now!
Isn't split tunneling great!!!

You should be good to go now with those commands
Testing is forthcoming.

I have to say this was a very humbling experience.  I never pretend to be a wiz when it comes to IT and feel more comfortable with servers and small/medium sized networking.  What you experts have done with this question has taught me a lot and I appreciate it more than anything.  Thanks again for all of your time and patience!  I know I can ask some dumb questions, especially when it comes to an area that I don't know as well as you.
Seriously not a dumb question, there are no dumb questions.
I appreciate that.  ; )

Last night I was able to install and set up the VPN clients for the customer.  All three computers were able to make remote connections.  There were a couple of "gotchas" (one of the PCs at the customer's house received the IP 192.168.1.2 from the wireless router and, as luck would have it, the server at the remote site had the IP 192.168.1.2).  After a quick change on the DHCP scope on the wireless router to begin at 192.168.1.10 and a release/renew, things went a little smoother.

The only issue I couldn't resolve relates to the VPN connection giving the customer the DNS server as 192.168.1.1 where I need it to be 192.168.1.2.  If someone could help me with this part, I would appreciate it.  I will close out the ticket and award points once I resolve this last part.
SOLUTION (post body not included on this page)
Score lrmoore.

Running it now.
Finally.  Project complete.  Now to put all of the documents I have (including this question being printed to a PDF) into the knowledge base.  

I can't thank you all enough.  Without you, I wouldn't have been able to complete this.  I also learned a lot more about VPN's and Cisco which is a major bonus.  I am working on the points now and will close out the question.
Take care!!

Regards,
Aaron