pix simple vpn connectivity

I have a pix 506e set up at the HQ that is fully operational.  I have a pix 501 set up at another location for "simple" site to site vpn.  The connection is established and I can ping the servers at the HQ.  I'm able to map the network shared drives.  Remote users using the Cisco VPN client have full connectivity.

The problem is Outlook won't connect to the Exchange server.  As a novice with routing I'm unsure what all needs to be set to establish connectivity through the VPN and the pix501.  Below is the config for the 501

Any help is greatly appreciated, looking to have this working by Monday morning for production.

Thank you
adipix2(config)# sh conf
: Saved
: Written by enable_15 at 03:34:04.800 UTC Sun Jun 28 2009
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ........encrypted
passwd ......... encrypted
hostname adipix2
domain-name adi.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit icmp any any
access-list inbound permit tcp any any eq www
pager lines 24
logging console debugging
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inbound in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol tacacs+
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
sysopt connection permit-l2tp
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 15
console timeout 0
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd dns 68.115.71.53 24.196.64.53
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
vpnclient server x.x.x.x
vpnclient mode client-mode
vpnclient vpngroup "changed" password ********
vpnclient enable
terminal width 80
Cryptochecksum:....
adipix2(config)#

Open in new window

fi3cAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

asavenerCommented:
Can the client ping the Exchange server by name?
0
asavenerCommented:
I should explain:  I don't think the problem is necessarily with the VPN.  It could be routing on the Exchange server or name resolution.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
asavenerCommented:
Also, what made you decide on client-mode rather than network extension mode?  
0
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

fi3cAuthor Commented:
I can ping the server by IP,  not by server name.

I choose client mode by default from the previous settings before were forced to move the network because of flooding.  Is there any advantages from client mode to network extension?  I'm still a novice in the networking field.  (actually in college now for NSA)

I am open to advice on this setup.  We are basically swapping the HQ with one of the remote offices.  The new HQ is in place and functional.  

Unsure if this makes a difference or not but the HQ is on 192.168.0.  and the remote office is on 192.168.1.  
0
fi3cAuthor Commented:
If it's useful I can access the 506e to post a config detail.

regards
0
asavenerCommented:
I think Outlook requires name resolution to work.

For a quick fix, try adding the Exchange server to your hosts file; this will tell you if the problem is name resolution or not.

Once we know that, we can troubleshoot the name resolution problem.
0
fi3cAuthor Commented:
I've added the host file to my local machine with no luck.  Just to clarify adding host files in:

C:\Windows\System32\drivers\etc\hosts

added the line:   192.168.0.250 servername    (edited)

I've also remote desktop another terminal inside the main network to check ping to name and it worked.  

Just to add a more history to the relocation of the network.  The server and 506e all moved to the new location at the same time.  The only thing that was changed on the 506e is the static outside IP addressing.  Nothing was changed on the server.
0
lrmooreCommented:
>dhcpd dns 68.115.71.53 24.196.64.53
Given that you are using public DNS servers, you should be giving the clients the local server IP for DNS, enable DNS on that server, and make sure it forwards requests to the primary/secondary dns servers in HQ.
You could try a LMHOSTS file with 3 entries.
1 for the domain
1 for a domain controller
1 for the exchange server
http://support.microsoft.com/kb/314108
0
fi3cAuthor Commented:
Is it possible to put the DNS addy in the pix to avoid having clients use static addressing?
0
fi3cAuthor Commented:
It's a small network, one server hosts most services DNS, Exchange, WINS...  I dropped the IP for the exchange server in the WINS and DNS again as static and it connected....  wohoo  Before It did I had to reload them both on the server for some reason.

Thank you for the infos gents.  I know I should start a new thread for this, but is there a simple was to copy setting from one Pix501 to another?>

Regards,

fi3c
0
fi3cAuthor Commented:
Thank you for the direction fellas.  It was enough to firgure out the rest on my own.  

Much appreciated.

fi3c
0
lrmooreCommented:
Just change the dhcpd dns entry on the PIX to give clients the private IP of the DNS server instead of the public dns servers.
To copy from one pix to another is simple. Copy the text from the config on one to a notepad file, then copy/paste the exact config you want into the other PIX at the command prompt.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.