Solved

Windows 7 machines have internet but not Windows XP machines

Posted on 2013-11-11
16
288 Views
Last Modified: 2013-11-26
I have a Cisco ASA 5505 that connects an office of 10 phones and 10 PC's to the main office via VPN. The phones work fine but only one PC has internet and that is the Windows 7 machine. None of the Windows XP machines can ping outside of the local default gateway.
I remoted into the W7 machine and took off IPv6 and it lost internet. When I added IPv6 back, it could get on the net. I added IPv6 to a Windows XP machine but still no internet.

LAN:
Network- 192.168.31.0/24
DG- 192.168.31.1
DNS-  resolves to ISP

Please let me know if you need anything else.
0
Comment
Question by:Paul Wagner
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
  • 5
16 Comments
 
LVL 9

Expert Comment

by:MHMAdmins
ID: 39639191
Are your windows xp machines setup for DHCP or for static ip addresses? Two is your ASA running your dhcp and is it enabled/configured? Depending on your setup you may have to set your access point to bridge mode if you're using NAT setup.
0
 
LVL 5

Author Comment

by:Paul Wagner
ID: 39639201
@MHMAdmins

Windows XP machines are set up for DHCP, and so is the Windows 7 machine.

ASA is running DHCP and it is working/enabled/configured.
0
 
LVL 9

Expert Comment

by:MHMAdmins
ID: 39639210
Are your machines getting a valid ip address if you run ipconfig? test the loop back address by pinging 127.0.0.1 to make sure it's not the NIC. On the windows machines you may have to specify the gateway/DNS in the TCP/IP v4 settings.
0
Are Your IoT Devices Out to Get You?

IoT business is booming, with manufacturers connecting any and every “thing” to the Internet. But as pressure grows to release new products faster and faster, we’re all left to wonder: is security a priority? Join our webinar on June 29th for the answer.

 
LVL 5

Author Comment

by:Paul Wagner
ID: 39639220
Yes. All machines are getting a DHCP address from the ASA.
Can I specify those settings in the ASA?
Some of these machines get taken home at the end of the day by the user.


Note: Windows 7 machine gets IPv6 addresses for DNS server.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 39639221
How many user licenses do you have?  If for example you have 10 licenses, the 11th PC to connect would be allowed LAN and VPN access, but not Internet.  Sometimes licenses get used up by guest devices such as laptops and phones.  Rebooting the router will reset the counter.

As I recall the default configuration of the 5505 blocks out going pings.  Try a web site by IP to verify it's not a DNS issue, such as google  http://74.125.226.144

>>"Some of these machines get taken home at the end of the day by the user."
Try rebooting the machine.  XP doesn't always release the DHCP IP configuration from another network when disconnected,
0
 
LVL 9

Expert Comment

by:MHMAdmins
ID: 39639239
You may have to run ipconfig /flushdns on those endpoints if they are taken home, they may still be using dns cache from the other accesspoints.
0
 
LVL 5

Author Comment

by:Paul Wagner
ID: 39639265
@ RobWill

..... -___-

You're telling me that the 10 license limitation is for individual devices to get internet access? I was told it was a VPN access limitation.

The machines have been rebooted and have had ipconfig /renew done on them.
0
 
LVL 5

Author Comment

by:Paul Wagner
ID: 39639267
ipconfig /flushdns already done.
0
 
LVL 9

Expert Comment

by:MHMAdmins
ID: 39639273
Can you turn IPv6 off on the ASA and only have it send out IPV4 addresses? On the xp machines if you can ping and get address but no internet, go into IE properties, then connections tab, LAN settings and make sure automatically detect settings is selected and not using proxy. Then try to browse the internet.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 39639293
>>"You're telling me that the 10 license limitation is for individual devices to get internet access? I was told it was a VPN access limitation"
Yes.

User (Internet access) licenses are available in 10, 50, and unlimited, and priced accordingly.
There are also VPN licenses which are completely independent.
0
 
LVL 9

Expert Comment

by:MHMAdmins
ID: 39639303
internet licenses shouldn't have anything to do with it if you are using a NAT setup. This is why NAT was invented as the world is running out of IPV4 addresses to dole out.
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 39639363
Sorry, many NAT routers have license limitations for Internet access. Cisco ASA 5505 is one, as do Watchguard, Juniper, and more.  As mentioned the Cisco is available with:

Model ASA5505-BUN-K9 10 users
Model ASA5505-50-BUN-K9  50 users
Model  asa5505-ul-bun-k9  unlimited users

VPN licenses are independent and have different limits.  One site to site VPN license allows unlimited users to connect to the remote site but I believe all are limited to 10 tunnels.
Detailed specs:  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd8048dba8.html

As each device connects it records the MAC address, registers it, and when the limit is reached no other device can connect to the Internet.  Licensing is not concurrent users so shutting down one device does not allow another.  To reset the counter you need to reboot the router.

This is a common issue, however odd that it would be broken into XP and win 7 unless a coincidence.
0
 
LVL 5

Author Comment

by:Paul Wagner
ID: 39639390
@RobWill

I think you might be right. I've requested a larger license and hope to get that soon. I'll let you know.

What about the VPN license? I have a single site to site vpn set up. Will I be ok there?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 39639461
Yes VPN access should be fine.  Even the basic unit comes with 10 VPN licenses that can be used for any combination of site-to-site tunnels and mobile software VPN users.  As mentioned any number of people can use one site-to-site tunnel.  So long as you don't have more than 9 simultaneous mobile VPN users, you should have no problem.   I suspect if you do have any mobile VPN clients they would be connecting to the main site not the site we are discussing, and have no impact.

>>"I've requested a larger license and hope to get that soon. "
You could test by disconnecting many or all users, reboot the router, and try one XP machine.
0
 
LVL 5

Author Comment

by:Paul Wagner
ID: 39639483
I noticed that the DHCP scope on the ASA only lets me go from a .2 address to a .32.

ex: 192.168.1.2-192.168.1.32

Is that due to the license restrictions as well?
I've purchased the 10-50 user license and am waiting for it. I imagine I should be able to increase the scope at that time.  ...?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 39639492
Correct.
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A small collection of useful tips and tricks for Windows 10 users that I decided to write as a result of recent questions that were asked and answered at Experts Exchange. Two short video tutorials included. Enjoy..
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
In this video, viewers are given an introduction to using the Windows 10 Snipping Tool, how to quickly locate it when it's needed and also how make it always available with a single click of a mouse button, by pinning it to the Desktop Task Bar. Int…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question