Windows 7 machines have internet but not Windows XP machines

I have a Cisco ASA 5505 that connects an office of 10 phones and 10 PC's to the main office via VPN. The phones work fine but only one PC has internet and that is the Windows 7 machine. None of the Windows XP machines can ping outside of the local default gateway.
I remoted into the W7 machine and took off IPv6 and it lost internet. When I added IPv6 back, it could get on the net. I added IPv6 to a Windows XP machine but still no internet.

LAN:
Network- 192.168.31.0/24
DG- 192.168.31.1
DNS-  resolves to ISP

Please let me know if you need anything else.
LVL 5
Paul WagnerFriend To Robots and RocksAsked:
Who is Participating?
 
Rob WilliamsConnect With a Mentor Commented:
Sorry, many NAT routers have license limitations for Internet access. Cisco ASA 5505 is one, as do Watchguard, Juniper, and more.  As mentioned the Cisco is available with:

Model ASA5505-BUN-K9 10 users
Model ASA5505-50-BUN-K9  50 users
Model  asa5505-ul-bun-k9  unlimited users

VPN licenses are independent and have different limits.  One site to site VPN license allows unlimited users to connect to the remote site but I believe all are limited to 10 tunnels.
Detailed specs:  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd8048dba8.html

As each device connects it records the MAC address, registers it, and when the limit is reached no other device can connect to the Internet.  Licensing is not concurrent users so shutting down one device does not allow another.  To reset the counter you need to reboot the router.

This is a common issue, however odd that it would be broken into XP and win 7 unless a coincidence.
0
 
MHMAdminsCommented:
Are your windows xp machines setup for DHCP or for static ip addresses? Two is your ASA running your dhcp and is it enabled/configured? Depending on your setup you may have to set your access point to bridge mode if you're using NAT setup.
0
 
Paul WagnerFriend To Robots and RocksAuthor Commented:
@MHMAdmins

Windows XP machines are set up for DHCP, and so is the Windows 7 machine.

ASA is running DHCP and it is working/enabled/configured.
0
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
MHMAdminsCommented:
Are your machines getting a valid ip address if you run ipconfig? test the loop back address by pinging 127.0.0.1 to make sure it's not the NIC. On the windows machines you may have to specify the gateway/DNS in the TCP/IP v4 settings.
0
 
Paul WagnerFriend To Robots and RocksAuthor Commented:
Yes. All machines are getting a DHCP address from the ASA.
Can I specify those settings in the ASA?
Some of these machines get taken home at the end of the day by the user.


Note: Windows 7 machine gets IPv6 addresses for DNS server.
0
 
Rob WilliamsCommented:
How many user licenses do you have?  If for example you have 10 licenses, the 11th PC to connect would be allowed LAN and VPN access, but not Internet.  Sometimes licenses get used up by guest devices such as laptops and phones.  Rebooting the router will reset the counter.

As I recall the default configuration of the 5505 blocks out going pings.  Try a web site by IP to verify it's not a DNS issue, such as google  http://74.125.226.144

>>"Some of these machines get taken home at the end of the day by the user."
Try rebooting the machine.  XP doesn't always release the DHCP IP configuration from another network when disconnected,
0
 
MHMAdminsCommented:
You may have to run ipconfig /flushdns on those endpoints if they are taken home, they may still be using dns cache from the other accesspoints.
0
 
Paul WagnerFriend To Robots and RocksAuthor Commented:
@ RobWill

..... -___-

You're telling me that the 10 license limitation is for individual devices to get internet access? I was told it was a VPN access limitation.

The machines have been rebooted and have had ipconfig /renew done on them.
0
 
Paul WagnerFriend To Robots and RocksAuthor Commented:
ipconfig /flushdns already done.
0
 
MHMAdminsCommented:
Can you turn IPv6 off on the ASA and only have it send out IPV4 addresses? On the xp machines if you can ping and get address but no internet, go into IE properties, then connections tab, LAN settings and make sure automatically detect settings is selected and not using proxy. Then try to browse the internet.
0
 
Rob WilliamsCommented:
>>"You're telling me that the 10 license limitation is for individual devices to get internet access? I was told it was a VPN access limitation"
Yes.

User (Internet access) licenses are available in 10, 50, and unlimited, and priced accordingly.
There are also VPN licenses which are completely independent.
0
 
MHMAdminsCommented:
internet licenses shouldn't have anything to do with it if you are using a NAT setup. This is why NAT was invented as the world is running out of IPV4 addresses to dole out.
0
 
Paul WagnerFriend To Robots and RocksAuthor Commented:
@RobWill

I think you might be right. I've requested a larger license and hope to get that soon. I'll let you know.

What about the VPN license? I have a single site to site vpn set up. Will I be ok there?
0
 
Rob WilliamsCommented:
Yes VPN access should be fine.  Even the basic unit comes with 10 VPN licenses that can be used for any combination of site-to-site tunnels and mobile software VPN users.  As mentioned any number of people can use one site-to-site tunnel.  So long as you don't have more than 9 simultaneous mobile VPN users, you should have no problem.   I suspect if you do have any mobile VPN clients they would be connecting to the main site not the site we are discussing, and have no impact.

>>"I've requested a larger license and hope to get that soon. "
You could test by disconnecting many or all users, reboot the router, and try one XP machine.
0
 
Paul WagnerFriend To Robots and RocksAuthor Commented:
I noticed that the DHCP scope on the ASA only lets me go from a .2 address to a .32.

ex: 192.168.1.2-192.168.1.32

Is that due to the license restrictions as well?
I've purchased the 10-50 user license and am waiting for it. I imagine I should be able to increase the scope at that time.  ...?
0
 
Rob WilliamsCommented:
Correct.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.