fimbulvetr
IS-IT--Management
Hello all, my first time at posting, and this seems like a very knowledgeable group. Hopefully I will be able to describe my situation so you can discern my problem.
I have a Cisco PIX 515 at work. I have the typical external IP address with the typical internal addresses, 192.168.0.x.
At home, I connect to the DSL and have my own little LAN, as it may be classified.
At home I have 1 Linux box (RH6.2) running the Cisco VPN Client for Linux, ver 3.5.1 (new as of last week).
Also, on this Linux box, I run IP MASQ (NAT) for my 3 internal machines. This subnet can be classified as 172.16.1.x.
My PIX gives my Linux box an address for the client of 172.32.1.5.
The PIX and the entire 192.168.0.x subnet see all 3 of my boxes as 172.32.1.5, because of the NATting my Linux box does.
This works great, except when getting on the internet.
I can connect to the internet and surf just fine; it's just that right when I fire up IE there is exactly a 15-second pause from the white IE screen to when it pulls up Google.
During these 15 seconds, Ethereal (packet sniffer) has shown me there are exactly 2 packets that go out, both of them headed towards my PDC containing SMB logon requests. They are, obviously, 7.5 seconds apart down to 1/1000 of a second.
My theory is this:
Most of us know/can guess that Windows 2000 does not have the same logon procedures as NT4. They use the same methods, but if Windows 2000 cannot find a PDC/BDC at logon, it simply continues to log you in with cached credentials. (This sucks when you have users with supposedly locked out accounts; there is a MSKB on it.) NT4, however, is glad to tell you there is no PDC and you will be logged on with cached credentials, and never cares again.
My theory is, with my logons cached, every time I connect to the internet, W2k tries again to authenticate me prior to allowing IE to access externally.
I've searched relentlessly to shut this off, but it still does not work.
When W2k sends these two packets out, they are hard coded with my internal address, i.e. 172.16.1.2.
Since my PDC sees me as 172.32.1.5, it doesn't know who to contact to tell me I've been authenticated.
I've even tried to use the same subnet the PIX gives me, i.e. 172.32.1.6, and even from the PIX, I can ping 172.32.1.5 but not 172.32.1.6.
Since the PIX is the default gateway for my internal 192.168.0.x LAN, I would think it would be as easy as setting up a route, but not quite.
See, you have to have an interface or IP address to set up a route.
My PIX hands out 172.32.1.x but doesn't see itself as a 172.32.1.x in any situation. Nor does it see a real or virtual interface to 172.32.1.x from itself.
Any suggestions?
Thanks
fim
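The symptom described in the post (the IP header source rewritten to 172.32.1.5 by IP MASQ while the SMB logon payload still names the pre-NAT client 172.16.1.2, sent twice 7.5 seconds apart) can be spotted mechanically from a capture summary. This is an added example, not code from the original post; the line layout and the `client_ip=` field are constructed for illustration, not a real Ethereal or SMB field name.

```python
# Added example, not from the original post: walk a constructed capture
# summary, flag SMB logon packets whose payload still carries the pre-NAT
# client address, and measure the spacing between the retries.
# The line layout and the "client_ip=" field are invented for this example.

# Constructed sample lines: <seconds> <src_ip> <dst_ip> <proto> <info...>
SAMPLE_CAPTURE = """\
0.000 172.32.1.5 192.168.0.10 SMB logon request client_ip=172.16.1.2
7.500 172.32.1.5 192.168.0.10 SMB logon request client_ip=172.16.1.2
15.010 172.32.1.5 203.0.113.10 HTTP GET / HTTP/1.0
"""

VPN_ASSIGNED_IP = "172.32.1.5"   # address the PIX hands the VPN client


def parse_capture(text):
    """Turn each non-empty line into a dict; info keeps the trailing words."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        secs, src, dst, proto, *info = line.split()
        rec = {"t": float(secs), "src": src, "dst": dst,
               "proto": proto, "info": " ".join(info)}
        # Pull the address the payload claims, if the summary shows one.
        for token in info:
            if token.startswith("client_ip="):
                rec["client_ip"] = token.split("=", 1)[1]
        records.append(rec)
    return records


def nat_mismatches(records, expected_src=VPN_ASSIGNED_IP):
    """SMB packets from the VPN client whose embedded client address differs
    from the header source: the PDC answers the embedded one, which the
    192.168.0.x side has no route to."""
    return [(r["t"], r["src"], r["client_ip"])
            for r in records
            if r["proto"] == "SMB" and "client_ip" in r
            and r["src"] == expected_src and r["client_ip"] != r["src"]]


def logon_retry_gaps(records):
    """Seconds between consecutive SMB logon requests (the 7.5 s pattern)."""
    times = [r["t"] for r in records
             if r["proto"] == "SMB" and "logon" in r["info"]]
    return [round(b - a, 3) for a, b in zip(times, times[1:])]
```

Running `nat_mismatches(parse_capture(SAMPLE_CAPTURE))` on the sample returns both logon packets with the 172.16.1.2 mismatch, and `logon_retry_gaps` returns the single 7.5 s interval.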