
terminal services (Can't ping IP)


cyberfreek

IS-IT--Management
Jun 12, 2002
US
Hello. Can someone please help.

I am working on a small network with a PIX501 configured with VPN, windows 2000 server and 5 windows XP workstations.

Once I have established a VPN connection, I can remotely access all computers via remote desktop but cannot access the server. I can ping the addresses of each of the desktops (192.168.2.30-34) but cannot ping the address of the server (192.168.2.2). Very strange. And this all worked fine before but unfortunately, I do not know if anything has changed, nor does the customer. Please note that I am able to ping the server's address internally.

Any thoughts would be much appreciated.
 
ChicagoTechNet

I'll look into the LAN firewall. Even if ping was turned off, I should be able to access the server, right? That is not happening.
 
ChicagoTechNet may be right.
The firewall could be activated when the dial-up occurs, blocking access to ICMP and the server's File & Print Services.
(I think it's port 137, 138, 139)
 
rzs0502

I totally agree. I don't think this is the case because I can ping the other machines with no problem.
 
OK. I looked at the internal network and did not find an ISA server configured. The server is a Small Business 2000 server. The odd thing is when I connect via the PIX VPN, I can ping the IPs of the workstations but not the server. I am so stumped and can use your help. Any more ideas?
 
If the server is on a hardware DMZ, you may not be able to access it with a VPN due to security settings.
 
jrwizzard

There is no DMZ. Basically the network consists of 1 PIX501 configured for VPN protecting 5 XP workstations plus an SBS 2000 server. Once I establish a VPN connection, I can ping any of the workstations and remotely access the PCs but am not able to ping the server nor terminal service into it.

ISA server doesn't look like it's installed, so I am confused. Sometimes I think it's related to the PIX, but why am I able to talk to the other workstations?
 
skeezur

Here you go. I appreciate your help.

Cyberfreek
 
Oops. Sorry. My hands were moving too fast. Here is the config.

Result of PIX command: "sh config"

: Saved
:
PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
name 192.168.2.14 ?????
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit gre any any
access-list 100 permit tcp any host x.x.x.138 eq smtp
access-list 100 permit tcp any host x.x.x.138 eq domain
access-list 100 permit tcp any host x.x.x.138 eq www
access-list 100 permit udp any host x.x.x.138 eq domain
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list acl_out0 permit gre any any
pager lines 24
logging on
logging buffered errors
logging trap notifications
logging history notifications
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.137 255.255.255.248
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 10.0.0.1-10.0.0.5
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.140-x.x.x.141
global (outside) 1 interface
global (outside) 1 x.x.x.139
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.2.2 67.119.89.138 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.138 192.168.2.2 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.142 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set xxx esp-3des esp-md5-hmac
crypto map xxx 1 ipsec-isakmp
crypto map xxx 1 match address 101
crypto map xxx 1 set peer x.x.x.17
crypto map xxx 1 set transform-set tm1
crypto map xxx interface outside
isakmp enable outside
isakmp key ******** address x.x.x4.17 netmask 255.255.255.248
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
ssh timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username xxxxxxx password xxxxxxxx
vpdn enable outside
dhcpd address 192.168.2.20-192.168.2.30 inside
dhcpd dns 192.168.2.2 206.13.31.12
dhcpd wins 192.168.2.2
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
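
An added example, not part of the original thread or any poster's code: a small Python lint run over lines taken from the posted "sh config" output. It assumes the PIX 6.x argument order `static (real_if,mapped_if) global_ip local_ip` and flags a static whose global address falls inside the real interface's own subnet, plus a few weak settings visible in the config; the function and pattern names are assumptions made for this example.

```python
import ipaddress
import re

# Lines copied from the "sh config" output in the post above, redactions as posted.
SAMPLE = """\
ip address inside 192.168.2.1 255.255.255.0
static (inside,outside) 192.168.2.2 67.119.89.138 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.138 192.168.2.2 netmask 255.255.255.255 0 0
snmp-server community public
isakmp policy 1 hash md5
isakmp policy 1 group 1
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication mschap
"""
# Settings worth a second look in a hardening review (pattern, reason).
WEAK_PATTERNS = [
    (r"snmp-server community public$", "default SNMP community string"),
    (r"isakmp policy \d+ hash md5$", "IKE policy uses MD5"),
    (r"isakmp policy \d+ group 1$", "IKE policy uses 768-bit DH group 1"),
    (r"vpdn group \S+ ppp authentication pap$", "PPTP accepts cleartext PAP"),
]
IFADDR_RE = re.compile(r"ip address (\w+) (\S+) (\S+)$")
STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask")

def parse_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None  # redacted (x.x.x.N) or named host: cannot be checked

def audit(config):
    """Return (line, reason) findings for a PIX 6.x configuration text."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    nets = {}
    for ln in lines:
        m = IFADDR_RE.match(ln)
        if m and parse_ip(m.group(2)):
            nets[m.group(1)] = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
    findings = []
    for ln in lines:
        m = STATIC_RE.match(ln)
        if m:
            # Argument order: static (real_if,mapped_if) global_ip local_ip
            real_if, _mapped_if, global_ip, _local_ip = m.groups()
            addr, net = parse_ip(global_ip), nets.get(real_if)
            if addr and net and addr in net:
                findings.append((ln, f"global address {addr} is inside {real_if} subnet {net}"))
        findings += [(ln, why) for pat, why in WEAK_PATTERNS if re.match(pat, ln)]
    return findings
```

Running `audit(SAMPLE)` reports the first `static` line and the four weak settings; the second `static` line is skipped because its global address is redacted.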
 