An interesting idea here...  And bear in mind I haven't tried using my PIX
as a DHCP server yet...

BUT....  You only have a maximum of 10 IPs you can use for a DHCP pool.  You
are assigning them to the same netmask as your inside interface (I assume
this, the docs don't say anything one way or the other, just stating the IPs
must be in the "same subnet" as the inside interface)...

So:

#1, check the ipconfig of your workstations, make sure the netmask is /24 as
your inside interface...

#2, you are offering specific translation for 10.1.1.255, which is where the
Windows stations are going to attempt to do local broadcast stuff to.
Therefore, those packets will never leave your network.

On a router (like the 3620) you can do an ip helper address.  I would be
interested in what your 3620 config looks like.  I don't believe that PAT
translating the broadcasts is supported (though I could be wrong on that).

Have you tried the LMHOSTS approach?

Scott

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Jim Bond
Sent: Sunday, December 10, 2000 6:18 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: last try: tough VPN question


Hello,

Let me re-describe the situation:

Central office 7100 router, site office PIX (NAT
overload 1 public ip address), IPSec tunnel is
established, clients at site office can't logon NT
domain but can do everything else.

Today, I replaced the PIX with a 3620 router (same
IPSec setup), everything works fine. Clients can logon
NT domain.

I think that proves 1) I don't have naming issue 2) PAT
works with IPSec. I don't understand why PIX wouldn't
work. Please see my PIX config.

Thanks in advance.


Jim

PIX Version 5.2(3)
access-list 100 permit ip host 24.176.210.204 167.191.0.0 255.255.0.0
ip address outside 24.176.210.204 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 24.176.210.1 1
sysopt connection permit-ipsec
crypto ipsec transform-set IPSEC esp-des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 100
crypto map newmap 10 set peer 169.193.13.2
crypto map newmap 10 set transform-set IPSEC
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 169.193.13.2 netmask 255.255.255.255
isakmp identity hostname
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
dhcpd address 10.1.1.101-10.1.1.110 inside
dhcpd dns 24.1.64.33 24.1.64.34
dhcpd wins 169.193.28.60 169.193.148.25
dhcpd lease 3600
dhcpd domain dhcp.lamrc.com
dhcpd enable inside
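
The subnet check from point #1 of the reply, applied to the posted config, as an added example that is not part of the original thread. The function name, the constructed sample and the pool limit of 10 (taken from the reply, not verified) are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: the three relevant lines from the config posted above.
SAMPLE_CONFIG = """\
ip address outside 24.176.210.204 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
dhcpd address 10.1.1.101-10.1.1.110 inside
"""

MAX_POOL = 10  # assumption: pool limit as stated in the reply, not verified


def check_dhcpd_pool(config, ifname="inside", max_pool=MAX_POOL):
    """Return (network, broadcast, problems) for the dhcpd pool on ifname."""
    addr = re.search(
        rf"^ip address {re.escape(ifname)} (\S+) (\S+)\s*$", config, re.M)
    pool = re.search(
        rf"^dhcpd address (\S+)-(\S+) {re.escape(ifname)}\s*$", config, re.M)
    if not addr or not pool:
        raise ValueError(f"missing ip address or dhcpd address for {ifname}")

    # Address plus dotted netmask gives the interface's subnet.
    iface = ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}")
    net = iface.network
    first = ipaddress.ip_address(pool.group(1))
    last = ipaddress.ip_address(pool.group(2))

    problems = []
    if first > last:
        problems.append("pool start is above pool end")
    for ip in (first, last):
        if ip not in net:
            problems.append(f"{ip} is outside {net}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"{ip} is the network or broadcast address")
    if first <= iface.ip <= last:
        problems.append(f"pool contains the interface address {iface.ip}")
    size = int(last) - int(first) + 1
    if size > max_pool:
        problems.append(f"pool has {size} addresses, limit is {max_pool}")
    return net, net.broadcast_address, problems


if __name__ == "__main__":
    net, bcast, problems = check_dhcpd_pool(SAMPLE_CONFIG)
    print(f"inside network {net}, broadcast {bcast}")
    print("\n".join(problems) or "pool is consistent with the inside interface")
```

The broadcast address it reports for the inside network is the 10.1.1.255 address discussed in point #2; a workstation whose ipconfig shows a different netmask would compute a different one.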



