I have a Cisco PIX firewall at the main office, in front of an XP Pro file server. The VPN connection from the remote site connects ok, and I can ping the file server ip, but can't browse its network shares. How can this be done?

I noticed that the IP configuration the client is assigned by the vpn has a 32-bit subnet, whereas the host network has a 24-bit sub. That's gotta be the problem - how do I resolve it by telling the PIX to give VPN clients 24-bit subnets?

You're confused....they're all 32 bit addresses. A zero in any octet is still an 8 bit binary number (ie: 000000000) If you did have two different subnets on the client/server you wouldn't be able to connect at all. By that I mean, you wouldn't be able to ping your file server. I'm willing to bet that since you're using XP and not server software on your "server" that you have to create a user account for your remote connection on the XP machine using the exact username/password used to log onto the client at bootup. Once you have the account created, try connecting remotely and see if you can't access the shares.

What is the VPN endpoint - the PIX or the XP system. I'm assuming it's the PIX. Curt R - subnet masks determine how many bits in the IP address are the subnet address, and how many bits are the host address. Therefore, he is right in what he's saying. He's saying basically the subnet mask is 255.255.255.255 on the client making all bits in its ip address as the subnet address when his network is actually a class C network with a subnet mask of 255.255.255.0. Translation - if his client's IP address is 192.168.0.10, his computer thinks its network address is the 192.168.0.10 (32 bits) when it should think it's network address is 192.168.0.0. (the 10 part is his host address part, therefore the network address is 24 bits). Therefore, the client is sending all traffic other than to itself to it's default gateway address on the VPN connection. Sorry, but I haven't gotten my hands on a PIX to know how to do this, but if you buy me one, I'll figure it out! :-P When all the land is in ruin, and burnination has forsaken the countryside, only one guy will remain. My money is on.... TROOOOOOGDOOOOOOOOOOOOOOOOR!

Curt R - You are right though in that it is interesting he can ping said server and can't connect to the shares if the subnet mask is wrong. That's a bit baffling. Questions I need answered... 1. Can you ping the file server by host name as well as ip address? 2. What are you using for name resolution - DNS or NetBios broadcasting? WINS? 3. Can you access the shares using an IP address instead of a hostname? 4. When you say you can't browse the shares, can you see the computers by name? When all the land is in ruin, and burnination has forsaken the countryside, only one guy will remain. My money is on.... TROOOOOOGDOOOOOOOOOOOOOOOOR!