Re: Still doesn't work: tough VPN question

2000-12-08 Thread Benjamin Walling

Pinging does not verify name resolution for WINS.  Ping will resolve a name
using DNS.  MS uses WINS (NetBIOS naming) for Domain Logins and for mapping
drives, etc.

Try this link on Cisco's website for help with coordinating your NT domain
with your network layout:
http://www.cisco.com/warp/public/473/winnt_dg.htm

It covers WINS and things like that.

Ben

"Jim Bond" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Hello,
>
> Thank you guys for the help. Unfortunately, I tried to
> put LMHOST file, still doesn't work. We use WINS and I
> can ping domain controller using name so I don't think
> it's naming issue.
>
> I used a sniffer captured some data, client is sending
> logon request to domain controller but didn't get any
> response. Looks like PIX blocks it. How do I open
> it(port 137, 138, 139)?
>
> Thanks in advance.
>
>
> Jim
>
> --- Scott Morris <[EMAIL PROTECTED]> wrote:
> > Your problem is likely the propagation of
> > broadcasts...  Or lack thereof.
> > One thing you can do (I'm assuming you have a router
> > before (LAN-side) the
> > PIX) is set up an ip-helper address to forward
> > UDP-level broadcasts (like
> > 138/139 Netbios) to the NT server.
> >
> > The other thing you can do is bypass that broadcast
> > thought process by using
> > LMHosts files on the workstations at the branch
> > office.  That will pre-load
> > (if you use the #PRE designation) the NetBIOS cache
> > and give you IP
> > addresses to go to.  So if you have IP reachability,
> > things will work just
> > fine then.
> >
> > In LMHOSTS. :
> >
> > (ip address) (Netbios name) #PRE #DOM:(domain name
> > if domain controller)
> >
> > Also, to refresh without rebooting the PCs, "nbtstat
> > -R"
> >
> > Hope this helps!
> >
> > Scott
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of
> > Jim Bond
> > Sent: Thursday, December 07, 2000 1:19 AM
> > To: [EMAIL PROTECTED]
> > Cc: [EMAIL PROTECTED]
> > Subject: tough VPN question
> >
> >
> > Hello,
> >
> > I'm trying to set up a IPSec between a PIX (branch
> > office) and router (central office). All PCs at
> > branch
> > office share 1 ip address. IPSec seems to be working
> > fine because clients can ping/telnet/email/map
> > drives
> > from/to central office. The problem is they can't
> > logon NT domain. They can ping domain controller
> > though.
> >
> > Any idea why they can't log on NT domain? (The
> > machines were already added to domain)
> >
> > Thanks in advance.
> >
> >
> > Jim
> >
> >
> ___
> > To unsubscribe from the CCIELAB list, send a message
> > to
> > [EMAIL PROTECTED] with the body containing:
> > unsubscribe ccielab
> >
> > _
> > FAQ, list archives, and subscription info:
> > http://www.groupstudy.com/list/cisco.html
> > Report misconduct and Nondisclosure violations to
> [EMAIL PROTECTED]



Re: Still doesn't work: tough VPN question

2000-12-08 Thread Benjamin Walling

Yes, WINS resolves NetBIOS names to IP addresses, but only for Windows
networking functions.  It is not used for ping, ftp, telnet, etc.  It is
used for name resolution with relation to file sharing, domain traffic, etc.

The order in which a Windows box will try to resolve a DNS name (what
happens when you ping):
Host file
DNS
Cache
WINS
Broadcast
LMHosts

The order in which a Windows box will try to resolve a NetBIOS name:
Cache
WINS
Broadcast
LMHosts
Hosts
DNS
(of course you can modify the NetBIOS node type and change this)

""Frank Wells"" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Name resolution is exactly what WINS does!  It maps Netbios names to IP
> addresses.  Windows clients resolve names to IP addresses using a number of
> criteria, and depending on what kind of node they are (H;B;P;M) the order
> that they search services and files differs.  They certainly do not need DNS
> to resolve IP addresses, although it would be an improvement over their
> native methods.
>
> Take a look at RFC's 1001/1002 for deeper insight.
>
> BTW, RPC's are used for mapping drives etc.
>
>
> >From: "Benjamin Walling" <[EMAIL PROTECTED]>
> >Reply-To: "Benjamin Walling" <[EMAIL PROTECTED]>
> >To: [EMAIL PROTECTED]
> >Subject: Re: Still doesn't work: tough VPN question
> >Date: Fri, 8 Dec 2000 08:27:04 -0500
> >
> >Pinging does not verify name resolution for WINS.  Ping will resolve a name
> >using DNS.  MS uses WINS (NetBIOS naming) for Domain Logins and for mapping
> >drives, etc.
> >
> >Try this link on Cisco's website for help with coordinating your NT domain
> >with your network layout:
> >http://www.cisco.com/warp/public/473/winnt_dg.htm
> >
> >It covers WINS and things like that.
> >
> >Ben
> >
> >"Jim Bond" <[EMAIL PROTECTED]> wrote in message
> >news:[EMAIL PROTECTED]...
> > > Hello,
> > >
> > > Thank you guys for the help. Unfortunately, I tried to
> > > put LMHOST file, still doesn't work. We use WINS and I
> > > can ping domain controller using name so I don't think
> > > it's naming issue.
> > >
> > > I used a sniffer captured some data, client is sending
> > > logon request to domain controller but didn't get any
> > > response. Looks like PIX blocks it. How do I open
> > > it(port 137, 138, 139)?
> > >
> > > Thanks in advance.
> > >
> > >
> > > Jim
> > >
> > > --- Scott Morris <[EMAIL PROTECTED]> wrote:
> > > > Your problem is likely the propagation of
> > > > broadcasts...  Or lack thereof.
> > > > One thing you can do (I'm assuming you have a router
> > > > before (LAN-side) the
> > > > PIX) is set up an ip-helper address to forward
> > > > UDP-level broadcasts (like
> > > > 138/139 Netbios) to the NT server.
> > > >
> > > > The other thing you can do is bypass that broadcast
> > > > thought process by using
> > > > LMHosts files on the workstations at the branch
> > > > office.  That will pre-load
> > > > (if you use the #PRE designation) the NetBIOS cache
> > > > and give you IP
> > > > addresses to go to.  So if you have IP reachability,
> > > > things will work just
> > > > fine then.
> > > >
> > > > In LMHOSTS. :
> > > >
> > > > (ip address) (Netbios name) #PRE #DOM:(domain name
> > > > if domain controller)
> > > >
> > > > Also, to refresh without rebooting the PCs, "nbtstat
> > > > -R"
> > > >
> > > > Hope this helps!
> > > >
> > > > Scott
> > > >
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED]]On Behalf Of
> > > > Jim Bond
> > > > Sent: Thursday, December 07, 2000 1:19 AM
> > > > To: [EMAIL PROTECTED]
> > > > Cc: [EMAIL PROTECTED]
> > > > Subject: tough VPN question
> > > >
> > > >
> > > > Hello,
> > > >
> > > > I'm trying to set up a IPSec between a PIX (branch
> > > > office) and router (central office). All PCs at
> > > > branch
> > > > office share 1 ip address. IPSec seems to be working
> > > > fine because clients can ping/telnet/email/map
> > > > drives
> > >

Re: Still doesn't work: tough VPN question

2000-12-08 Thread Rik Guyler

Jim, here is a link to an MS KB article outlining the requirements for
domain traffic over a firewall.  Open these ports on the firewall to pass
the domain traffic.  

Here's what happens: a client comes up and broadcasts for an available DC.
This also happens over TCP/IP, even if TCP/IP is the only network protocol
installed.  When the DC receives the broadcast, it will respond to the
client in kind.  If the DC happens to reside on a different subnet than does
the client, then some help is needed.  This is where WINS/LMHOSTS comes into
play.  Not only do these services provide name resolution, but more
importantly, they point to the location of critical services on an MS
network.  That's why the authentication process can be made to work with
these services, but most likely not without them as the broadcast DC request
will not cross a router by default.  PING, on the other hand, does not have
this same limitation as it's not a broadcast.  

BTW, PING has nothing to do with either DNS or WINS.  DNS/WINS provides a
service (name resolution) for the PING process to use, but the client
"decides" which form of resolution to use first and then uses the other in
case the first service used fails.

Just make sure you open the proper netbios ports per this link, your clients
have the WINS settings and that your domain controllers are registered with
WINS, which happens automagically provided there is a WINS address(es) in
the TCP/IP properties on the DCs.  Otherwise, as Scott Morris stated in a
previous reply, an entry in the LMHOSTS file will work so long as you
include the #PRE and #DOM tags with the appropriate address of the DC.

Of course, you could use the IP-helper address also as Scott stated.

http://support.microsoft.com/support/kb/articles/Q179/4/42.asp

Good luck!

---
Rik Guyler

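The replies above recommend LMHOSTS entries that carry both #PRE and #DOM. The following Python check is an added example, not part of any poster's message: it lints an LMHOSTS file for the mistakes that leave a domain-controller entry unusable. The sample file, its addresses, host names and the CORP domain are constructed.

```python
import ipaddress

# Constructed sample: the addresses, host names and CORP domain are invented.
SAMPLE_LMHOSTS = """\
# LMHOSTS for branch-office workstations (constructed sample)
10.1.1.10   PDC01                #PRE #DOM:CORP   # primary DC
10.1.1.11   BDC01                #DOM:CORP
10.1.1.12   FILESERVER-EAST-01   #PRE
10.1.1.300  WINS01               #PRE
10.1.1.13   PRINT01
10.1.1.14   BDC02                #PRE #DOM:
"""

MAX_NETBIOS_NAME = 15  # the 16th byte of a NetBIOS name is the service suffix


def parse_lmhosts(text):
    """Return (entries, problems) for the text of an LMHOSTS file.

    entries  -- list of dicts: line, ip, name, preload, domain
    problems -- list of (line number, message) for entries needing attention
    """
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line, comment, or a directive such as #INCLUDE
        if len(fields) < 2:
            problems.append((lineno, "entry needs an IP address and a name"))
            continue
        ip, name = fields[0], fields[1]
        preload, domain = False, None
        for token in fields[2:]:
            if token.upper() == "#PRE":
                preload = True
            elif token.upper().startswith("#DOM:"):
                domain = token[5:]
            elif token.startswith("#"):
                break  # trailing comment (other keywords are not modelled)
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append((lineno, f"{ip!r} is not a valid IPv4 address"))
            continue
        if len(name) > MAX_NETBIOS_NAME:
            problems.append((lineno, f"name {name!r} is longer than 15 characters"))
            continue
        if domain == "":
            problems.append((lineno, "#DOM: is missing the domain name"))
            domain = None
        elif domain is not None and not preload:
            problems.append((lineno, "#DOM without #PRE: entry is not preloaded"))
        entries.append({"line": lineno, "ip": ip, "name": name,
                        "preload": preload, "domain": domain})
    return entries, problems


def domain_controllers(entries, domain):
    """IPs of entries carrying both #PRE and #DOM:<domain> (case-insensitive)."""
    return [e["ip"] for e in entries
            if e["preload"] and e["domain"]
            and e["domain"].upper() == domain.upper()]


if __name__ == "__main__":
    entries, problems = parse_lmhosts(SAMPLE_LMHOSTS)
    for lineno, message in problems:
        print(f"line {lineno}: {message}")
    print("usable DC entries for CORP:", domain_controllers(entries, "CORP"))
```

After correcting the file on a workstation, "nbtstat -R" (mentioned earlier in the thread) reloads the cache without a reboot.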



Re: Still doesn't work: tough VPN question

2000-12-08 Thread Benjamin Walling

Absolutely.  It just makes a difference what order Windows uses to resolve.
Ping, telnet, etc will try to resolve a DNS as a DNS name.  If it fails at
this, it will use WINS/LMHosts.  So, yes you can 'telnet netbiosname'

If you just type in 'ping bob', Windows will tack on 'yourdomain.com' and
try to resolve it using DNS.  So, you are likely just resolving this with
DNS.  However, if your DNS host name and your NetBIOS name are different,
then you will use WINS to resolve this.

So, using ping will not verify that WINS is working, unless you use a
NetBIOS name that is not also a DNS name.  If the NetBIOS name and the DNS
host name are the same, your computer could resolve that name with DNS.  So,
you will not verify that WINS is working by pinging something where the
NetBIOS name is the same as the DNS host name.

Ben

"Joseph Ezerski" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I beg to disagree with you.  I can certainly telnet, ftp and ping to any
> NETBios name on my network.
>
>
>
> -Original Message-
> From: Benjamin Walling [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 08, 2000 9:21 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Still doesn't work: tough VPN question
>
>
> Yes, WINS resolves NetBIOS names to IP addresses, but only for Windows
> networking functions.  It is not used for ping, ftp, telnet, etc.  It is
> used for name resolution with relation to file sharing, domain traffic, etc.
>
> The order in which a Windows box will try to resolve a DNS name (what
> happens when you ping):
> Host file
> DNS
> Cache
> WINS
> Broadcast
> LMHosts
>
> The order in which a Windows box will try to resolve a NetBIOS name:
> Cache
> WINS
> Broadcast
> LMHosts
> Hosts
> DNS
> (of course you can modify the NetBIOS node type and change this)
>
> ""Frank Wells"" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Name resolution is exactly what WINS does!  It maps Netbios names to IP
> > addresses.  Windows clients resolve names to IP addresses using a number of
> > criteria, and depending on what kind of node they are (H;B;P;M) the order
> > that they search services and files differs.  They certainly do not need DNS
> > to resolve IP addresses, although it would be an improvement over their
> > native methods.
> >
> > Take a look at RFC's 1001/1002 for deeper insight.
> >
> > BTW, RPC's are used for mapping drives etc.
> >
> >
> > >From: "Benjamin Walling" <[EMAIL PROTECTED]>
> > >Reply-To: "Benjamin Walling" <[EMAIL PROTECTED]>
> > >To: [EMAIL PROTECTED]
> > >Subject: Re: Still doesn't work: tough VPN question
> > >Date: Fri, 8 Dec 2000 08:27:04 -0500
> > >
> > >Pinging does not verify name resolution for WINS.  Ping will resolve a name
> > >using DNS.  MS uses WINS (NetBIOS naming) for Domain Logins and for mapping
> > >drives, etc.
> > >
> > >Try this link on Cisco's website for help with coordinating your NT domain
> > >with your network layout:
> > >http://www.cisco.com/warp/public/473/winnt_dg.htm
> > >
> > >It covers WINS and things like that.
> > >
> > >Ben
> > >
> > >"Jim Bond" <[EMAIL PROTECTED]> wrote in message
> > >news:[EMAIL PROTECTED]...
> > > > Hello,
> > > >
> > > > Thank you guys for the help. Unfortunately, I tried to
> > > > put LMHOST file, still doesn't work. We use WINS and I
> > > > can ping domain controller using name so I don't think
> > > > it's naming issue.
> > > >
> > > > I used a sniffer captured some data, client is sending
> > > > logon request to domain controller but didn't get any
> > > > response. Looks like PIX blocks it. How do I open
> > > > it(port 137, 138, 139)?
> > > >
> > > > Thanks in advance.
> > > >
> > > >
> > > > Jim
> > > >
> > > > --- Scott Morris <[EMAIL PROTECTED]> wrote:
> > > > > Your problem is likely the propagation of
> > > > > broadcasts...  Or lack thereof.
> > > > > One thing you can do (I'm assuming you have a router
> > > > > before (LAN-side) the
> > > > > PIX) is set up an ip-helper address to forward
> > > > > UDP-level broadcasts (like
> > > > > 138/139 Netbios) to the NT 

Re: Still doesn't work: tough VPN question

2000-12-08 Thread Benjamin Walling

> The way you have written makes it sound as if I did not have DNS and I
> did a ping, telnet, or ftp by name that it would not work, and that is
> not the case.

That is not what I intended.  If you do a ping, it is not a test of whether
WINS is working because there are other ways to resolve a name that Windows
will use.  You can 'ping hostname' and get a response when you do not have
WINS working.  You can also 'ping hostname' when you do not have DNS
working.





RE: Still doesn't work: tough VPN question

2000-12-08 Thread Christopher Larson

WINS is not used for ping, ftp or telnet, but then neither is DNS. 

WINS is used to resolve netbios names to IP addresses. DNS is used to
resolve host names to IP addresses. If you are implying that when you do
a Telnet, Ping or FTP by name that it will not use WINS to resolve the
name to an IP address then you are incorrect. Whether it uses DNS or
WINS, or a broadcast or LMHosts and in what order is dependent on the
node type setting, and configuration.

Usually if you are on a LAN using WINS and your machine node type is set
to do a DNS lookup first, the name is still resolved by WINS, as the
Microsoft box does not wait for an explicit timeout from DNS to look at
WINS for a resolution. Therefore your name would probably still get
resolved by WINS even if you had a similar alias in DNS for the same
name.

You can verify all this by starting with the Q172218 doc at Microsoft
and working your way down, or just get a sniffer and watch. I prefer the
sniffer method as it is much more reliable.


The way you have written makes it sound as if I did not have DNS and I
did a ping, telnet, or ftp by name that it would not work, and that is
not the case.




-Original Message-
From: Benjamin Walling [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 08, 2000 12:21 PM
To: [EMAIL PROTECTED]
Subject: Re: Still doesn't work: tough VPN question


Yes, WINS resolves NetBIOS names to IP addresses, but only for Windows
networking functions.  It is not used for ping, ftp, telnet, etc.  It is
used for name resolution with relation to file sharing, domain traffic,
etc.

The order in which a Windows box will try to resolve a DNS name (what
happens when you ping):
Host file
DNS
Cache
WINS
Broadcast
LMHosts

The order in which a Windows box will try to resolve a NetBIOS name:
Cache
WINS
Broadcast
LMHosts
Hosts
DNS
(of course you can modify the NetBIOS node type and change this)

""Frank Wells"" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Name resolution is exactly what WINS does!  It maps Netbios names to IP
> addresses.  Windows clients resolve names to IP addresses using a number of
> criteria, and depending on what kind of node they are (H;B;P;M) the order
> that they search services and files differs.  They certainly do not need DNS
> to resolve IP addresses, although it would be an improvement over their
> native methods.
>
> Take a look at RFC's 1001/1002 for deeper insight.
>
> BTW, RPC's are used for mapping drives etc.
>
>
> >From: "Benjamin Walling" <[EMAIL PROTECTED]>
> >Reply-To: "Benjamin Walling" <[EMAIL PROTECTED]>
> >To: [EMAIL PROTECTED]
> >Subject: Re: Still doesn't work: tough VPN question
> >Date: Fri, 8 Dec 2000 08:27:04 -0500
> >
> >Pinging does not verify name resolution for WINS.  Ping will resolve a name
> >using DNS.  MS uses WINS (NetBIOS naming) for Domain Logins and for mapping
> >drives, etc.
> >
> >Try this link on Cisco's website for help with coordinating your NT domain
> >with your network layout:
> >http://www.cisco.com/warp/public/473/winnt_dg.htm
> >
> >It covers WINS and things like that.
> >
> >Ben
> >
> >"Jim Bond" <[EMAIL PROTECTED]> wrote in message
> >news:[EMAIL PROTECTED]...
> > > Hello,
> > >
> > > Thank you guys for the help. Unfortunately, I tried to
> > > put LMHOST file, still doesn't work. We use WINS and I
> > > can ping domain controller using name so I don't think
> > > it's naming issue.
> > >
> > > I used a sniffer captured some data, client is sending
> > > logon request to domain controller but didn't get any
> > > response. Looks like PIX blocks it. How do I open
> > > it(port 137, 138, 139)?
> > >
> > > Thanks in advance.
> > >
> > >
> > > Jim
> > >
> > > --- Scott Morris <[EMAIL PROTECTED]> wrote:
> > > > Your problem is likely the propagation of
> > > > broadcasts...  Or lack thereof.
> > > > One thing you can do (I'm assuming you have a router
> > > > before (LAN-side) the
> > > > PIX) is set up an ip-helper address to forward
> > > > UDP-level broadcasts (like
> > > > 138/139 Netbios) to the NT server.
> > > >
> > > > The other thing you can do is bypass that broadcast
> > > > thought process by using
> > > > LMHosts files on the workstations at the branch
> > > > office.  That will pre-load
> > > > (if you use the #PRE designation) the NetBIOS cache
> > > > and give you IP
> > > > addresses to 

RE: Still doesn't work: tough VPN question

2000-12-08 Thread Christopher Larson

Are you doing NAT 0 between sites so that everyone gets to use the real
IPs and not the NAT'ed ones? Are all the domain controllers, WINS boxes,
etc. in the access-list defining what gets encrypted? If you are
setting up a VPN based on IPs only, then you do not need to define what
ports get opened and whatnot; you simply need to define what traffic is
encrypted based on source and destination.

Are your access-lists mirrored? 




-Original Message-
From: Jim Bond [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 08, 2000 12:30 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Still doesn't work: tough VPN question


Hello,

Thank you guys for the help. Unfortunately, I tried to
put LMHOST file, still doesn't work. We use WINS and I
can ping domain controller using name so I don't think
it's naming issue.

I used a sniffer captured some data, client is sending
logon request to domain controller but didn't get any
response. Looks like PIX blocks it. How do I open
it(port 137, 138, 139)?

Thanks in advance.


Jim

--- Scott Morris <[EMAIL PROTECTED]> wrote:
> Your problem is likely the propagation of
> broadcasts...  Or lack thereof.
> One thing you can do (I'm assuming you have a router
> before (LAN-side) the
> PIX) is set up an ip-helper address to forward
> UDP-level broadcasts (like
> 138/139 Netbios) to the NT server.
> 
> The other thing you can do is bypass that broadcast
> thought process by using
> LMHosts files on the workstations at the branch
> office.  That will pre-load
> (if you use the #PRE designation) the NetBIOS cache
> and give you IP
> addresses to go to.  So if you have IP reachability,
> things will work just
> fine then.
> 
> In LMHOSTS. :
> 
> (ip address) (Netbios name) #PRE #DOM:(domain name
> if domain controller)
> 
> Also, to refresh without rebooting the PCs, "nbtstat
> -R"
> 
> Hope this helps!
> 
> Scott
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> Jim Bond
> Sent: Thursday, December 07, 2000 1:19 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: tough VPN question
> 
> 
> Hello,
> 
> I'm trying to set up a IPSec between a PIX (branch
> office) and router (central office). All PCs at
> branch
> office share 1 ip address. IPSec seems to be working
> fine because clients can ping/telnet/email/map
> drives
> from/to central office. The problem is they can't
> logon NT domain. They can ping domain controller
> though.
> 
> Any idea why they can't log on NT domain? (The
> machines were already added to domain)
> 
> Thanks in advance.
> 
> 
> Jim
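Christopher Larson's two questions above (are the domain controllers and WINS servers inside the traffic selected for encryption, and are the peers' access-lists mirrored) can be checked mechanically. This Python check is an added example, not from the thread: the ACL lines, names and networks are constructed, and only plain `permit ip` entries are parsed, with netmasks assumed on the PIX side and wildcard masks on the router side.

```python
import ipaddress

# Constructed samples: ACL names/numbers and all networks are invented.
# PIX access-lists take a netmask; IOS extended ACLs take a wildcard mask.
PIX_ACL = """\
access-list vpn-central permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list vpn-central permit ip 192.168.10.0 255.255.255.0 host 10.9.9.5
"""
ROUTER_ACL = """\
access-list 110 permit ip 10.0.0.0 0.0.255.255 192.168.10.0 0.0.0.255
access-list 110 permit ip host 10.9.9.6 192.168.10.0 0.0.0.255
"""


def _take_network(tokens, wildcard):
    """Consume one address specification from tokens; return an IPv4Network."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if first == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    mask = ipaddress.IPv4Address(tokens.pop(0))
    if wildcard:  # IOS wildcard bits are the inverse of a netmask
        mask = ipaddress.IPv4Address(int(mask) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{first}/{mask}", strict=False)


def parse_crypto_acl(text, wildcard):
    """Return the set of (source, destination) networks selected for encryption."""
    pairs = set()
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"] or tokens[2:4] != ["permit", "ip"]:
            continue  # only plain 'permit ip' entries are modelled here
        rest = tokens[4:]
        source = _take_network(rest, wildcard)
        destination = _take_network(rest, wildcard)
        pairs.add((source, destination))
    return pairs


def mirror_mismatches(pix_text, router_text):
    """List entries on one peer that lack the reversed entry on the other."""
    pix = parse_crypto_acl(pix_text, wildcard=False)
    router = parse_crypto_acl(router_text, wildcard=True)

    def unmatched(mine, theirs):
        return sorted(f"{src} -> {dst}"
                      for src, dst in mine if (dst, src) not in theirs)

    return {"pix_only": unmatched(pix, router),
            "router_only": unmatched(router, pix)}


def uncovered_servers(pix_text, branch_net, servers):
    """Servers (DCs, WINS) that branch traffic would reach unencrypted."""
    branch = ipaddress.IPv4Network(branch_net)
    pairs = parse_crypto_acl(pix_text, wildcard=False)
    return [s for s in servers
            if not any(branch.subnet_of(src) and ipaddress.IPv4Address(s) in dst
                       for src, dst in pairs)]


if __name__ == "__main__":
    print(mirror_mismatches(PIX_ACL, ROUTER_ACL))
    # Hypothetical server list: a DC, a WINS server and a second DC.
    print(uncovered_servers(PIX_ACL, "192.168.10.0/24",
                            ["10.0.0.10", "10.9.9.5", "10.9.9.6"]))
```

Any entry reported under `pix_only` or `router_only` means the two peers disagree about which traffic belongs in the tunnel, which is the condition the question about mirrored access-lists is probing for.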



Re: Still doesn't work: tough VPN question

2000-12-08 Thread Kevin Wigle

A better way to see if WINS (or lmhosts) is working is to use the nbtstat
command.

use:  nbtstat -a <>

will try to resolve the name and give info

use: nbtstat -A <>

will give the info if the station is reachable.

Kevin Wigle

* * * * * * * *

Absolutely.  It just makes a difference what order Windows uses to resolve.
Ping, telnet, etc will try to resolve a DNS as a DNS name.  If it fails at
this, it will use WINS/LMHosts.  So, yes you can 'telnet netbiosname'

If you just type in 'ping bob', Windows will tack on 'yourdomain.com' and
try to resolve it using DNS.  So, you are likely just resolving this with
DNS.  However, if your DNS host name and your NetBIOS name are different,
then you will use WINS to resolve this.

So, using ping will not verify that WINS is working, unless you use a
NetBIOS name that is not also a DNS name.  If the NetBIOS name and the DNS
host name are the same, your computer could resolve that name with DNS.  So,
you will not verify that WINS is working by pinging something where the
NetBIOS name is the same as the DNS host name.

Ben

"Joseph Ezerski" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I beg to disagree with you.  I can certainly telnet, ftp and ping to any
> NETBios name on my network.
>
>
>
> -Original Message-
> From: Benjamin Walling [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 08, 2000 9:21 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Still doesn't work: tough VPN question
>
>
> Yes, WINS resolves NetBIOS names to IP addresses, but only for Windows
> networking functions.  It is not used for ping, ftp, telnet, etc.  It is
> used for name resolution with relation to file sharing, domain traffic, etc.
>
> The order in which a Windows box will try to resolve a DNS name (what
> happens when you ping):
> Host file
> DNS
> Cache
> WINS
> Broadcast
> LMHosts
>
> The order in which a Windows box will try to resolve a NetBIOS name:
> Cache
> WINS
> Broadcast
> LMHosts
> Hosts
> DNS
> (of course you can modify the NetBIOS node type and change this)
>
> ""Frank Wells"" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Name resolution is exactly what WINS does!  It maps Netbios names to IP
> > addresses.  Windows clients resolve names to IP addresses using a number of
> > criteria, and depending on what kind of node they are (H;B;P;M) the order
> > that they search services and files differs.  They certainly do not need DNS
> > to resolve IP addresses, although it would be an improvement over their
> > native methods.
> >
> > Take a look at RFC's 1001/1002 for deeper insight.
> >
> > BTW, RPC's are used for mapping drives etc.
> >
> >
> > >From: "Benjamin Walling" <[EMAIL PROTECTED]>
> > >Reply-To: "Benjamin Walling" <[EMAIL PROTECTED]>
> > >To: [EMAIL PROTECTED]
> > >Subject: Re: Still doesn't work: tough VPN question
> > >Date: Fri, 8 Dec 2000 08:27:04 -0500
> > >
> > >Pinging does not verify name resolution for WINS.  Ping will resolve a name
> > >using DNS.  MS uses WINS (NetBIOS naming) for Domain Logins and for mapping
> > >drives, etc.
> > >
> > >Try this link on Cisco's website for help with coordinating your NT domain
> > >with your network layout:
> > >http://www.cisco.com/warp/public/473/winnt_dg.htm
> > >
> > >It covers WINS and things like that.
> > >
> > >Ben
> > >
> > >"Jim Bond" <[EMAIL PROTECTED]> wrote in message
> > >news:[EMAIL PROTECTED]...
> > > > Hello,
> > > >
> > > > Thank you guys for the help. Unfortunately, I tried to
> > > > put LMHOST file, still doesn't work. We use WINS and I
> > > > can ping domain controller using name so I don't think
> > > > it's naming issue.
> > > >
> > > > I used a sniffer captured some data, client is sending
> > > > logon request to domain controller but didn't get any
> > > > response. Looks like PIX blocks it. How do I open
> > > > it(port 137, 138, 139)?
> > > >
> > > > Thanks in advance.
> > > >
> > > >
> > > > Jim
> > > >
> > > > --- Scott Morris <[EMAIL PROTECTED]> wrote:
> > > > > Your problem is likely the propagation of
> > > > > broadcasts...  Or lack thereof.
> > > > > One thing you can 

Re: Still doesn't work: tough VPN question

2000-12-08 Thread Brian Lodwick


How about getting a test machine and running nbtstats to test the WINS 
resolution?

>>>Brian


>From: "Benjamin Walling" <[EMAIL PROTECTED]>
>Reply-To: "Benjamin Walling" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: Still doesn't work: tough VPN question
>Date: Fri, 8 Dec 2000 08:27:04 -0500
>
>Pinging does not verify name resolution for WINS.  Ping will resolve a name
>using DNS.  MS uses WINS (NetBIOS naming) for Domain Logins and for mapping
>drives, etc.
>
>Try this link on Cisco's website for help with coordinating your NT domain
>with your network layout:
>http://www.cisco.com/warp/public/473/winnt_dg.htm
>
>It covers WINS and things like that.
>
>Ben
>
>"Jim Bond" <[EMAIL PROTECTED]> wrote in message
>news:[EMAIL PROTECTED]...
> > Hello,
> >
> > Thank you guys for the help. Unfortunately, I tried to
> > put LMHOST file, still doesn't work. We use WINS and I
> > can ping domain controller using name so I don't think
> > it's naming issue.
> >
> > I used a sniffer captured some data, client is sending
> > logon request to domain controller but didn't get any
> > response. Looks like PIX blocks it. How do I open
> > it(port 137, 138, 139)?
> >
> > Thanks in advance.
> >
> >
> > Jim
> >
> > --- Scott Morris <[EMAIL PROTECTED]> wrote:
> > > Your problem is likely the propagation of
> > > broadcasts...  Or lack thereof.
> > > One thing you can do (I'm assuming you have a router
> > > before (LAN-side) the
> > > PIX) is set up an ip-helper address to forward
> > > UDP-level broadcasts (like
> > > 138/139 Netbios) to the NT server.
> > >
> > > The other thing you can do is bypass that broadcast
> > > thought process by using
> > > LMHosts files on the workstations at the branch
> > > office.  That will pre-load
> > > (if you use the #PRE designation) the NetBIOS cache
> > > and give you IP
> > > addresses to go to.  So if you have IP reachability,
> > > things will work just
> > > fine then.
> > >
> > > In LMHOSTS. :
> > >
> > > (ip address) (Netbios name) #PRE #DOM:(domain name
> > > if domain controller)
> > >
> > > Also, to refresh without rebooting the PCs, "nbtstat
> > > -R"
> > >
> > > Hope this helps!
> > >
> > > Scott
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]]On Behalf Of
> > > Jim Bond
> > > Sent: Thursday, December 07, 2000 1:19 AM
> > > To: [EMAIL PROTECTED]
> > > Cc: [EMAIL PROTECTED]
> > > Subject: tough VPN question
> > >
> > >
> > > Hello,
> > >
> > > I'm trying to set up a IPSec between a PIX (branch
> > > office) and router (central office). All PCs at
> > > branch
> > > office share 1 ip address. IPSec seems to be working
> > > fine because clients can ping/telnet/email/map
> > > drives
> > > from/to central office. The problem is they can't
> > > logon NT domain. They can ping domain controller
> > > though.
> > >
> > > Any idea why they can't log on NT domain? (The
> > > machines were already added to domain)
> > >
> > > Thanks in advance.
> > >
> > >
> > > Jim



RE: Still doesn't work: tough VPN question

2000-12-08 Thread Ole Drews Jensen

Here's some good information too (watch for wordwrap):

http://cramsession.brainbuzz.com/cramsession/microsoft/tcpip/guide.asp

Hth,

Ole


 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
 http://www.oledrews.com/ccnp

 NEED A JOB ???
 http://www.oledrews.com/job




-Original Message-
From: Frank Wells [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 08, 2000 11:11 AM
To: [EMAIL PROTECTED]
Subject: Re: Still doesn't work: tough VPN question


Name resolution is exactly what WINS does!  It maps Netbios names to IP
addresses.  Windows clients resolve names to IP addresses using a number of
criteria, and depending on what kind of node they are (H;B;P;M) the order
that they search services and files differs.  They certainly do not need DNS
to resolve IP addresses, although it would be an improvement over their
native methods.

Take a look at RFC's 1001/1002 for deeper insight.

BTW, RPC's are used for mapping drives etc.


>From: "Benjamin Walling" <[EMAIL PROTECTED]>
>Reply-To: "Benjamin Walling" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: Still doesn't work: tough VPN question
>Date: Fri, 8 Dec 2000 08:27:04 -0500
>
>Pinging does not verify name resolution for WINS.  Ping will resolve a name
>using DNS.  MS uses WINS (NetBIOS naming) for Domain Logins and for mapping
>drives, etc.
>
>Try this link on Cisco's website for help with coordinating your NT domain
>with your network layout:
>http://www.cisco.com/warp/public/473/winnt_dg.htm
>
>It covers WINS and things like that.
>
>Ben
>
>"Jim Bond" <[EMAIL PROTECTED]> wrote in message
>news:[EMAIL PROTECTED]...
> > Hello,
> >
> > Thank you guys for the help. Unfortunately, I tried to
> > put LMHOST file, still doesn't work. We use WINS and I
> > can ping domain controller using name so I don't think
> > it's naming issue.
> >
> > I used a sniffer captured some data, client is sending
> > logon request to domain controller but didn't get any
> > response. Looks like PIX blocks it. How do I open
> > it(port 137, 138, 139)?
> >
> > Thanks in advance.
> >
> >
> > Jim
> >
> > --- Scott Morris <[EMAIL PROTECTED]> wrote:
> > > Your problem is likely the propagation of
> > > broadcasts...  Or lack thereof.
> > > One thing you can do (I'm assuming you have a router
> > > before (LAN-side) the
> > > PIX) is set up an ip-helper address to forward
> > > UDP-level broadcasts (like
> > > 138/139 Netbios) to the NT server.
> > >
> > > The other thing you can do is bypass that broadcast
> > > thought process by using
> > > LMHosts files on the workstations at the branch
> > > office.  That will pre-load
> > > (if you use the #PRE designation) the NetBIOS cache
> > > and give you IP
> > > addresses to go to.  So if you have IP reachability,
> > > things will work just
> > > fine then.
> > >
> > > In LMHOSTS. :
> > >
> > > (ip address) (Netbios name) #PRE #DOM:(domain name
> > > if domain controller)
> > >
> > > Also, to refresh without rebooting the PCs, "nbtstat
> > > -R"
> > >
> > > Hope this helps!
> > >
> > > Scott
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]]On Behalf Of
> > > Jim Bond
> > > Sent: Thursday, December 07, 2000 1:19 AM
> > > To: [EMAIL PROTECTED]
> > > Cc: [EMAIL PROTECTED]
> > > Subject: tough VPN question
> > >
> > >
> > > Hello,
> > >
> > > I'm trying to set up a IPSec between a PIX (branch
> > > office) and router (central office). All PCs at
> > > branch
> > > office share 1 ip address. IPSec seems to be working
> > > fine because clients can ping/telnet/email/map
> > > drives
> > > from/to central office. The problem is they can't
> > > logon NT domain. They can ping domain controller
> > > though.
> > >
> > > Any idea why they can't log on NT domain? (The
> > > machines were already added to domain)
> > >
> > > Thanks in advance.
> > >
> > >
> > > Jim
> > >

RE: Still doesn't work: tough VPN question

2000-12-08 Thread Joseph Ezerski

I beg to disagree with you.  I can certainly telnet, ftp and ping to any
NETBios name on my network.



-Original Message-
From: Benjamin Walling [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 08, 2000 9:21 AM
To: [EMAIL PROTECTED]
Subject: Re: Still doesn't work: tough VPN question


Yes, WINS resolves NetBIOS names to IP addresses, but only for Windows
networking functions.  It is not used for ping, ftp, telnet, etc.  It is
used for name resolution with relation to file sharing, domain traffic, etc.

The order in which a Windows box will try to resolve a DNS name (what
happens when you ping):
Host file
DNS
Cache
WINS
Broadcast
LMHosts

The order in which a Windows box will try to resolve a NetBIOS name:
Cache
WINS
Broadcast
LMHosts
Hosts
DNS
(of course you can modify the NetBIOS node type and change this)

""Frank Wells"" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Name resolution is exactly what WINS does!  It maps Netbios names to IP
> addresses.  Windows clients resolve names to IP addresses using a number of
> criteria, and depending on what kind of node they are (H;B;P;M) the order
> that they search services and files differs.  They certainly do not need DNS
> to resolve IP addresses, although it would be an improvement over their
> native methods.
>
> Take a look at RFCs 1001/1002 for deeper insight.
>
> BTW, RPCs are used for mapping drives etc.
>
>
> >From: "Benjamin Walling" <[EMAIL PROTECTED]>
> >Reply-To: "Benjamin Walling" <[EMAIL PROTECTED]>
> >To: [EMAIL PROTECTED]
> >Subject: Re: Still doesn't work: tough VPN question
> >Date: Fri, 8 Dec 2000 08:27:04 -0500
> >
> >Pinging does not verify name resolution for WINS.  Ping will resolve a name
> >using DNS.  MS uses WINS (NetBIOS naming) for Domain Logins and for mapping
> >drives, etc.
> >
> >Try this link on Cisco's website for help with coordinating your NT domain
> >with your network layout:
> >http://www.cisco.com/warp/public/473/winnt_dg.htm
> >
> >It covers WINS and things like that.
> >
> >Ben
> >
> >"Jim Bond" <[EMAIL PROTECTED]> wrote in message
> >news:[EMAIL PROTECTED]...
> > > Hello,
> > >
> > > Thank you guys for the help. Unfortunately, I tried to
> > > put LMHOST file, still doesn't work. We use WINS and I
> > > can ping domain controller using name so I don't think
> > > it's naming issue.
> > >
> > > I used a sniffer captured some data, client is sending
> > > logon request to domain controller but didn't get any
> > > response. Looks like PIX blocks it. How do I open
> > > it(port 137, 138, 139)?
> > >
> > > Thanks in advance.
> > >
> > >
> > > Jim
> > >
> > > --- Scott Morris <[EMAIL PROTECTED]> wrote:
> > > > Your problem is likely the propagation of
> > > > broadcasts...  Or lack thereof.
> > > > One thing you can do (I'm assuming you have a router
> > > > before (LAN-side) the
> > > > PIX) is set up an ip-helper address to forward
> > > > UDP-level broadcasts (like
> > > > 138/139 Netbios) to the NT server.
> > > >
> > > > The other thing you can do is bypass that broadcast
> > > > thought process by using
> > > > LMHosts files on the workstations at the branch
> > > > office.  That will pre-load
> > > > (if you use the #PRE designation) the NetBIOS cache
> > > > and give you IP
> > > > addresses to go to.  So if you have IP reachability,
> > > > things will work just
> > > > fine then.
> > > >
> > > > In LMHOSTS. :
> > > >
> > > > (ip address) (Netbios name) #PRE #DOM:(domain name
> > > > if domain controller)
> > > >
> > > > Also, to refresh without rebooting the PCs, "nbtstat
> > > > -R"
> > > >
> > > > Hope this helps!
> > > >
> > > > Scott
> > > >
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED]]On Behalf Of
> > > > Jim Bond
> > > > Sent: Thursday, December 07, 2000 1:19 AM
> > > > To: [EMAIL PROTECTED]
> > > > Cc: [EMAIL PROTECTED]
> > > > Subject: tough VPN question
> > > >
> > > >
> > > > Hello,
> > > >
> > > > I'

Re: Still doesn't work: tough VPN question

2000-12-08 Thread david thomas

Set up a BDC/WINS server at the Branch office.

Configure your clients so that the local BDC/WINS server will provide
logon/WINS services.

Then allow the domain sync traffic from the Branch Office BDC/WINS server
through the PIX to the Central Office PDC/WINS server.

Microsoft's PDCs and BDCs have problems with slow links when it comes to
Domain logons, especially when you add a firewall in the mix.
This may seem like overkill, but if you look at Microsoft's recommended
configuration for Domain logon/WINS services you will see that this is the
optimal configuration.

Another side benefit is that your clients will log on faster, and if you ever
lose your Primary Domain Controller and WINS Server, you have a backup at the
branch site.

Also, WINS replication between the servers should run when there is less
traffic on the link. Domain sync between PDC and BDC should run when changes
are made to the Windows NT Security Account Manager.

There is a very nice white paper on the subject at the Microsoft Technet
site.

http://www.microsoft.com/technet

Dave T

>From: "Brian Lodwick" <[EMAIL PROTECTED]>
>Reply-To: "Brian Lodwick" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: Still doesn't work: tough VPN question
>Date: Fri, 08 Dec 2000 17:56:25 -
>
>How about getting a test machine and running nbtstats to test the WINS
>resolution?
>
> >>>Brian
>
>
> >From: "Benjamin Walling" <[EMAIL PROTECTED]>
> >Reply-To: "Benjamin Walling" <[EMAIL PROTECTED]>
> >To: [EMAIL PROTECTED]
> >Subject: Re: Still doesn't work: tough VPN question
> >Date: Fri, 8 Dec 2000 08:27:04 -0500
> >
> >Pinging does not verify name resolution for WINS.  Ping will resolve a name
> >using DNS.  MS uses WINS (NetBIOS naming) for Domain Logins and for mapping
> >drives, etc.
> >
> >Try this link on Cisco's website for help with coordinating your NT domain
> >with your network layout:
> >http://www.cisco.com/warp/public/473/winnt_dg.htm
> >
> >It covers WINS and things like that.
> >
> >Ben
> >
> >"Jim Bond" <[EMAIL PROTECTED]> wrote in message
> >news:[EMAIL PROTECTED]...
> > > Hello,
> > >
> > > Thank you guys for the help. Unfortunately, I tried to
> > > put LMHOST file, still doesn't work. We use WINS and I
> > > can ping domain controller using name so I don't think
> > > it's naming issue.
> > >
> > > I used a sniffer captured some data, client is sending
> > > logon request to domain controller but didn't get any
> > > response. Looks like PIX blocks it. How do I open
> > > it(port 137, 138, 139)?
> > >
> > > Thanks in advance.
> > >
> > >
> > > Jim
> > >
> > > --- Scott Morris <[EMAIL PROTECTED]> wrote:
> > > > Your problem is likely the propagation of
> > > > broadcasts...  Or lack thereof.
> > > > One thing you can do (I'm assuming you have a router
> > > > before (LAN-side) the
> > > > PIX) is set up an ip-helper address to forward
> > > > UDP-level broadcasts (like
> > > > 138/139 Netbios) to the NT server.
> > > >
> > > > The other thing you can do is bypass that broadcast
> > > > thought process by using
> > > > LMHosts files on the workstations at the branch
> > > > office.  That will pre-load
> > > > (if you use the #PRE designation) the NetBIOS cache
> > > > and give you IP
> > > > addresses to go to.  So if you have IP reachability,
> > > > things will work just
> > > > fine then.
> > > >
> > > > In LMHOSTS. :
> > > >
> > > > (ip address) (Netbios name) #PRE #DOM:(domain name
> > > > if domain controller)
> > > >
> > > > Also, to refresh without rebooting the PCs, "nbtstat
> > > > -R"
> > > >
> > > > Hope this helps!
> > > >
> > > > Scott
> > > >
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED]]On Behalf Of
> > > > Jim Bond
> > > > Sent: Thursday, December 07, 2000 1:19 AM
> > > > To: [EMAIL PROTECTED]
> > > > Cc: [EMAIL PROTECTED]
> > > > Subject: tough VPN question
> > > >
> > > >
> > > > > Hello,

RE: Still doesn't work: tough VPN question

2000-12-10 Thread Justin Menga

Hi,

Are you using NAT anywhere in the setup - NAT breaks some NetBIOS stuff,
particularly domain logons and NT trusts.

NAT meaning are you referencing the DC by a false IP address, or by its
valid address.

If you are not using NAT, then forget about the IPSec, just think of it as a
router to router link.  You will be attempting to talk to the DC using
internal addressing, so really all that is required on the remote end is
that the WINS server entries are configured correctly OR a manual LMHOSTS
entry.



-Original Message-
From: Jim Bond [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 08, 2000 6:30 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Still doesn't work: tough VPN question


Hello,

Thank you guys for the help. Unfortunately, I tried to
put LMHOST file, still doesn't work. We use WINS and I
can ping domain controller using name so I don't think
it's naming issue.

I used a sniffer captured some data, client is sending
logon request to domain controller but didn't get any
response. Looks like PIX blocks it. How do I open
it(port 137, 138, 139)?

Thanks in advance.


Jim

--- Scott Morris <[EMAIL PROTECTED]> wrote:
> Your problem is likely the propagation of
> broadcasts...  Or lack thereof.
> One thing you can do (I'm assuming you have a router
> before (LAN-side) the
> PIX) is set up an ip-helper address to forward
> UDP-level broadcasts (like
> 138/139 Netbios) to the NT server.
> 
> The other thing you can do is bypass that broadcast
> thought process by using
> LMHosts files on the workstations at the branch
> office.  That will pre-load
> (if you use the #PRE designation) the NetBIOS cache
> and give you IP
> addresses to go to.  So if you have IP reachability,
> things will work just
> fine then.
> 
> In LMHOSTS. :
> 
> (ip address) (Netbios name) #PRE #DOM:(domain name
> if domain controller)
> 
> Also, to refresh without rebooting the PCs, "nbtstat
> -R"
> 
> Hope this helps!
> 
> Scott
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> Jim Bond
> Sent: Thursday, December 07, 2000 1:19 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: tough VPN question
> 
> 
> Hello,
> 
> I'm trying to set up a IPSec between a PIX (branch
> office) and router (central office). All PCs at
> branch
> office share 1 ip address. IPSec seems to be working
> fine because clients can ping/telnet/email/map
> drives
> from/to central office. The problem is they can't
> logon NT domain. They can ping domain controller
> though.
> 
> Any idea why they can't log on NT domain? (The
> machines were already added to domain)
> 
> Thanks in advance.
> 
> 
> Jim
> 



RE: Still doesn't work: tough VPN question

2000-12-08 Thread Chuck Larrieu

Yes. True.

In Joe's case, WINS is resolving the name to IP address.

One can also ping devices using the fully qualified domain name. In that
case, DNS resolves the name to the IP address.

I don't see anything in Ben's post to disagree with. He is speaking only of
the order in which a Windoze PC will attempt to resolve name to IP.

Anyone done some sniffer traces that can demonstrate both cases?

Chuck

-Original Message-
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Joseph Ezerski
Sent:   Friday, December 08, 2000 9:54 AM
To: 'Benjamin Walling'; [EMAIL PROTECTED]
Subject:    RE: Still doesn't work: tough VPN question

I beg to disagree with you.  I can certainly telnet, ftp and ping to any
NETBios name on my network.



-Original Message-
From: Benjamin Walling [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 08, 2000 9:21 AM
To: [EMAIL PROTECTED]
Subject: Re: Still doesn't work: tough VPN question


Yes, WINS resolves NetBIOS names to IP addresses, but only for Windows
networking functions.  It is not used for ping, ftp, telnet, etc.  It is
used for name resolution with relation to file sharing, domain traffic, etc.

The order in which a Windows box will try to resolve a DNS name (what
happens when you ping):
Host file
DNS
Cache
WINS
Broadcast
LMHosts

The order in which a Windows box will try to resolve a NetBIOS name:
Cache
WINS
Broadcast
LMHosts
Hosts
DNS
(of course you can modify the NetBIOS node type and change this)

""Frank Wells"" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Name resolution is exactly what WINS does!  It maps Netbios names to IP
> addresses.  Windows clients resolve names to IP addresses using a number of
> criteria, and depending on what kind of node they are (H;B;P;M) the order
> that they search services and files differs.  They certainly do not need DNS
> to resolve IP addresses, although it would be an improvement over their
> native methods.
>
> Take a look at RFCs 1001/1002 for deeper insight.
>
> BTW, RPCs are used for mapping drives etc.
>
>
> >From: "Benjamin Walling" <[EMAIL PROTECTED]>
> >Reply-To: "Benjamin Walling" <[EMAIL PROTECTED]>
> >To: [EMAIL PROTECTED]
> >Subject: Re: Still doesn't work: tough VPN question
> >Date: Fri, 8 Dec 2000 08:27:04 -0500
> >
> >Pinging does not verify name resolution for WINS.  Ping will resolve a name
> >using DNS.  MS uses WINS (NetBIOS naming) for Domain Logins and for mapping
> >drives, etc.
> >
> >Try this link on Cisco's website for help with coordinating your NT domain
> >with your network layout:
> >http://www.cisco.com/warp/public/473/winnt_dg.htm
> >
> >It covers WINS and things like that.
> >
> >Ben
> >
> >"Jim Bond" <[EMAIL PROTECTED]> wrote in message
> >news:[EMAIL PROTECTED]...
> > > Hello,
> > >
> > > Thank you guys for the help. Unfortunately, I tried to
> > > put LMHOST file, still doesn't work. We use WINS and I
> > > can ping domain controller using name so I don't think
> > > it's naming issue.
> > >
> > > I used a sniffer captured some data, client is sending
> > > logon request to domain controller but didn't get any
> > > response. Looks like PIX blocks it. How do I open
> > > it(port 137, 138, 139)?
> > >
> > > Thanks in advance.
> > >
> > >
> > > Jim
> > >
> > > --- Scott Morris <[EMAIL PROTECTED]> wrote:
> > > > Your problem is likely the propagation of
> > > > broadcasts...  Or lack thereof.
> > > > One thing you can do (I'm assuming you have a router
> > > > before (LAN-side) the
> > > > PIX) is set up an ip-helper address to forward
> > > > UDP-level broadcasts (like
> > > > 138/139 Netbios) to the NT server.
> > > >
> > > > The other thing you can do is bypass that broadcast
> > > > thought process by using
> > > > LMHosts files on the workstations at the branch
> > > > office.  That will pre-load
> > > > (if you use the #PRE designation) the NetBIOS cache
> > > > and give you IP
> > > > addresses to go to.  So if you have IP reachability,
> > > > things will work just
> > > > fine then.
> > > >
> > > > In LMHOSTS. :
> > > >
> > > > (ip address) (Netbios name) #PRE #DOM:(domain name
> > > > if domain controller)
> > > >
> > > > Also, to refresh without re
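
The two resolution cases asked about above, and the NAT question raised elsewhere in the thread, can be told apart in a capture. The following is an added example, not code from any poster: it decodes UDP payloads for DNS (port 53), the NetBIOS name service that WINS answers (port 137) and the NetBIOS datagram service (port 138) using the RFC 1001/1002 layouts, and reports when the sender address carried inside a datagram differs from the IP-header source. The payloads, host names and addresses are constructed, and the function names are hypothetical.

```python
import socket
import struct

def encode_netbios_name(name, suffix):
    """First-level encoding (RFC 1001); used here only to construct samples."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    halves = bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))
    return b"\x20" + halves + b"\x00"  # length 32, encoded name, empty scope

def decode_netbios_name(encoded):
    """32 bytes in 'A'..'P' -> (name of up to 15 chars, 16th-byte suffix)."""
    if len(encoded) != 32 or any(not 0x41 <= b <= 0x50 for b in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]

def read_labels(payload, offset):
    """Read length-prefixed labels (DNS and NetBIOS share this) up to the zero byte."""
    labels = []
    while offset < len(payload):
        length = payload[offset]
        if length == 0:
            return labels, offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer: not handled in this sketch")
        labels.append(payload[offset + 1:offset + 1 + length])
        offset += 1 + length
    raise ValueError("truncated name")

def netbios_name_at(payload, offset):
    """Decode the NetBIOS name starting at offset; return it and the next offset."""
    labels, nxt = read_labels(payload, offset)
    if not labels:
        raise ValueError("empty NetBIOS name")
    return decode_netbios_name(labels[0]), nxt

def describe(outer_src_ip, dst_port, payload):
    """Summarise one captured UDP payload, keyed on its destination port."""
    if dst_port == 53:    # DNS: 12-byte header, then the question name
        labels, _ = read_labels(payload, 12)
        return {"service": "dns", "name": ".".join(l.decode("ascii") for l in labels)}
    if dst_port == 137:   # NetBIOS name service: same 12-byte header layout as DNS
        (name, suffix), _ = netbios_name_at(payload, 12)
        return {"service": "nbns", "name": name, "suffix": suffix}
    if dst_port == 138:   # NetBIOS datagram service
        if len(payload) < 14:
            raise ValueError("truncated datagram header")
        msg_type, _flags, _dgm_id, ip_raw, _sport, _length, _offset = struct.unpack(
            "!BBH4sHHH", payload[:14])
        source, nxt = netbios_name_at(payload, 14)
        dest, _ = netbios_name_at(payload, nxt)
        embedded = socket.inet_ntoa(ip_raw)
        # RFC 1002 carries the sender's address inside the payload; translation
        # that rewrites only the IP header leaves this field unchanged.
        return {"service": "nbdgm", "msg_type": msg_type,
                "source_name": source, "dest_name": dest,
                "embedded_src_ip": embedded,
                "embedded_ip_differs": embedded != outer_src_ip}
    raise ValueError("port not covered by this sketch")

def build_samples():
    """Constructed payloads (not taken from a real capture)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # one question
    dns = header + b"\x03dc1\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    # Suffix 0x1C marks the domain-controllers group name for a domain.
    nbns = header + encode_netbios_name("CORP", 0x1C) + struct.pack("!HH", 0x0020, 1)
    names = encode_netbios_name("BRANCHPC1", 0x00) + encode_netbios_name("CORP", 0x1C)
    dgm = struct.pack("!BBH4sHHH", 0x11, 0x02, 1, socket.inet_aton("192.168.1.10"),
                      138, len(names), 0) + names
    return {"dns": dns, "nbns": nbns, "dgm": dgm}

if __name__ == "__main__":
    samples = build_samples()
    print(describe("192.168.1.10", 53, samples["dns"]))
    print(describe("192.168.1.10", 137, samples["nbns"]))
    print(describe("203.0.113.5", 138, samples["dgm"]))  # translated outer source
```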

Re: Still doesn't work: tough VPN question

2001-01-22 Thread Patrick Dooley

Are you sure the PDC has a route back to the VPN client?

"Justin Menga" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Hi,
>
> Are you using NAT anywhere in the setup - NAT breaks some NetBIOS stuff,
> particularly domain logons and NT trusts.
>
> NAT meaning are you referencing the DC by a false IP address, or by its
> valid address.
>
> If you are not using NAT, then forget about the IPSec, just think of it as a
> router to router link.  You will be attempting to talk to the DC using
> internal addressing, so really all that is required on the remote end is
> that the WINS server entries are configured correctly OR a manual LMHOSTS
> entry.
>
>
>
> -Original Message-
> From: Jim Bond [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 08, 2000 6:30 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Still doesn't work: tough VPN question
>
>
> Hello,
>
> Thank you guys for the help. Unfortunately, I tried to
> put LMHOST file, still doesn't work. We use WINS and I
> can ping domain controller using name so I don't think
> it's naming issue.
>
> I used a sniffer captured some data, client is sending
> logon request to domain controller but didn't get any
> response. Looks like PIX blocks it. How do I open
> it(port 137, 138, 139)?
>
> Thanks in advance.
>
>
> Jim
>
> --- Scott Morris <[EMAIL PROTECTED]> wrote:
> > Your problem is likely the propagation of
> > broadcasts...  Or lack thereof.
> > One thing you can do (I'm assuming you have a router
> > before (LAN-side) the
> > PIX) is set up an ip-helper address to forward
> > UDP-level broadcasts (like
> > 138/139 Netbios) to the NT server.
> >
> > The other thing you can do is bypass that broadcast
> > thought process by using
> > LMHosts files on the workstations at the branch
> > office.  That will pre-load
> > (if you use the #PRE designation) the NetBIOS cache
> > and give you IP
> > addresses to go to.  So if you have IP reachability,
> > things will work just
> > fine then.
> >
> > In LMHOSTS. :
> >
> > (ip address) (Netbios name) #PRE #DOM:(domain name
> > if domain controller)
> >
> > Also, to refresh without rebooting the PCs, "nbtstat
> > -R"
> >
> > Hope this helps!
> >
> > Scott
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of
> > Jim Bond
> > Sent: Thursday, December 07, 2000 1:19 AM
> > To: [EMAIL PROTECTED]
> > Cc: [EMAIL PROTECTED]
> > Subject: tough VPN question
> >
> >
> > Hello,
> >
> > I'm trying to set up a IPSec between a PIX (branch
> > office) and router (central office). All PCs at
> > branch
> > office share 1 ip address. IPSec seems to be working
> > fine because clients can ping/telnet/email/map
> > drives
> > from/to central office. The problem is they can't
> > logon NT domain. They can ping domain controller
> > though.
> >
> > Any idea why they can't log on NT domain? (The
> > machines were already added to domain)
> >
> > Thanks in advance.
> >
> >
> > Jim
> >



RE: Still doesn't work: tough VPN question

2001-01-22 Thread Dave Swink

This site has the best info on LMHOSTS that I have found.  It helped me with
router to client VPNs.

http://home.att.net/~j.buchan/index.htm

Dave Swink

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Patrick Dooley
> Sent: Monday, January 22, 2001 2:49 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Still doesn't work: tough VPN question
>
>
> Are you sure the PDC has a route back to the VPN client?
>
> "Justin Menga" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Hi,
> >
> > Are you using NAT anywhere in the setup - NAT breaks some NetBIOS stuff,
> > particularly domain logons and NT trusts.
> >
> > NAT meaning are you referencing the DC by a false IP address, or by its
> > valid address.
> >
> > If you are not using NAT, then forget about the IPSec, just think of it as a
> > router to router link.  You will be attempting to talk to the DC using
> > internal addressing, so really all that is required on the remote end is
> > that the WINS server entries are configured correctly OR a manual LMHOSTS
> > entry.
> >
> >
> >
> > -Original Message-
> > From: Jim Bond [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, December 08, 2000 6:30 PM
> > To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > Cc: [EMAIL PROTECTED]
> > Subject: Still doesn't work: tough VPN question
> >
> >
> > Hello,
> >
> > Thank you guys for the help. Unfortunately, I tried to
> > put LMHOST file, still doesn't work. We use WINS and I
> > can ping domain controller using name so I don't think
> > it's naming issue.
> >
> > I used a sniffer captured some data, client is sending
> > logon request to domain controller but didn't get any
> > response. Looks like PIX blocks it. How do I open
> > it(port 137, 138, 139)?
> >
> > Thanks in advance.
> >
> >
> > Jim
> >
> > --- Scott Morris <[EMAIL PROTECTED]> wrote:
> > > Your problem is likely the propagation of
> > > broadcasts...  Or lack thereof.
> > > One thing you can do (I'm assuming you have a router
> > > before (LAN-side) the
> > > PIX) is set up an ip-helper address to forward
> > > UDP-level broadcasts (like
> > > 138/139 Netbios) to the NT server.
> > >
> > > The other thing you can do is bypass that broadcast
> > > thought process by using
> > > LMHosts files on the workstations at the branch
> > > office.  That will pre-load
> > > (if you use the #PRE designation) the NetBIOS cache
> > > and give you IP
> > > addresses to go to.  So if you have IP reachability,
> > > things will work just
> > > fine then.
> > >
> > > In LMHOSTS. :
> > >
> > > (ip address) (Netbios name) #PRE #DOM:(domain name
> > > if domain controller)
> > >
> > > Also, to refresh without rebooting the PCs, "nbtstat
> > > -R"
> > >
> > > Hope this helps!
> > >
> > > Scott
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]]On Behalf Of
> > > Jim Bond
> > > Sent: Thursday, December 07, 2000 1:19 AM
> > > To: [EMAIL PROTECTED]
> > > Cc: [EMAIL PROTECTED]
> > > Subject: tough VPN question
> > >
> > >
> > > Hello,
> > >
> > > I'm trying to set up a IPSec between a PIX (branch
> > > office) and router (central office). All PCs at
> > > branch
> > > office share 1 ip address. IPSec seems to be working
> > > fine because clients can ping/telnet/email/map
> > > drives
> > > from/to central office. The problem is they can't
> > > logon NT domain. They can ping domain controller
> > > though.
> > >
> > > Any idea why they can't log on NT domain? (The
> > > machines were already added to domain)
> > >
> > > Thanks in advance.
> > >
> > >
> > > Jim
> > >