Are you doing NAT 0 between sites so that everyone gets to use the real
IPs and not the NATed ones? Are all the domain controllers, WINS boxes,
etc. in the access-list defining what gets encrypted? If you are
setting up a VPN based on IPs only, then you do not need to define which
ports get opened and which do not; you simply need to define what traffic is
encrypted based on source and destination.

Are your access-lists mirrored? 
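As an added illustration of the two checks asked about above (a NAT 0 exemption for the site-to-site traffic and mirrored crypto access-lists), this is not configuration from anyone in this thread: a PIX-side fragment beside the matching router-side fragment. The networks (192.168.1.0/24 at the branch, 10.0.0.0/24 at the central office), the peer addresses, the map and ACL names and the pre-shared key are all made-up placeholders.

```cisco
! --- PIX (branch office). Assumed addressing (placeholders): inside
! --- 192.168.1.0/24, central office 10.0.0.0/24, router peer 203.0.113.1

! Traffic to the central office must NOT be translated; otherwise the
! domain controller sees the PIX's single PAT address instead of each
! workstation, and the NetBIOS logon exchange cannot be matched back.
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list nonat

! Crypto ACL: select by source/destination network only, no ports.
! Everything it matches (NetBIOS 137/138/139 to the DC included) is
! encrypted, so nothing else needs opening for these hosts.
access-list vpn permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0

crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn
crypto map vpnmap 10 set peer 203.0.113.1
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside

! Let decrypted tunnel traffic bypass the outside interface's
! conduit/ACL checks, so the DC's replies are not dropped by the PIX.
sysopt connection permit-ipsec

isakmp enable outside
isakmp key PLACEHOLDER-PSK address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2

! --- Router (central office), IOS. Its crypto ACL is the exact mirror
! --- of the PIX "vpn" ACL with source and destination swapped. Note that
! --- IOS uses wildcard masks where the PIX uses subnet masks; a mask
! --- typo here is a common reason one direction works and the other fails.
access-list 101 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.2
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set strong
 match address 101
interface Serial0
 crypto map vpnmap
```

If the nonat ACL and the crypto ACL disagree, or the router's ACL is not the exact mirror, the tunnel can pass pings and TCP sessions yet drop the logon exchange, which is the symptom in this thread. `show crypto ipsec sa` on either side shows whether packets are being encrypted and decrypted in both directions for the right pair of networks.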




-----Original Message-----
From: Jim Bond [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 08, 2000 12:30 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Still doesn't work: tough VPN question


Hello,

Thank you guys for the help. Unfortunately, I tried to
put LMHOST file, still doesn't work. We use WINS and I
can ping domain controller using name so I don't think
it's naming issue.

I used a sniffer to capture some data: the client is sending a
logon request to the domain controller but doesn't get any
response. Looks like the PIX blocks it. How do I open
it (ports 137, 138, 139)?

Thanks in advance.


Jim

--- Scott Morris <[EMAIL PROTECTED]> wrote:
> Your problem is likely the propagation of
> broadcasts...  Or lack thereof.
> One thing you can do (I'm assuming you have a router
> before (LAN-side) the
> PIX) is set up an ip-helper address to forward
> UDP-level broadcasts (like
> 138/139 Netbios) to the NT server.
> 
> The other thing you can do is bypass that broadcast
> thought process by using
> LMHosts files on the workstations at the branch
> office.  That will pre-load
> (if you use the #PRE designation) the NetBIOS cache
> and give you IP
> addresses to go to.  So if you have IP reachability,
> things will work just
> fine then.
> 
> In LMHOSTS. :
> 
> (ip address) (Netbios name) #PRE #DOM:(domain name
> if domain controller)
> 
> Also, to refresh without rebooting the PCs, "nbtstat
> -R"
> 
> Hope this helps!
> 
> Scott
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> Jim Bond
> Sent: Thursday, December 07, 2000 1:19 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: tough VPN question
> 
> 
> Hello,
> 
> I'm trying to set up an IPSec between a PIX (branch
> office) and router (central office). All PCs at
> branch
> office share 1 ip address. IPSec seems to be working
> fine because clients can ping/telnet/email/map
> drives
> from/to central office. The problem is they can't
> log on to the NT domain. They can ping the domain controller
> though.
> 
> Any idea why they can't log on to the NT domain? (The
> machines were already added to the domain)
> 
> Thanks in advance.
> 
> 
> Jim
> 
> _______________________________________________________
> To unsubscribe from the CCIELAB list, send a message to
> [EMAIL PROTECTED] with the body containing:
> unsubscribe ccielab
> 
> _________________________________
> FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

