• Status: Solved
  • Priority: Medium
  • Security: Public

Name Resolution fails over Netgear Firewall Point to Point VPN

OK,

So we have two Netgear firewalls that are running a hardware VPN per the instructions here:
http://kbserver.netgear.com/inquira/default.asp?ui_mode=answer&prior_transaction_id=2069&action_code=5&highlight_info=16777291,10,19&turl=http%3A%2F%2Fkbserver.netgear.com%2Fkb_web_files%2FN101499.asp&answer_id=206905334#__highlight

I realize this is very similar to the question we had recently asked; please bear with me.

The central location is where the domain\DNS server (Win 2003 Server) is being hosted, and I know the tunnel is working because I can ping the server's IP address, and even access shared resources via \\<serverIP>; however, when I try to access resources via \\<serverName>, everything falls apart.

I have configured the DNS servers on the satellite firewall to be the server's IP address. When I do an nslookup from a remote machine I get no response from the server. However, DNS is running and processes requests locally no problem.

I have enabled NetBIOS on a remote test machine.

The other weird thing is that I can browse the web from this remote machine, with the only DNS entry being the server, so it seems certain DNS requests are being responded to.

Some other info that might be helpful:
central office LAN IP: 192.168.1.x
satellite office LAN IP: 192.168.2.x

I'd be happy to answer any questions.
Asked: DotFoil
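An added diagnostic for the symptom described in the question (nslookup over the tunnel gets no response while the server answers fine locally); this is not code from the original post. It builds a single recursive A query in RFC 1035 wire format and sends it straight at a chosen DNS server, first over UDP and then over TCP, bypassing the local stub resolver. Seeing a parsed answer on one transport and a timeout on the other separates "a firewall rule or the tunnel is swallowing port 53" from "the server is not listening". The server address 192.168.1.10 and the name server.domain.local in the usage line are assumptions, not addresses taken from the thread.

```python
"""Added example: query one DNS server directly over UDP and TCP (not from the original post)."""
import random
import socket
import struct
from typing import Dict, List, Optional, Tuple, Union


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a standard recursive query: RD=1, one question, class IN."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; return it and the offset just after it."""
    labels: List[str] = []
    end: Optional[int] = None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer back to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(msg: bytes, expected_txid: int) -> Dict[str, object]:
    """Return the rcode, the AA flag and any A records from the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: stray or spoofed reply")
    offset = 12
    for _ in range(qdcount):
        _, offset = _read_name(msg, offset)
        offset += 4  # skip QTYPE + QCLASS
    addresses: List[str] = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            addresses.append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    return {"rcode": flags & 0x000F, "authoritative": bool(flags & 0x0400), "addresses": addresses}


def probe(server: str, name: str, timeout: float = 3.0) -> Dict[str, Union[str, Dict[str, object]]]:
    """Query `server` over UDP, then TCP; each result is a parsed answer or an error string."""
    txid = random.randint(0, 0xFFFF)
    query = build_query(name, txid=txid)
    result: Dict[str, Union[str, Dict[str, object]]] = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        try:
            udp.sendto(query, (server, 53))
            data, _ = udp.recvfrom(4096)
            result["udp"] = parse_response(data, txid)
        except socket.timeout:
            result["udp"] = "timeout (query or reply dropped on the path)"
        except (OSError, struct.error) as exc:  # e.g. ICMP port unreachable surfaced as a reset
            result["udp"] = f"error: {exc}"
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tcp:
        tcp.settimeout(timeout)
        try:
            tcp.connect((server, 53))
            tcp.sendall(struct.pack("!H", len(query)) + query)  # DNS over TCP: 2-byte length prefix
            length = struct.unpack("!H", tcp.recv(2))[0]
            data = b""
            while len(data) < length:
                chunk = tcp.recv(length - len(data))
                if not chunk:
                    break
                data += chunk
            result["tcp"] = parse_response(data, txid)
        except socket.timeout:
            result["tcp"] = "timeout (SYN or reply dropped on the path)"
        except (OSError, struct.error) as exc:
            result["tcp"] = f"error: {exc}"
    return result


if __name__ == "__main__":
    import sys
    # Assumed values, not from the thread: the central-office DNS server and a host in its zone.
    server = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.10"
    host = sys.argv[2] if len(sys.argv) > 2 else "server.domain.local"
    for transport, outcome in probe(server, host).items():
        print(f"{transport}: {outcome}")
```

Run it from a satellite-office machine as `python probe_dns.py 192.168.1.10 server.domain.local`. A UDP timeout with a working TCP answer points at a rule that intercepts or drops UDP/53 on the tunnel path; a timeout on both while the server still pings points at port 53 being blocked or redirected rather than at the DNS service itself.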
1 Solution
Rob Williams commented:
DotFoil, NetBIOS names do not broadcast over a VPN, so you are correct in trying to resolve via DNS. You can resolve NetBIOS names if you have a WINS server, or, as per #2 below, you can make use of the LMHosts file. Have a look at items 4-7 below for DNS options in my "name resolution list for VPNs" :-) See if any of those options help.
--Rob
Connecting to remote devices over a VPN:
1) Use the IP address (of the computer you are connecting to) when connecting to devices, such as \\123.123.123.123\ShareName, or map a drive at a command prompt using
 Net Use U: \\123.123.123.123\ShareName
2) An option is to use the LMHosts file, which creates a table of IPs and computer names. LMHosts is located in the Windows directory under c:\Windows (or WINNT)\System32\Drivers\Etc\LMHosts.sam; instructions are included within the file. Any line starting with # is just a comment and is ignored. Open the file with Notepad and add entries for your computers as below:
192.168.0.101      CompName       #PRE
Hit Enter when each line is complete (important), then save the file without a file extension. To be sure there is no extension, when saving enclose the name in quotation marks, like "LMHosts". Now when you try to connect to a computer name it should find it, as it will search the LMHosts file for the record before connecting.
More details regarding the LMHosts file:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/cnet/cnfd_lmh_QXQQ.asp
The drawback of the LMHosts file is that you have to maintain a static list of computer names and IP addresses. Also, if the remote end uses DHCP-assigned IPs it is not a feasible option. Thus, in order to be able to use computer names dynamically, try to enable some of the following options:
3) If you have a WINS server, add that to the network card's configuration.
4) Also, under the WINS configuration on the network adapter, make sure NetBIOS over TCP/IP is selected.
5) Try adding the remote DNS server to your local DNS servers in your network card's TCP/IP configuration.
6) Verify your router does not have a "block NetBIOS broadcast" option enabled.
7) Test if you can connect with the full computer and domain name, as \\ComputerName.domain.local. If so, add the suffix DomainName.local to the DNS configuration of the virtual private adapter/connection [right-click virtual adapter | Properties | TCP/IP Properties | Advanced | DNS | "Append these DNS suffixes (in order)" | Add].
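An added example, not from the answer above: a small parser and validator for the LMHosts format described in item 2, so a file can be checked before it is copied to a remote office where a typo would be expensive to fix. The sample file, host names and addresses inside it are constructed for illustration. The rules it enforces are the ones in the text (one IP and one name per line, `#PRE` to preload, `#DOM:` to mark a domain controller, `#` otherwise starting a comment) plus the 15-character NetBIOS name limit; the decision to keep the first of two entries for the same name and report the second is this parser's own policy, not documented LMHosts behaviour.

```python
"""Added example: parse and validate an LMHosts file before deploying it (not from the original answer)."""
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple

NETBIOS_NAME_MAX = 15  # a NetBIOS name is at most 15 characters; the 16th byte is the service suffix


class LmhostsEntry(NamedTuple):
    ip: str
    preload: bool           # "#PRE": preloaded into the NetBIOS name cache
    domain: Optional[str]   # "#DOM:<domain>": the host is a domain controller for <domain>


# Constructed sample, not from the page; the addresses mirror the thread's two LANs.
SAMPLE_LMHOSTS = """\
# Central office hosts, reached over the VPN.
192.168.1.10    FILESRV        #PRE #DOM:CORP
192.168.1.11    PRINTSRV       # no keywords: looked up from the file, not preloaded
192.168.2.5     this-name-is-far-too-long
not.an.ip       BADENTRY       #PRE
192.168.1.10    FileSrv        #PRE
"""


def parse_lmhosts(text: str) -> Tuple[Dict[str, LmhostsEntry], List[str]]:
    """Return {NAME: entry} keyed by upper-cased name, plus a list of problems found."""
    entries: Dict[str, LmhostsEntry] = {}
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or whole-line comment
        if len(parts) < 2:
            problems.append(f"line {lineno}: expected '<ip> <name> [#PRE] [#DOM:domain]'")
            continue
        ip_text, name = parts[0], parts[1]
        try:
            ip = str(ipaddress.IPv4Address(ip_text))
        except ValueError:
            problems.append(f"line {lineno}: {ip_text!r} is not an IPv4 address")
            continue
        if len(name) > NETBIOS_NAME_MAX:
            problems.append(f"line {lineno}: {name!r} exceeds {NETBIOS_NAME_MAX} characters")
            continue
        preload, domain = False, None
        for token in parts[2:]:
            upper = token.upper()
            if upper == "#PRE":
                preload = True
            elif upper.startswith("#DOM:") and len(token) > 5:
                domain = token[5:].upper()
            elif token.startswith("#"):
                break  # any other '#' starts a trailing comment
        key = name.upper()  # NetBIOS names are not case sensitive
        if key in entries:
            problems.append(f"line {lineno}: duplicate name {key} (first entry kept)")
            continue
        entries[key] = LmhostsEntry(ip, preload, domain)
    return entries, problems


def lookup(entries: Dict[str, LmhostsEntry], name: str) -> Optional[LmhostsEntry]:
    """Case-insensitive lookup, the way a client treats the table."""
    return entries.get(name.upper())


def preload_names(entries: Dict[str, LmhostsEntry]) -> List[str]:
    """Names that would be cached at startup because of #PRE."""
    return sorted(key for key, entry in entries.items() if entry.preload)


if __name__ == "__main__":
    table, issues = parse_lmhosts(SAMPLE_LMHOSTS)
    for name, entry in sorted(table.items()):
        print(f"{name:<16} {entry.ip:<15} preload={entry.preload} domain={entry.domain}")
    for issue in issues:
        print("problem:", issue)
```

Point it at a real file with `parse_lmhosts(open(path).read())` before saving it as `LMHosts` with no extension; anything reported in `problems` would either be silently ignored by Windows or resolve to the wrong host.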
DotFoil (Author) commented:
Hmm,

1. So using the server IP does work, and we may just have to set this up with login scripts because name resolution is just not working.
2. I have not tried using the LMHosts file, mostly because this is for an office that is 45 minutes away and it would be ridiculous to try and maintain that kind of list.
3. & 4. I have tried to use WINS with no luck.
5. I have manually configured the DNS entries on the firewall, and individually for each machine; still I fail to resolve any kind of name (server name or FQDN), even though I can ping the server, and locally on the server I can resolve anything I want.
6. Oops.

OK, so I found the error. There was a rule in the firewall forwarding all DNS requests to the server. I'm not sure why it conflicted with the tunnel, but obviously it did. The tunnel works, server names resolve, mapped network drives work.

All is well now.
Rob Williams commented:
Glad you were able to get it working, DotFoil.
Thanks,
--Rob
DotFoil (Author) commented:
Yeah,

Thanks for your help. I just returned from the client, and it seems it actually needed WINS added to the remote machine's adapter.
Rob Williams commented:
If WINS is an option it is usually the most dependable over VPNs, not sure why. If you get into the high-end WatchGuard, SonicWall, CheckPoint and Cisco units, I find DNS resolution works great.
Thanks for the update,
--Rob
DotFoil (Author) commented:
I'd love to get it resolving using DNS; I would think the way it's set up would allow DNS to resolve, but maybe I'm missing something on the server. DNS just times out when performing nslookup remotely, but it functions fine locally. Maybe I have more firewall misconfiguration to sort out, but for now WINS will work just fine.

Again, thanks for your help. If you have any other suggestions to try, please let me know. Thanks!
Rob Williams commented:
If I come up with any other ideas I will be sure to let you know. I am surprised "adding the remote DNS server to your local DNS servers in your network card's TCP/IP configuration" didn't work.

Thanks,
--Rob