Mapping drive and printers by name using Netscreen SSG 520 and Linksys routers

Posted on 2006-06-21
Last Modified: 2010-04-12
Hi Experts,
I had a VPN between two Linksys routers.
On one side (Site 1) was my DC running DNS and WINS server on one network;
on the other side (Site 2) I have an NT 4.0 server running another network.
Everything worked great: I could ping by IP or name, could see both domains from both locations, and print to either location from either location.

I changed the Linksys on Site 1 to a Netscreen SSG520, and am planning to add many new VPNs.
I have the VPN up and running between the SSG520 and the Linksys. I can ping in both directions by IP, but I cannot ping by name. I have tried to map drives and printers by IP address, but I get no login server to validate.

There is some name resolution I have to do in the Netscreen, but I cannot figure it out, and it is a new system for me.

Anyone with netscreen experience would be a great help.

Question by: Quadeeb2003

Assisted Solution

by: Rob Williams
Rob Williams earned 250 total points
ID: 16959624
No Netscreen experience, but most VPN routers have a block/allow NetBIOS broadcast option. There are some DNS solutions as well, but your NT machines will require NetBIOS/WINS, I believe. Also, some commercial units have an option on the router itself to specify the WINS server.

Accepted Solution

by: jabiii
jabiii earned 250 total points
ID: 16985378
On the Netscreen you don't "have" to use DNS resolution. That is only for the box itself, for things like allowing, etc.

Rob's right, it's probably being blocked. What does your policy say for the site-to-site VPN (what service group)? Try changing it to IP - IP, any port/service. See if it works then.

Let me know,


Author Comment

ID: 17022217
Thanks for the input, I'll give it a try

Author Comment

ID: 17076814
The policy is not being blocked. The 5GT is doing DHCP; it is set to use the DC on the SSG520 as the DNS and WINS server.

I think where I am having an issue is the DNS settings on the DC. I am not sure, but I think I need to put some information into the forward lookup.

I might have to post this question elsewhere.

Expert Comment

by: Rob Williams
ID: 17078213
I don't know that the forward lookup zone would be the problem where it was working with the previous router; however, it is a good idea to have a host record for the remote NT server in place regardless. Check the forward lookup zone for your domain to see if there is a Host (A) record present; if not, you can add it manually. It is also a good idea to add a matching reverse lookup zone PTR record as well.

Which site cannot resolve which names? i.e. can site 2 resolve names from site 1, or vice versa? Or neither?

Thank you for the points, by the way.
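The A/PTR check suggested in this answer can be automated before any record is touched. The Python script below is an added example, not from this thread and not from Juniper or Microsoft; it parses constructed BIND-style zone text (all names, addresses and zone origins are made up) and reports the three inconsistencies that commonly break reverse lookup: A records with no PTR, PTRs whose target name has an A record with a different address, and stale PTRs whose target has no A record at all.

```python
"""Forward/reverse zone consistency check.

Added example, not part of the thread: the forward zone for the Site 1 domain
and the reverse zone for the Site 2 subnet are constructed BIND-style text
(names, addresses and zone origins are made up). The checker reports A records
in the reverse zone's range that have no PTR, PTRs whose target name has an A
record with a different address, and PTRs whose target has no A record at all.
"""
import ipaddress
import re

# Constructed sample data (not real hosts).
FORWARD_ZONE = """
$ORIGIN corp.example.
dc1        IN A   192.168.1.10   ; Site 1 DC, outside the reverse zone below
ntsrv      IN A   192.168.2.5    ; Site 2 NT 4.0 server
printsrv   IN A   192.168.2.20   ; Site 2 print server
ws01       IN A   192.168.2.30
"""

REVERSE_ZONE = """
$ORIGIN 2.168.192.in-addr.arpa.
5    IN PTR ntsrv.corp.example.
21   IN PTR printsrv.corp.example.   ; wrong octet: the A record says .20
40   IN PTR oldbox.corp.example.     ; stale: no A record for oldbox
"""

# owner [ttl] [class] TYPE rdata  (enough of the zone-file syntax for A/PTR lines)
_RR = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(A|PTR)\s+(\S+)$", re.IGNORECASE)


def _fqdn(name, origin):
    """Turn a zone-file owner or rdata name into a lower-case FQDN without the trailing dot."""
    name = name.lower()
    if name == "@":
        name = origin
    elif not name.endswith("."):
        name = f"{name}.{origin}"
    return name.rstrip(".")


def parse_zone(text, rtype):
    """Return (origin, [(owner_fqdn, rdata), ...]) for records of the given type."""
    origin, records = "", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        m = _RR.match(line)
        if m and m.group(2).upper() == rtype:
            owner, rdata = m.group(1), m.group(3)
            rdata = rdata.lower() if rtype == "A" else _fqdn(rdata, origin)
            records.append((_fqdn(owner, origin), rdata))
    return origin, records


def _ptr_owner_to_ip(owner):
    """'5.2.168.192.in-addr.arpa' -> '192.168.2.5'."""
    labels = owner.split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError(f"not an IPv4 reverse name: {owner}")
    return ".".join(reversed(labels[:-2]))


def _reverse_zone_network(origin):
    """'2.168.192.in-addr.arpa.' -> 192.168.2.0/24 (one octet per label before in-addr)."""
    octets = list(reversed(origin.rstrip(".").split(".")[:-2]))
    cidr = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
    return ipaddress.ip_network(cidr)


def check_zones(forward_text, reverse_text):
    """Compare A and PTR data; every finding is a plain tuple so the caller can print or assert."""
    _, a_records = parse_zone(forward_text, "A")
    rev_origin, ptr_records = parse_zone(reverse_text, "PTR")
    scope = _reverse_zone_network(rev_origin)

    name_to_ip = {name: ip for name, ip in a_records}
    ip_to_ptr = {_ptr_owner_to_ip(owner): target for owner, target in ptr_records}

    # Only A records inside the reverse zone's range can be expected to have a PTR there.
    missing_ptr = sorted(name for name, ip in a_records
                         if ipaddress.ip_address(ip) in scope and ip not in ip_to_ptr)
    wrong_ptr = sorted((ip, target, name_to_ip[target]) for ip, target in ip_to_ptr.items()
                       if target in name_to_ip and name_to_ip[target] != ip)
    orphan_ptr = sorted((ip, target) for ip, target in ip_to_ptr.items()
                        if target not in name_to_ip)
    return {"missing_ptr": missing_ptr, "wrong_ptr": wrong_ptr, "orphan_ptr": orphan_ptr}


if __name__ == "__main__":
    for kind, items in check_zones(FORWARD_ZONE, REVERSE_ZONE).items():
        for item in items:
            print(f"{kind}: {item}")
```

Run it against exported zone files instead of the constructed strings; because it only considers A records inside the reverse zone's own range, a forward zone that spans both sites is fine. The NT hosts in this thread also depend on WINS/NetBIOS name resolution, which a DNS zone check does not cover.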

Author Comment

ID: 17078262
np, from the remote site, with the NT 4.0 server, I can see the domain and any computer in the domain.
To the remote I can see the IPs and ping one name. The NT server has some type of issue though; I can't connect to it via pcAnywhere, which I normally do. When I was up there, I could not get it working even though I had it in my lap.
I'm about ready to pitch the thing. I really don't need another server and domain up there anyway, so I just need to move the PCs up there, and the print server up there, to my local domain. That ought to do it.

And thanks for your replies.
Expert Comment

by: Rob Williams
ID: 17078286
Food for thought if you are not going to move the equipment:
It would make sense that site 2 can see site 1 by name and not the reverse, because the site 1 router was changed, thus showing it is likely the problem. I would say it has to do with the name resolution configuration of the Netscreen, not the server or site 2 configuration.
On the Netgear, do you have the option to add a second WINS server? If so, does the NT server run WINS? If so, you could add it. Try adding the site 2 names to the forward lookup zones as you suggested earlier. If the Netscreen is pointing there for DNS, it might work.
I am not familiar with Netscreens; perhaps Jim will return, sounds like he is.

Expert Comment

ID: 17081538
Try making an object on the Netscreen for the name of the box you're trying to ping, i.e., and make sure the NS has a DNS server it can point to. And add that domain object to your ruleset (object group). Make sure ping is allowed and try to ping.

Note Netscreen does do forward lookups to allow/deny traffic - i.e. allow me ->
but does NOT (at this current time) perform reverse lookups - i.e. if you allow, and try to ping, it might not work.

What do you get when you try to ping the name? Request timed out?
Do you see the ping requests hit the NS logs? If you don't have logs turned on, turn them on, on every policy, to find it.

If you still don't see the ping request hit the NS, then I can help you snoop/debug it, and we can try again.

You are allowing DNS through, right? Did you allow-dns-reply?

Is the DHCP client getting the correct data?

Does the NS have rules in place allowing the client to both DCs, etc.? And vice versa?

NS will only allow what you tell it to.
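The diagnostic in this thread, temporarily widening the tunnel policy to IP-to-IP with any service, tells you whether the policy is the problem but not which service was missing. The Python model below is an added example, not ScreenOS and not the asker's configuration: it evaluates a constructed Netscreen-style policy list the way such firewalls do (top-down, first match wins, implicit deny at the end) and lists, for each direction of the tunnel, every service a Windows/NT domain needs between sites that is denied, unmatched, or permitted without logging. Service names, zone names, subnets, flows and policy IDs are all constructed.

```python
"""Policy-gap check for a site-to-site VPN on a first-match firewall.

Added example, not the thread's configuration and not ScreenOS code: a small
model of Netscreen-style policies (zone pair, source, destination, service set,
action, logging) evaluated top-down, first match wins, implicit deny at the end.
Service names, zone names, subnets and policy IDs are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed service book: what a Windows/NT domain needs across the tunnel.
SERVICES = {
    "DNS":    ("udp", 53),
    "PING":   ("icmp", 8),     # echo request
    "NBNAME": ("udp", 137),    # NetBIOS name service (WINS registration and queries)
    "NBDS":   ("udp", 138),    # NetBIOS datagram (browser and domain announcements)
    "NBSS":   ("tcp", 139),    # NetBIOS session (SMB over NetBIOS)
    "SMB":    ("tcp", 445),    # direct-hosted SMB
}
SERVICE_GROUPS = {"WIN-NAMES": {"NBNAME", "NBDS", "NBSS"}}
REQUIRED = list(SERVICES)   # every one of these must pass in both directions


@dataclass(frozen=True)
class Policy:
    pid: int
    src_zone: str
    dst_zone: str
    src: str            # CIDR
    dst: str            # CIDR
    services: frozenset # service or group names; "ANY" matches everything
    action: str         # "permit", "tunnel" (permit into the VPN) or "deny"
    log: bool

    def expanded_services(self):
        out = set()
        for s in self.services:
            out |= SERVICE_GROUPS.get(s, {s})
        return out

    def matches(self, src_zone, dst_zone, src_ip, dst_ip, service):
        if (src_zone, dst_zone) != (self.src_zone, self.dst_zone):
            return False
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        svcs = self.expanded_services()
        return "ANY" in svcs or service in svcs


def first_match(policies, src_zone, dst_zone, src_ip, dst_ip, service):
    """Top-down lookup; None means no policy matched (implicit deny)."""
    for p in policies:
        if p.matches(src_zone, dst_zone, src_ip, dst_ip, service):
            return p
    return None


def find_gaps(policies, flows):
    """Return (flow label, service, problem) for every required service that is
    denied, unmatched, or permitted without logging."""
    gaps = []
    for label, src_zone, dst_zone, src_ip, dst_ip in flows:
        for svc in REQUIRED:
            p = first_match(policies, src_zone, dst_zone, src_ip, dst_ip, svc)
            if p is None:
                gaps.append((label, svc, "no matching policy: implicit deny"))
            elif p.action == "deny":
                gaps.append((label, svc, f"denied by policy {p.pid}"))
            elif not p.log:
                gaps.append((label, svc, f"permitted by policy {p.pid} but not logged"))
    return gaps


# Constructed flows: Site 1 DC <-> Site 2 NT server, one check per direction.
FLOWS = [
    ("site1->site2", "Trust", "Untrust", "192.168.1.10", "192.168.2.5"),
    ("site2->site1", "Untrust", "Trust", "192.168.2.5", "192.168.1.10"),
]

# Constructed "before" set: the tunnel policy is too narrow, the return policy is unlogged.
POLICIES = [
    Policy(1, "Trust", "Untrust", "192.168.1.0/24", "192.168.2.0/24",
           frozenset({"DNS", "PING"}), "tunnel", True),
    Policy(2, "Untrust", "Trust", "192.168.2.0/24", "192.168.1.0/24",
           frozenset({"ANY"}), "tunnel", False),
    Policy(3, "Trust", "Untrust", "192.168.1.0/24", "0.0.0.0/0",
           frozenset({"ANY"}), "deny", True),
]

# Constructed "after" set: exactly the missing services and logging added, nothing wider.
FIXED_POLICIES = [
    Policy(1, "Trust", "Untrust", "192.168.1.0/24", "192.168.2.0/24",
           frozenset({"DNS", "PING", "WIN-NAMES", "SMB"}), "tunnel", True),
    Policy(2, "Untrust", "Trust", "192.168.2.0/24", "192.168.1.0/24",
           frozenset({"ANY"}), "tunnel", True),
    POLICIES[2],
]

if __name__ == "__main__":
    for gap in find_gaps(POLICIES, FLOWS):
        print(gap)
    print("after fix:", find_gaps(FIXED_POLICIES, FLOWS))
```

The "before" set reproduces the two failure modes the answer probes for: the Trust-to-Untrust tunnel policy carries only DNS and ping, so NetBIOS and SMB fall through to the deny policy, while the return policy permits everything but logs nothing, so the NS logs would stay empty for that direction. The "after" set adds exactly the services that were missing and turns logging on, which is what to leave in place once the "any service" test has done its job.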
