Mapping drive and printers by name using Netscreen SSG 520 and Linksys routers

Posted on 2006-06-21
Last Modified: 2010-04-12
Hi Experts,
I had a VPN between two Linksys routers,
on one side (Site 1) was my DC running DNS and WINS Server on one network
on the other side (Site 2) I have an NT 4.0 server running another network
everything worked great, could ping by IP or Name, could see both domains from both locations, and print to either location from either location.

I changed the Linksys on Site 1 to a Netscreen SSG520, and am planning to add many new VPNs.
I have the VPN up and running between the SSG520 and the Linksys, I can ping both directions by IP, but I cannot ping by name.  I have tried to map drives and printers by IP address, but I get no login server to validate.

There is some name resolution I have to do in the Netscreen, but I cannot figure it out, and it is a new system for me.

Anyone with Netscreen experience would be a great help.

Question by:Quadeeb2003
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 250 total points
ID: 16959624
No Netscreen experience but most VPN routers have a block/allow NetBIOS broadcast option. There are some DNS solutions as well, but your NT machines will require NetBIOS/WINS I believe. Also, some commercial units have an option on the router itself to specify the WINS server.

Accepted Solution

jabiii earned 250 total points
ID: 16985378
Netscreen you don't "have" to use DNS resolution. That is only for the box itself for like allowing etc

Rob's right, it's probably being blocked. What does your policy say for the site to site VPN? (what service group). Try changing it to ip - ip any port/service. See if it works then.

Let me know,


Author Comment

ID: 17022217
Thanks for the input, I'll give it a try

Author Comment

ID: 17076814
The policy is not being blocked, 5gt is doing DHCP, it is set to use DC on the SSG520 as the DNS and WINS server.

I think where I am having an issue is the DNS settings on the DC.  I am not sure, but I think I need to put some information into the forward look up.

I might have to post this question elsewhere.
LVL 77

Expert Comment

by:Rob Williams
ID: 17078213
I don't know that the forward look up zone would be the problem where it was working with the previous router, however it is a good idea to have a host record for the remote NT server in place regardless. Check the forward look up zone for your domain to see if there is a Host (A) record present, if not you can add it manually. Also a good idea to add a matching reverse look up zone PTR record as well.

Which site cannot resolve which names? i.e. can site 2 resolve names from site 1 or vice versa? or neither?

Thank you for the points by the way.
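The A/PTR check suggested in the comment above can be automated once the zones are exported. The following is an added example, not part of the original thread: it audits a forward zone against a reverse zone and reports hosts whose PTR record is missing or points at a different name. The record lists, host names and addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample records (name, type, value). Host names and addresses
# are made up for this example and do not come from the thread.
FORWARD_ZONE = [
    ("dc1.site1.example.", "A", "192.168.1.10"),
    ("nt4srv.site2.example.", "A", "192.168.2.5"),
    ("print1.site2.example.", "A", "192.168.2.20"),
]
REVERSE_ZONE = [
    ("10.1.168.192.in-addr.arpa.", "PTR", "dc1.site1.example."),
    ("20.2.168.192.in-addr.arpa.", "PTR", "oldprint.site2.example."),
]


def audit(forward, reverse):
    """Return (host, ip, problem) for each A record without a matching PTR."""
    # DNS names are case-insensitive, so compare in lower case.
    ptr = {name.lower(): target.lower()
           for name, rtype, target in reverse if rtype == "PTR"}
    findings = []
    for name, rtype, value in forward:
        if rtype != "A":
            continue
        # reverse_pointer yields e.g. '5.2.168.192.in-addr.arpa' (no final dot)
        rname = ipaddress.ip_address(value).reverse_pointer + "."
        target = ptr.get(rname)
        if target is None:
            findings.append((name, value, "missing PTR"))
        elif target != name.lower():
            findings.append((name, value, f"PTR points to {target}"))
    return findings


if __name__ == "__main__":
    for host, ip, problem in audit(FORWARD_ZONE, REVERSE_ZONE):
        print(f"{host} ({ip}): {problem}")
```
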

Author Comment

ID: 17078262
np, from remote site, with NT 4.0 server I can see domain and any computer in the domain.
to the remote I can see the IPs and ping one name.  The NT server has some type of issue though, I can't connect to it via pcAnywhere, which I normally do.  When I was up there, I could not get it working even though I had it in my lap.
I'm about ready to pitch the thing.  I really don't need another server and domain up there anyway, so, I just need to move the PCs up there, and the print server up there, to my local domain.  That ought to do it.

and thanks for your replies.
LVL 77

Expert Comment

by:Rob Williams
ID: 17078286
Food for thought if you are not going to move the equipment:
It would make sense that site 2 can see site 1 by name and not the reverse because the site 1 router was changed thus showing it is likely the problem. I would say it has to do with the name resolution configuration of the Netscreen, not the server or site 2 configuration.
On the Netgear do you have the option to add a second WINS server? If so does the NT server run WINS? If so you could add it. Try adding the site 2 names to the forward lookup zones as you suggested earlier. If the Netscreen is pointing there for DNS it might work.
I am not familiar with Netscreens, perhaps Jim will return, sounds like he is.

Expert Comment

ID: 17081538
Try making an object on the Netscreen for the name of the box you're trying to ping. ie, and make sure the NS has a DNS server it can point to. And add that domain object to your ruleset (object group). Make sure ping is allowed and try to ping.

Note Netscreen does do Forward lookups to allow/deny traffic - Ie allow me ->
but does NOT (at this current time) perform reverse lookups. - ie if you allow, and try to ping it might not work.

What do you get when you try to ping the name? Request timed out?
Do you see the ping requests hit the NS logs? If you don't have logs turned on, turn them on, on every policy to find it.

If you still don't see the ping request hit the NS, then I can help you snoop/debug it, and we can try again.

You are allowing DNS through, right? Did you allow-dns-reply?

Is the DHCP client getting the correct data?

Does the NS have rules in place allowing the client to both DCs etc? And vice versa?

NS will only allow what you tell it to.

Question has a verified solution.