Mapping drive and printers by name using Netscreen SSG 520 and Linksys routers

Hi Experts,
I had a VPN between two Linksys routers.
On one side (Site 1) was my DC running DNS and a WINS server on one network;
on the other side (Site 2) I have an NT 4.0 server running another network.
Everything worked great: I could ping by IP or name, could see both domains from both locations, and could print to either location from either location.


I changed the Linksys on Site 1 to a Netscreen SSG520, and am planning to add many new VPNs.
I have the VPN up and running between the SSG520 and the Linksys. I can ping in both directions by IP, but I cannot ping by name. I have tried to map drives and printers by IP address, but I get "no login server to validate".

There is some name resolution I have to do in the Netscreen, but I cannot figure it out, and it is a new system for me.

Anyone with netscreen experience would be a great help.

Asked by Quadeeb2003
Rob WilliamsCommented:
No Netscreen experience but most VPN routers have a block/allow NetBIOS broadcast option. There are some DNS solutions as well, but your NT machines will require NetBIOS/WINS I believe. Also, some commercial units have an option on the router itself to specify the WINS server.
jabiiiCommented:
On a Netscreen you don't "have" to use DNS resolution. That is only for the box itself, for things like allowing google.com etc.

Rob's right, it's probably being blocked. What does your policy say for the site-to-site VPN? (What service group?) Try changing it to ip - ip, any port/service, and see if it works then.

Let me know,

Jim
Quadeeb2003Author Commented:
Thanks for the input, I'll give it a try
Quadeeb2003Author Commented:
The policy is not being blocked. The 5GT is doing DHCP, and it is set to use the DC on the SSG520 side as the DNS and WINS server.

I think where I am having an issue is the DNS settings on the DC. I am not sure, but I think I need to put some information into the forward lookup zone.

I might have to post this question elsewhere.
Rob WilliamsCommented:
I don't know that the forward lookup zone would be the problem, since it was working with the previous router; however, it is a good idea to have a host record for the remote NT server in place regardless. Check the forward lookup zone for your domain to see if there is a Host (A) record present; if not, you can add it manually. It is also a good idea to add a matching reverse lookup zone PTR record as well.

Which site cannot resolve which names? i.e. can site 2 resolve names from site 1 or vice versa? Or neither?

Thank you for the points, by the way.
--Rob
Quadeeb2003Author Commented:
np. From the remote site, with the NT 4.0 server, I can see the domain and any computer in the domain.
To the remote site I can see the IPs and can ping one name. The NT server has some type of issue though: I can't connect to it via pcAnywhere, which I normally do. When I was up there, I could not get it working even though I had it in my lap.
I'm about ready to pitch the thing. I really don't need another server and domain up there anyway, so I just need to move the PCs up there, and the print server up there, to my local domain. That ought to do it.

and thanks for your replies.
Rob WilliamsCommented:
Food for thought if you are not going to move the equipment:
It would make sense that site 2 can see site 1 by name and not the reverse, because the site 1 router was changed, thus showing it is likely the problem. I would say it has to do with the name resolution configuration of the Netscreen, not the server or site 2 configuration.
On the Netgear, do you have the option to add a second WINS server? If so, does the NT server run WINS? If so, you could add it. Try adding the site 2 names to the forward lookup zones as you suggested earlier. If the Netscreen is pointing there for DNS it might work.
I am not familiar with Netscreens, perhaps Jim will return, sounds like he is.
jabiiiCommented:
Try making an object on the Netscreen for the name of the box you're trying to ping, i.e. mybox.com, and make sure the NS has a DNS server it can point to. Then add that domain object to your ruleset (object group), make sure ping is allowed, and try to ping.

Note the Netscreen does do forward lookups to allow/deny traffic, i.e. allow me -> google.com,
but does NOT (at this current time) perform reverse lookups, i.e. if you allow 1.1.1.1 and try to ping google.com it might not work.

What do you get when you try to ping the name? Request timed out?
Do you see the ping requests hit the NS logs? If you don't have logs turned on, turn them on for every policy to find it.

If you still don't see the ping request hit the NS, then I can help you snoop/debug it. and we can try again.

You are allowing DNS through, right? Did you allow-dns-reply?

Is the DHCP client getting the correct data?

Does the NS have rules in place allowing the client to both DCs etc.? And vice versa?

The NS will only allow what you tell it to.
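The recurring point in Rob's and Jim's replies is that Windows name resolution across the tunnel depends on a unicast NetBIOS Name Service query reaching the WINS server (broadcasts never cross a VPN), and that the Netscreen policy must pass UDP 137 in both directions. The following script, added here as an illustration and not part of the original thread or of any Netscreen tooling, builds an RFC 1002 NBNS name query exactly as a WINS client would send it and parses the reply, so the tunnel and the resolver can be tested independently of the Windows stack. The host name, WINS address and the constructed reply used in its self-check are placeholders.

```python
"""Hand-built NetBIOS Name Service (RFC 1001/1002) name query and reply parser.

Added example for diagnosing WINS resolution across a site-to-site VPN.
A unicast query (RD set, B clear) to the WINS server on UDP 137 is what
clients on the far side of the tunnel must be able to send and get answered;
if this fails while ping-by-IP works, the firewall policy or the WINS
server configuration is the problem, not the tunnel.
"""
import socket
import struct

NBNS_PORT = 137
NB_SUFFIX_WORKSTATION = 0x00   # 16th byte: <00> workstation service
NB_SUFFIX_FILE_SERVER = 0x20   # <20> server service (what drive mapping uses)
QTYPE_NB = 0x0020
QCLASS_IN = 0x0001


def encode_netbios_name(name, suffix=NB_SUFFIX_FILE_SERVER):
    """First-level encoding (RFC 1002 4.1): upper-case, pad to 15 chars,
    append the 1-byte service suffix, then emit each nibble as 'A' + nibble."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)            # always 32 bytes


def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name: returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_name_query(name, txid, unicast=True, suffix=NB_SUFFIX_FILE_SERVER):
    """NAME QUERY REQUEST. unicast=True sets RD (WINS/H-node style);
    unicast=False sets RD+B, the LAN broadcast form that never crosses a VPN."""
    flags = 0x0100 if unicast else 0x0110
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_NB, QCLASS_IN)


def _skip_name(data, pos):
    """Advance past a question/answer name (label sequence or 0xC0 pointer)."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length


def parse_name_response(data, txid=None):
    """Return [(ip, is_group), ...] from a NAME QUERY RESPONSE.
    An empty list means a negative response (RCODE != 0, e.g. NAM_ERR)."""
    if len(data) < 12:
        raise ValueError("truncated NBNS header")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid is not None and rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("packet is a request, not a response")
    if flags & 0x000F:           # RCODE: 3 = name not found
        return []
    pos = 12
    for _ in range(qd):          # some servers echo the question section
        pos = _skip_name(data, pos) + 4
    results = []
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        rdata = data[pos:pos + rdlen]
        pos += rdlen
        if rtype != QTYPE_NB:
            continue
        for off in range(0, rdlen, 6):   # NB_FLAGS(2) + NB_ADDRESS(4) per entry
            nb_flags, a, b, c, d = struct.unpack("!HBBBB", rdata[off:off + 6])
            results.append((f"{a}.{b}.{c}.{d}", bool(nb_flags & 0x8000)))
    return results


def query_wins(name, wins_ip, timeout=2.0, txid=0x1234):
    """Send one unicast query to a WINS server and return the parsed result.
    wins_ip is the DC at site 1 in the thread; supply your own address."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_name_query(name, txid), (wins_ip, NBNS_PORT))
        data, _ = s.recvfrom(512)
    return parse_name_response(data, txid)


if __name__ == "__main__":
    import sys
    # Usage: python nbns_query.py NTSERVER 192.168.1.5   (placeholder values)
    print(query_wins(sys.argv[1], sys.argv[2]))
```

Run it from a host on the remote subnet against the site 1 WINS server: a socket timeout means the query (or the reply, which is what allow-dns-reply style rules matter for) is not crossing the tunnel and the policy logs on the Netscreen should be checked first; an empty list means UDP 137 is open but WINS has no registration for that name; a populated list means resolution works and a remaining drive-mapping failure is an authentication problem, not a name problem.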