Solved

Unable to access File Server Share

Posted on 2008-10-24
Last Modified: 2012-06-21
I have a user logging into our network via Cisco VPN from outside the network. This user needs to access our file server, which she could before I enabled the Windows Firewall. It is weird because she can ping the server by IP address and FQDN but is unable to access the share. When I turn off Windows Firewall on the file server she can access the share.

With Windows Firewall turned on, the users on the network could access this share.

Is there a setting I need to apply in order to keep the firewall on and have all my users access the share?
0
Question by:katredrum
10 Comments
 
LVL 7

Expert Comment

by:talker2004
ID: 22800086
From the Windows Firewall Advanced tab, go to the ICMP settings and check all of the options.

Now try
0
 
LVL 1

Author Comment

by:katredrum
ID: 22800331
talker2004, it didn't work. I actually took a log of what is dropping. I also added port 80 as I see in the log.
2008-10-24 11:30:19 DROP TCP 192.168.37.109 192.168.1.64 1184 80 48 S 4102644471 0 65535 - - - RECEIVE
2008-10-24 11:30:25 DROP TCP 192.168.37.109 192.168.1.64 1184 80 48 S 4102644471 0 65535 - - - RECEIVE
2008-10-24 11:30:30 DROP TCP 192.168.37.109 192.168.1.64 1185 445 48 S 2866439145 0 65535 - - - RECEIVE
2008-10-24 11:30:18 DROP UDP 192.168.1.205 255.255.255.255 68 67 328 - - - - - - - RECEIVE
2008-10-24 11:30:32 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:30:33 DROP TCP 192.168.37.109 192.168.1.64 1185 445 48 S 2866439145 0 65535 - - - RECEIVE
2008-10-24 11:30:34 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:30:39 DROP TCP 192.168.37.109 192.168.1.64 1185 445 48 S 2866439145 0 65535 - - - RECEIVE
2008-10-24 11:30:35 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:30:55 DROP TCP 192.168.37.109 192.168.1.64 1187 445 48 S 2246122432 0 65535 - - - RECEIVE
2008-10-24 11:30:46 DROP TCP 192.168.37.109 192.168.1.64 1187 445 48 S 2246122432 0 65535 - - - RECEIVE
2008-10-24 11:31:00 DROP TCP 192.168.37.109 192.168.1.64 1189 80 48 S 2517202417 0 65535 - - - RECEIVE
2008-10-24 11:31:03 DROP TCP 192.168.37.109 192.168.1.64 1189 80 48 S 2517202417 0 65535 - - - RECEIVE
2008-10-24 11:31:07 DROP TCP 192.168.37.109 192.168.1.64 1187 445 48 S 2246122432 0 65535 - - - RECEIVE
2008-10-24 11:31:09 DROP TCP 192.168.37.109 192.168.1.64 1189 80 48 S 2517202417 0 65535 - - - RECEIVE
2008-10-24 11:31:16 DROP TCP 192.168.37.109 192.168.1.64 1187 445 40 R 2246122433 0 0 - - - RECEIVE
2008-10-24 11:31:16 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:31:19 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:31:30 DROP TCP 192.168.37.109 192.168.1.64 1191 445 48 S 3281808825 0 65535 - - - RECEIVE
2008-10-24 11:31:34 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:31:35 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:31:39 DROP TCP 192.168.37.109 192.168.1.64 1191 445 48 S 3281808825 0 65535 - - - RECEIVE
0
 
LVL 4

Expert Comment

by:ThorSG1
ID: 22801177
Go to the properties of the network connection on the server.  Open the Exceptions tab.  Is File and Printer Sharing checked?  If not, that is probably the culprit.  If it is, then it will be something else.
0

 
LVL 39

Expert Comment

by:ChiefIT
ID: 22810480
This is a multihomed server isn't it?

This is very, very tricky and I haven't come up with the correct fix. But, I am willing to fill you in on what I know.

File sharing and printer sharing is saved as SMB shares. The problem with SMB is your clients and servers will bind to one network binding. This could be the outer binding (then all of your LAN clients will have problems with the SMB share). Or this could be the LAN's NIC binding (but then all of your outside clients will be knocked down).

What I have discovered is to access the SMB shares, a simultaneous broadcast will be dished out to NetBIOS over TCP/IP. So, if you create a WINS connection between the remote site client or domain server, to your PDCe, then shares and the browser service are accessible.

0
 
LVL 1

Author Comment

by:katredrum
ID: 22815601
ThorSG1, the File and Printer Sharing is checked and I am having no problems with users on the Local LAN 192.168.1.0/24. Just when users VPN into our network from the Internet which obtain a 192.168.2.0/24 address. **I am wondering if there is something on my Cisco ACL that is preventing network browsing**
 
ChiefIT, the file server is not configured as a multihomed server, meaning it only has one IP address, 192.168.1.64/24. From my VPN user's computer, I am able to ping the file server by both IP address and FQDN...just not able to view or browse any shared folders.
I'm sorry, but I am not really following your response, "File sharing and printer sharing is saved as SMB shares. The problem with SMB is your clients and servers will bind to one network binding. This could be the outer binding (then all of your LAN clients will have problems with the SMB share). Or this could be the LAN's NIC binding (but then all of your outside clients will be knocked down)."
I understand your comment "What I have discovered is to access the SMB shares, a simultaneous broadcast will be dished out to NetBIOS over TCP/IP. So, if you create a WINS connection between the remote site client or domain server, to your PDCe, then shares and the browser service are accessible." But I do not believe it is a NetBIOS over TCP/IP issue as the VPN user can ping by IP address, NetBIOS name, & FQDN.
 
I found an article on Cisco's website explaining that there are issues with broadcasts over VPN, but when I disable the file server's firewall the VPN users are able to access the shared folder.
 
It has to be the Windows Firewall...just need to figure out what port is being blocked and allowing it through.
 Thank you for all the help! It is really guiding me in the right way.
 
0
 
LVL 4

Expert Comment

by:ThorSG1
ID: 22816982
Have you set up a NAT exemption rule on your firewall?  We have an exempt rule to not NAT the traffic coming from our VPN connections.  If you have one, do you also have a rule in the ACL Manager that allows all IP traffic?
It might look something like this.
Internal_nat0_outbound
any => 192.168.2.0/24 => ip => permit
Right now I'm thinking it may have something to do with your firewall and NAT.  If it is not NAT then it can only be something with the windows firewall or network settings of the server.
I do realize that the firewall should act the same whether you have the Windows Firewall enabled or not.  
You may also want to try mapping by the server IP address to make sure it is not a name resolution issue, as ChiefIT is pointing to a name resolution issue.  Using the IP address would take that out of the picture.
Another question I have is what is the local network on the vpn users side.  192.168.1.1 is the default network on a lot of the cheap routers out there today.
0
 
LVL 1

Author Comment

by:katredrum
ID: 22817312
ThorSG1,
  • I do have NAT disabled on all VPN connections.
  • It is not a DNS issue as I can ping by NetBIOS name and FQDN regardless if Windows Firewall is enabled or not.
  • Mapping a network drive only works with Windows Firewall turned off.
  • When the VPN users remote into our network, their Virtual adapter receives an IP address from DHCP in the 192.168.2.0/24 subnet from the router.
I believe it is a Windows Firewall setting that is not allowing my VPN users access to the shared folders. I know this because when the Windows Firewall is disabled, everything works fine and all VPN users are able to access all shares on the network.
 
0
 
LVL 4

Accepted Solution

by:
ThorSG1 earned 2000 total points
ID: 22817582
When you edit the File and Printer Sharing under exceptions what ports are checked?  They should be TCP 139, 445; UDP 137, 138.
Check the scope options with the following link.  Pay particular attention to the My network (subnet) only section.  Check the route print tables to make sure the network your VPN users are coming from is listed.  If it is not you may need to create a custom list.
http://technet.microsoft.com/en-us/library/cc778362.aspx
 
0
 
LVL 1

Author Comment

by:katredrum
ID: 22817855
ThorSG1, I changed the scope for TCP 445 to Any computer (including those on the Internet) and it worked!
 
Thank you thank you thank you!
0
 
LVL 1

Author Closing Comment

by:katredrum
ID: 31623606
I didn't know that I could change the scope of the Windows Firewall. It did the trick!!! Thanks again for all your help.
0
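An added example, not part of the original thread: it reads drop entries in the log layout posted above, counts File and Printer Sharing packets whose source lies outside the server's own subnet (what the "My network (subnet) only" scope rejects), and derives a custom scope list that admits only the LAN and the observed remote subnet rather than every address. The function names and the /24 prefix applied to the remote source are assumptions of this example.

```python
import ipaddress
from collections import Counter

# Lines copied from the firewall log posted in the thread (pfirewall.log layout:
# date time action protocol src-ip dst-ip src-port dst-port size flags ...).
SAMPLE_LOG = """\
2008-10-24 11:30:19 DROP TCP 192.168.37.109 192.168.1.64 1184 80 48 S 4102644471 0 65535 - - - RECEIVE
2008-10-24 11:30:30 DROP TCP 192.168.37.109 192.168.1.64 1185 445 48 S 2866439145 0 65535 - - - RECEIVE
2008-10-24 11:30:18 DROP UDP 192.168.1.205 255.255.255.255 68 67 328 - - - - - - - RECEIVE
2008-10-24 11:30:32 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:30:33 DROP TCP 192.168.37.109 192.168.1.64 1185 445 48 S 2866439145 0 65535 - - - RECEIVE
2008-10-24 11:31:16 DROP TCP 192.168.37.109 192.168.1.64 1187 445 40 R 2246122433 0 0 - - - RECEIVE
"""

# File and Printer Sharing ports listed in the accepted answer.
SMB_PORTS = {("TCP", 139), ("TCP", 445), ("UDP", 137), ("UDP", 138)}

def parse_drops(log_text):
    """Yield (protocol, source address, destination port) for each TCP/UDP DROP line."""
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 8 or f[2] != "DROP" or f[3] not in ("TCP", "UDP"):
            continue  # header lines, OPEN/CLOSE entries, ICMP (no ports)
        yield f[3], ipaddress.ip_address(f[4]), int(f[7])

def out_of_scope_smb(log_text, server_if):
    """Count dropped sharing packets whose source is outside the server's own
    subnet, i.e. outside what 'My network (subnet) only' admits."""
    local = ipaddress.ip_interface(server_if).network
    hits = Counter()
    for proto, src, dport in parse_drops(log_text):
        if (proto, dport) in SMB_PORTS and src not in local:
            hits[(str(src), proto, dport)] += 1
    return hits

def custom_scope(hits, server_if, prefix=24):
    """Custom list: the local subnet plus the /prefix around each remote source.
    prefix=24 is an assumption; use the real VPN address pool."""
    nets = {ipaddress.ip_interface(server_if).network}
    for src, _proto, _dport in hits:
        nets.add(ipaddress.ip_network(f"{src}/{prefix}", strict=False))
    return sorted(nets)

if __name__ == "__main__":
    hits = out_of_scope_smb(SAMPLE_LOG, "192.168.1.64/24")
    for (src, proto, dport), n in sorted(hits.items()):
        print(f"{n} drop(s) from {src} to {proto}/{dport}: source not in local subnet")
    print("custom scope:", ", ".join(map(str, custom_scope(hits, "192.168.1.64/24"))))
```

The networks it returns are the entries for the exception's Custom list scope, which keeps TCP 445 closed to addresses outside the LAN and the VPN range.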


Question has a verified solution.
