Solved

Unable to access File Server Share

Posted on 2008-10-24
Last Modified: 2012-06-21
I have a user logging into our network via Cisco VPN from outside the network. This user needs to access our file server, which she could before I enabled the Windows Firewall. It is weird because she can ping the server by IP address and FQDN but is unable to access the share. When I turn off Windows Firewall on the file server she can access the share.

With Windows Firewall turned on, the users on the network could access this share.

Is there a setting I need to apply in order to keep the firewall on and have all my users access the share?
Question by:katredrum
 
LVL 7

Expert Comment

by:talker2004
ID: 22800086
From the Windows Firewall Advanced tab, go to the ICMP settings and check all of the options.

Now try
0
 
LVL 1

Author Comment

by:katredrum
ID: 22800331
talker2004, it didn't work. I actually took a log of what is dropping. I also added port 80 as I see in the log.
2008-10-24 11:30:19 DROP TCP 192.168.37.109 192.168.1.64 1184 80 48 S 4102644471 0 65535 - - - RECEIVE
2008-10-24 11:30:25 DROP TCP 192.168.37.109 192.168.1.64 1184 80 48 S 4102644471 0 65535 - - - RECEIVE
2008-10-24 11:30:30 DROP TCP 192.168.37.109 192.168.1.64 1185 445 48 S 2866439145 0 65535 - - - RECEIVE
2008-10-24 11:30:18 DROP UDP 192.168.1.205 255.255.255.255 68 67 328 - - - - - - - RECEIVE
2008-10-24 11:30:32 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:30:33 DROP TCP 192.168.37.109 192.168.1.64 1185 445 48 S 2866439145 0 65535 - - - RECEIVE
2008-10-24 11:30:34 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:30:39 DROP TCP 192.168.37.109 192.168.1.64 1185 445 48 S 2866439145 0 65535 - - - RECEIVE
2008-10-24 11:30:35 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:30:55 DROP TCP 192.168.37.109 192.168.1.64 1187 445 48 S 2246122432 0 65535 - - - RECEIVE
2008-10-24 11:30:46 DROP TCP 192.168.37.109 192.168.1.64 1187 445 48 S 2246122432 0 65535 - - - RECEIVE
2008-10-24 11:31:00 DROP TCP 192.168.37.109 192.168.1.64 1189 80 48 S 2517202417 0 65535 - - - RECEIVE
2008-10-24 11:31:03 DROP TCP 192.168.37.109 192.168.1.64 1189 80 48 S 2517202417 0 65535 - - - RECEIVE
2008-10-24 11:31:07 DROP TCP 192.168.37.109 192.168.1.64 1187 445 48 S 2246122432 0 65535 - - - RECEIVE
2008-10-24 11:31:09 DROP TCP 192.168.37.109 192.168.1.64 1189 80 48 S 2517202417 0 65535 - - - RECEIVE
2008-10-24 11:31:16 DROP TCP 192.168.37.109 192.168.1.64 1187 445 40 R 2246122433 0 0 - - - RECEIVE
2008-10-24 11:31:16 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:31:19 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:31:30 DROP TCP 192.168.37.109 192.168.1.64 1191 445 48 S 3281808825 0 65535 - - - RECEIVE
2008-10-24 11:31:34 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:31:35 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:31:39 DROP TCP 192.168.37.109 192.168.1.64 1191 445 48 S 3281808825 0 65535 - - - RECEIVE
0
 
LVL 4

Expert Comment

by:ThorSG1
ID: 22801177
Go to the properties of the network connection on the server.  Open the Exceptions tab.  Is File and Printer Sharing checked?  If not, that is probably the culprit.  If it is, then it will be something else.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22810480
This is a multihomed server isn't it?

This is very, very tricky and I haven't come up with the correct fix. But, I am willing to fill you in on what I know.

File sharing and printer sharing is saved as SMB shares. The problem with SMB is your clients and servers will bind to one network binding. This could be the outer binding (then all of your LAN clients will have problems with the SMB share). Or this could be the LAN's NIC binding (but then all of your outside clients will be knocked down).

What I have discovered is that to access the SMB shares, a simultaneous broadcast will be dished out to NetBIOS over TCP/IP. So, if you create a WINS connection between the remote site client or domain server, to your PDCe, then shares and the browser service are accessible.

0
 
LVL 1

Author Comment

by:katredrum
ID: 22815601
ThorSG1, the File and Printer Sharing is checked and I am having no problems with users on the Local LAN 192.168.1.0/24. Just when users VPN into our network from the Internet which obtain a 192.168.2.0/24 address. **I am wondering if there is something on my Cisco ACL that is preventing network browsing**
 
ChiefIT, the file server is not configured as a multihomed server, meaning it only has one IP address, 192.168.1.64/24. From my VPN user's computer, I am able to ping the file server by both IP address and FQDN...just not able to view or browse any shared folders.
I'm sorry, but I am not really following your response, "File sharing and printer sharing is saved as SMB shares. The problem with SMB is your clients and servers will bind to one network binding. This could be the outer binding (then all of your LAN clients will have problems with the SMB share). Or this could be the LAN's NIC binding (but then all of your outside clients will be knocked down)."
I understand your comment "What I have discovered is that to access the SMB shares, a simultaneous broadcast will be dished out to NetBIOS over TCP/IP. So, if you create a WINS connection between the remote site client or domain server, to your PDCe, then shares and the browser service are accessible." But I do not believe it is a NetBIOS over TCP/IP issue as the VPN user can ping by IP address, NetBIOS name, & FQDN.
 
I found an article on Cisco's website explaining that there are issues with broadcasts over VPN, but when I disable the file server's firewall the VPN users are able to access the shared folder.
 
It has to be the Windows Firewall...just need to figure out what port is being blocked and allowing it through.
 Thank you for all the help! It is really guiding me in the right way.
 
0
 
LVL 4

Expert Comment

by:ThorSG1
ID: 22816982
Have you set up a NAT exemption rule on your firewall?  We have an exempt rule to not NAT the traffic coming from our VPN connections.  If you have one, do you also have a rule in the ACL Manager that allows all IP traffic?
It might look something like this.
Internal_nat0_outbound
any => 192.168.2.0/24 => ip => permit
Right now I'm thinking it may have something to do with your firewall and NAT.  If it is not NAT then it can only be something with the windows firewall or network settings of the server.
I do realize that the firewall should act the same whether you have the Windows Firewall enabled or not.
You may also want to try mapping by the server IP address to make sure it is not a name resolution issue.  As ChiefIT is pointing to a name resolution issue.  Using the IP address would take that out of the picture.
Another question I have is what is the local network on the VPN user's side.  192.168.1.1 is the default network on a lot of the cheap routers out there today.
0
 
LVL 1

Author Comment

by:katredrum
ID: 22817312
ThorSG1,
  • I do have NAT disabled on all VPN connections.
  • It is not a DNS issue as I can ping by NetBIOS name and FQDN regardless if Windows Firewall is enabled or not.
  • Mapping a network drive only works with Windows Firewall turned off.
  • When the VPN users remote into our network, their Virtual adapter receives an IP address from DHCP in the 192.168.2.0/24 subnet from the router.
I believe it is a Windows Firewall setting that is not allowing my VPN users access to the shared folders. I know this because when the Windows Firewall is disabled, everything works fine and all VPN users are able to access all shares on the network.
 
0
 
LVL 4

Accepted Solution

by:
ThorSG1 earned 500 total points
ID: 22817582
When you edit the File and Printer Sharing under exceptions what ports are checked?  They should be TCP 139, 445; UDP 137, 138.
Check the scope options with the following link.  Pay particular attention to the My network (subnet) only section.  Check the route print tables to make sure the network your VPN users are coming from is listed.  If it is not you may need to create a custom list.
http://technet.microsoft.com/en-us/library/cc778362.aspx
 
0
 
LVL 1

Author Comment

by:katredrum
ID: 22817855
ThorSG1, I changed the scope for TCP 445 to Any computer (including those on the Internet) and it worked!
 
Thank you thank you thank you!
0
 
LVL 1

Author Closing Comment

by:katredrum
ID: 31623606
I didn't know that I could change the scope of the Windows Firewall. It did the trick!!! Thanks again for all your help.
0
