Solved

Unable to access File Server Share

Posted on 2008-10-24
Last Modified: 2012-06-21
I have a user logging into our network via Cisco VPN from outside the network. This user needs to access our file server, which she could before I enabled the Windows Firewall. It is weird because she can ping the server by IP address and FQDN but is unable to access the share. When I turn off Windows Firewall on the file server she can access the share.

With Windows Firewall turned on, the users on the network could access this share.

Is there a setting I need to apply in order to keep the firewall on and have all my users access the share?
0
Question by:katredrum
10 Comments
 
LVL 7

Expert Comment

by:talker2004
ID: 22800086
From the Windows Firewall Advanced tab, go to the ICMP settings and check all of the options.

Now try
0
 
LVL 1

Author Comment

by:katredrum
ID: 22800331
talker2004, it didn't work. I actually took a log of what is dropping. I also added port 80 as I see in the log.
2008-10-24 11:30:19 DROP TCP 192.168.37.109 192.168.1.64 1184 80 48 S 4102644471 0 65535 - - - RECEIVE
2008-10-24 11:30:25 DROP TCP 192.168.37.109 192.168.1.64 1184 80 48 S 4102644471 0 65535 - - - RECEIVE
2008-10-24 11:30:30 DROP TCP 192.168.37.109 192.168.1.64 1185 445 48 S 2866439145 0 65535 - - - RECEIVE
2008-10-24 11:30:18 DROP UDP 192.168.1.205 255.255.255.255 68 67 328 - - - - - - - RECEIVE
2008-10-24 11:30:32 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:30:33 DROP TCP 192.168.37.109 192.168.1.64 1185 445 48 S 2866439145 0 65535 - - - RECEIVE
2008-10-24 11:30:34 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:30:39 DROP TCP 192.168.37.109 192.168.1.64 1185 445 48 S 2866439145 0 65535 - - - RECEIVE
2008-10-24 11:30:35 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:30:55 DROP TCP 192.168.37.109 192.168.1.64 1187 445 48 S 2246122432 0 65535 - - - RECEIVE
2008-10-24 11:30:46 DROP TCP 192.168.37.109 192.168.1.64 1187 445 48 S 2246122432 0 65535 - - - RECEIVE
2008-10-24 11:31:00 DROP TCP 192.168.37.109 192.168.1.64 1189 80 48 S 2517202417 0 65535 - - - RECEIVE
2008-10-24 11:31:03 DROP TCP 192.168.37.109 192.168.1.64 1189 80 48 S 2517202417 0 65535 - - - RECEIVE
2008-10-24 11:31:07 DROP TCP 192.168.37.109 192.168.1.64 1187 445 48 S 2246122432 0 65535 - - - RECEIVE
2008-10-24 11:31:09 DROP TCP 192.168.37.109 192.168.1.64 1189 80 48 S 2517202417 0 65535 - - - RECEIVE
2008-10-24 11:31:16 DROP TCP 192.168.37.109 192.168.1.64 1187 445 40 R 2246122433 0 0 - - - RECEIVE
2008-10-24 11:31:16 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:31:19 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:31:30 DROP TCP 192.168.37.109 192.168.1.64 1191 445 48 S 3281808825 0 65535 - - - RECEIVE
2008-10-24 11:31:34 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:31:35 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:31:39 DROP TCP 192.168.37.109 192.168.1.64 1191 445 48 S 3281808825 0 65535 - - - RECEIVE
0
 
LVL 4

Expert Comment

by:ThorSG1
ID: 22801177
Go to the properties of the network connection on the server. Open the Exceptions tab. Is File and Printer Sharing checked? If not, that is probably the culprit. If it is, then it will be something else.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22810480
This is a multihomed server isn't it?

This is very, very tricky and I haven't come up with the correct fix. But, I am willing to fill you in on what I know.

File sharing and printer sharing is saved as SMB shares. The problem with SMB is your clients and servers will bind to one network binding. This could be the outer binding (then all of your LAN clients will have problems with the SMB share). Or this could be the LAN's NIC binding (but then all of your outside clients will be knocked down).

What I have discovered is that to access the SMB shares, a simultaneous broadcast will be dished out to NetBIOS over TCP/IP. So, if you create a WINS connection between the remote site client or domain server, to your PDCe, then shares and the browser service are accessible.

0
 
LVL 1

Author Comment

by:katredrum
ID: 22815601
ThorSG1, File and Printer Sharing is checked and I am having no problems with users on the local LAN 192.168.1.0/24. The problem occurs only when users VPN into our network from the Internet and obtain a 192.168.2.0/24 address. **I am wondering if there is something on my Cisco ACL that is preventing network browsing.**
 
ChiefIT, the file server is not configured as a multihomed server, meaning it only has one IP address, 192.168.1.64/24. From my VPN user's computer, I am able to ping the file server by both IP address and FQDN... just not able to view or browse any shared folders.
I'm sorry, but I am not really following your response, "File sharing and printer sharing is saved as SMB shares. The problem with SMB is your clients and servers will bind to one network binding. This could be the outer binding (then all of your LAN clients will have problems with the SMB share). Or this could be the LAN's NIC binding (but then all of your outside clients will be knocked down)."
I understand your comment "What I have discovered is that to access the SMB shares, a simultaneous broadcast will be dished out to NetBIOS over TCP/IP. So, if you create a WINS connection between the remote site client or domain server, to your PDCe, then shares and the browser service are accessible." But I do not believe it is a NetBIOS over TCP/IP issue, as the VPN user can ping by IP address, NetBIOS name, and FQDN.
 
I found an article on Cisco's website explaining that there are issues with broadcasts over VPN, but when I disable the file server's firewall the VPN users are able to access the shared folder.
 
It has to be the Windows Firewall...just need to figure out what port is being blocked and allowing it through.
 Thank you for all the help! It is really guiding me in the right way.
 
0

 
LVL 4

Expert Comment

by:ThorSG1
ID: 22816982
Have you set up a NAT exemption rule on your firewall? We have an exempt rule to not NAT the traffic coming from our VPN connections. If you have one, do you also have a rule in the ACL Manager that allows all IP traffic?
It might look something like this.
Internal_nat0_outbound
any => 192.168.2.0/24 => ip => permit
Right now I'm thinking it may have something to do with your firewall and NAT. If it is not NAT then it can only be something with the Windows Firewall or network settings of the server.
I do realize that the firewall should act the same whether you have the Windows Firewall enabled or not.
You may also want to try mapping by the server IP address to make sure it is not a name resolution issue, as ChiefIT is pointing to a name resolution issue. Using the IP address would take that out of the picture.
Another question I have is what is the local network on the VPN user's side? 192.168.1.1 is the default network on a lot of the cheap routers out there today.
0
 
LVL 1

Author Comment

by:katredrum
ID: 22817312
ThorSG1,
  • I do have NAT disabled on all VPN connections.
  • It is not a DNS issue as I can ping by NetBIOS name and FQDN regardless if Windows Firewall is enabled or not.
  • Mapping a network drive only works with Windows Firewall turned off.
  • When the VPN users remote into our network, their Virtual adapter receives an IP address from DHCP in the 192.168.2.0/24 subnet from the router.
I believe it is a Windows Firewall setting that is not allowing my VPN users access to the shared folders. I know this because when the Windows Firewall is disabled, everything works fine and all VPN users are able to access all shares on the network.
 
0
 
LVL 4

Accepted Solution

by:
ThorSG1 earned 500 total points
ID: 22817582
When you edit the File and Printer Sharing under exceptions what ports are checked?  They should be TCP 139, 445; UDP 137, 138.
Check the scope options with the following link.  Pay particular attention to the My network (subnet) only section.  Check the route print tables to make sure the network your VPN users are coming from is listed.  If it is not you may need to create a custom list.
http://technet.microsoft.com/en-us/library/cc778362.aspx
 
0
 
LVL 1

Author Comment

by:katredrum
ID: 22817855
ThorSG1, I changed the scope for TCP 445 to Any computer (including those on the Internet) and it worked!
 
Thank you thank you thank you!
0
 
LVL 1

Author Closing Comment

by:katredrum
ID: 31623606
I didn't know that I could change the scope of the Windows Firewall. It did the trick!!! Thanks again for all your help.
0
