Solved

Unable to access File Server Share

Posted on 2008-10-24
10
452 Views
Last Modified: 2012-06-21
I have a user logging into our network via Cisco VPN from outside the network. This user needs to access our file server which she could before I enabled the Windows Firewall. It is weird because she can ping the server by IP Address and FQDN but unable to access the share. When I turn off Windows Firewall on the file server she can access the share.

With Windows Firewall turned on, the users on the network could access this share.

Is there a setting I need to apply in order to keep the firewall on and have all my users access the share?
0
Question by:katredrum
10 Comments
 
LVL 7

Expert Comment

by:talker2004
From the Windows Firewall Advanced tab, go to the ICMP settings and check all of the options.

Now try
0
 
LVL 1

Author Comment

by:katredrum
talker2004, it didn't work. I actually took a log of what is dropping. I also added port 80 as I see in the log.
2008-10-24 11:30:19 DROP TCP 192.168.37.109 192.168.1.64 1184 80 48 S 4102644471 0 65535 - - - RECEIVE
2008-10-24 11:30:25 DROP TCP 192.168.37.109 192.168.1.64 1184 80 48 S 4102644471 0 65535 - - - RECEIVE
2008-10-24 11:30:30 DROP TCP 192.168.37.109 192.168.1.64 1185 445 48 S 2866439145 0 65535 - - - RECEIVE
2008-10-24 11:30:18 DROP UDP 192.168.1.205 255.255.255.255 68 67 328 - - - - - - - RECEIVE
2008-10-24 11:30:32 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:30:33 DROP TCP 192.168.37.109 192.168.1.64 1185 445 48 S 2866439145 0 65535 - - - RECEIVE
2008-10-24 11:30:34 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:30:39 DROP TCP 192.168.37.109 192.168.1.64 1185 445 48 S 2866439145 0 65535 - - - RECEIVE
2008-10-24 11:30:35 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:30:55 DROP TCP 192.168.37.109 192.168.1.64 1187 445 48 S 2246122432 0 65535 - - - RECEIVE
2008-10-24 11:30:46 DROP TCP 192.168.37.109 192.168.1.64 1187 445 48 S 2246122432 0 65535 - - - RECEIVE
2008-10-24 11:31:00 DROP TCP 192.168.37.109 192.168.1.64 1189 80 48 S 2517202417 0 65535 - - - RECEIVE
2008-10-24 11:31:03 DROP TCP 192.168.37.109 192.168.1.64 1189 80 48 S 2517202417 0 65535 - - - RECEIVE
2008-10-24 11:31:07 DROP TCP 192.168.37.109 192.168.1.64 1187 445 48 S 2246122432 0 65535 - - - RECEIVE
2008-10-24 11:31:09 DROP TCP 192.168.37.109 192.168.1.64 1189 80 48 S 2517202417 0 65535 - - - RECEIVE
2008-10-24 11:31:16 DROP TCP 192.168.37.109 192.168.1.64 1187 445 40 R 2246122433 0 0 - - - RECEIVE
2008-10-24 11:31:16 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:31:19 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:31:30 DROP TCP 192.168.37.109 192.168.1.64 1191 445 48 S 3281808825 0 65535 - - - RECEIVE
2008-10-24 11:31:34 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:31:35 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:31:39 DROP TCP 192.168.37.109 192.168.1.64 1191 445 48 S 3281808825 0 65535 - - - RECEIVE
0
 
LVL 4

Expert Comment

by:ThorSG1
Go to the properties of the network connection on the server. Open the Exceptions tab. Is File and Printer Sharing checked? If not, that is probably the culprit. If it is, then it will be something else.
0
 
LVL 38

Expert Comment

by:ChiefIT
This is a multihomed server isn't it?

This is very, very tricky and I haven't come up with the correct fix. But, I am willing to fill you in on what I know.

File sharing and printer sharing is saved as SMB shares. The problem with SMB is your clients and servers will bind to one network binding. This could be the outer binding, (then all of your LAN clients will have problems with the SMB share). Or this could be the LAN's NIC binding, (but, then all of your outside clients will be knocked down).

What I have discovered is to access the SMB shares, a simultaneous broadcast will be dished out to NetBIOS over TCP/IP. So, if you create a WINS connection between the remote site client or domain server, to your PDCe, then shares and the browser service are accessible.

0
 
LVL 1

Author Comment

by:katredrum
ThorSG1, the File and Printer Sharing is checked and I am having no problems with users on the Local LAN 192.168.1.0/24. Just when users VPN into our network from the Internet which obtain a 192.168.2.0/24 address. **I am wondering if there is something on my Cisco ACL that is preventing network browsing**
 
ChiefIT, the file server is not configured as a multihomed server, meaning it only has one IP address, 192.168.1.64/24. From my VPN user's computer, I am able to ping the file server by both IP address and FQDN...just not able to view or browse any shared folders.
I'm sorry, but I am not really following your response, "File sharing and printer sharing is saved as SMB shares. The problem with SMB is your clients and servers will bind to one network binding. This could be the outer binding, (then all of your LAN clients will have problems with the SMB share). Or this could be the LAN's NIC binding, (but, then all of your outside clients will be knocked down)."
I understand your comment "What I have discovered is to access the SMB shares, a simultaneous broadcast will be dished out to NetBIOS over TCP/IP. So, if you create a WINS connection between the remote site client or domain server, to your PDCe, then shares and the browser service are accessible." But I do not believe it is a NetBIOS over TCP/IP issue as the VPN user can ping by IP address, NetBIOS name, & FQDN.
 
I found an article on Cisco's website explaining that there are issues with broadcasts over VPN, but when I disable the file server's firewall the VPN users are able to access the shared folder.
 
It has to be the Windows Firewall...just need to figure out what port is being blocked and allowing it through.
 Thank you for all the help! It is really guiding me in the right way.
 
0

 
LVL 4

Expert Comment

by:ThorSG1
Have you set up a NAT exemption rule on your firewall?  We have an exempt rule to not NAT the traffic coming from our VPN connections.  If you have one, do you also have a rule in the ACL Manager that allows all IP traffic?
It might look something like this.
Internal_nat0_outbound
any => 192.168.2.0/24 => ip => permit
Right now I'm thinking it may have something to do with your firewall and NAT.  If it is not NAT then it can only be something with the windows firewall or network settings of the server.
I do realize that the firewall should act the same whether you have the Windows Firewall enabled or not.
You may also want to try mapping by the server IP address to make sure it is not a name resolution issue, as ChiefIT is pointing to a name resolution issue.  Using the IP address would take that out of the picture.
Another question I have is what is the local network on the VPN user's side?  192.168.1.1 is the default network on a lot of the cheap routers out there today.
0
 
LVL 1

Author Comment

by:katredrum
ThorSG1,
  • I do have NAT disabled on all VPN connections.
  • It is not a DNS issue as I can ping by NetBIOS name and FQDN regardless if Windows Firewall is enabled or not.
  • Mapping a network drive only works with Windows Firewall turned off.
  • When the VPN users remote into our network, their Virtual adapter receives an IP address from DHCP in the 192.168.2.0/24 subnet from the router.
I believe it is a Windows Firewall setting that is not allowing my VPN users access to the shared folders. I know this because when the Windows Firewall is disabled, everything works fine and all VPN users are able to access all shares on the network.
 
0
 
LVL 4

Accepted Solution

by:
ThorSG1 earned 500 total points
When you edit the File and Printer Sharing under exceptions what ports are checked?  They should be TCP 139, 445; UDP 137, 138.
Check the scope options with the following link.  Pay particular attention to the My network (subnet) only section.  Check the route print tables to make sure the network your VPN users are coming from is listed.  If it is not you may need to create a custom list.
http://technet.microsoft.com/en-us/library/cc778362.aspx
 
0
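An added example, not part of the original thread or any poster's code: a Python script that reads the Windows Firewall log format posted earlier and counts dropped File and Printer Sharing connections that come from outside the server's own subnet, the symptom of an exception scoped to "My network (subnet) only". The sample lines are copied from the log in this thread; the function names and the /24 grouping of source addresses are assumptions of this example.

```python
import ipaddress
from collections import Counter

# Field order from the "#Fields:" header of the Windows Firewall log (pfirewall.log).
FIELDS = ("date time action protocol src_ip dst_ip src_port dst_port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# File and Printer Sharing ports as listed in the accepted answer.
SHARING_PORTS = {("TCP", 139), ("TCP", 445), ("UDP", 137), ("UDP", 138)}

# Lines copied from the log posted earlier in this thread.
SAMPLE_LOG = """\
2008-10-24 11:30:19 DROP TCP 192.168.37.109 192.168.1.64 1184 80 48 S 4102644471 0 65535 - - - RECEIVE
2008-10-24 11:30:30 DROP TCP 192.168.37.109 192.168.1.64 1185 445 48 S 2866439145 0 65535 - - - RECEIVE
2008-10-24 11:30:18 DROP UDP 192.168.1.205 255.255.255.255 68 67 328 - - - - - - - RECEIVE
2008-10-24 11:30:32 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:30:33 DROP TCP 192.168.37.109 192.168.1.64 1185 445 48 S 2866439145 0 65535 - - - RECEIVE
"""

def parse(log_text):
    """Yield one dict per well-formed record, skipping header and malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue
        yield dict(zip(FIELDS, parts))

def scope_drops(log_text, server_ip, local_subnet, group_prefix=24):
    """Count dropped sharing traffic to server_ip from sources outside local_subnet.

    Returns {(source_network, protocol, dst_port): count}; group_prefix is an
    assumed prefix length used only to group remote sources into networks."""
    local = ipaddress.ip_network(local_subnet)
    hits = Counter()
    for rec in parse(log_text):
        if rec["action"] != "DROP" or rec["dst_ip"] != server_ip:
            continue
        try:
            src = ipaddress.ip_address(rec["src_ip"])
            port = int(rec["dst_port"])       # "-" for ICMP records raises ValueError
        except ValueError:
            continue
        if (rec["protocol"], port) not in SHARING_PORTS or src in local:
            continue
        net = ipaddress.ip_network(f"{src}/{group_prefix}", strict=False)
        hits[(str(net), rec["protocol"], port)] += 1
    return hits

def custom_scope(hits):
    """Source networks that would need to be in the exception's scope, sorted."""
    return sorted({net for net, _, _ in hits})
```

Calling `custom_scope(scope_drops(SAMPLE_LOG, "192.168.1.64", "192.168.1.0/24"))` lists the remote networks to consider for the custom list the answer mentions, which is a narrower scope than "Any computer (including those on the Internet)".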
 
LVL 1

Author Comment

by:katredrum
ThorSG1, I changed the scope for TCP 445 to Any computer (including those on the Internet) and it worked!
 
Thank you thank you thank you!
0
 
LVL 1

Author Closing Comment

by:katredrum
I didn't know that I could change the scope of the Windows Firewall. It did the trick!!! Thanks again for all your help.
0
