Solved

Unable to access File Server Share

Posted on 2008-10-24
Last Modified: 2012-06-21
I have a user logging into our network via Cisco VPN from outside the network. This user needs to access our file server, which she could before I enabled the Windows Firewall. It is weird because she can ping the server by IP address and FQDN but is unable to access the share. When I turn off Windows Firewall on the file server she can access the share.

With Windows Firewall turned on, the users on the network could access this share.

Is there a setting I need to apply in order to keep the firewall on and have all my users access the share?
Question by:katredrum
10 Comments
 
LVL 7

Expert Comment

by:talker2004
ID: 22800086
From the Windows Firewall Advanced tab, go to the ICMP settings and check all of the options.

Now try
0
 
LVL 1

Author Comment

by:katredrum
ID: 22800331
talker2004, it didn't work. I actually took a log of what is dropping. I also added port 80 as I see in the log.
2008-10-24 11:30:19 DROP TCP 192.168.37.109 192.168.1.64 1184 80 48 S 4102644471 0 65535 - - - RECEIVE
2008-10-24 11:30:25 DROP TCP 192.168.37.109 192.168.1.64 1184 80 48 S 4102644471 0 65535 - - - RECEIVE
2008-10-24 11:30:30 DROP TCP 192.168.37.109 192.168.1.64 1185 445 48 S 2866439145 0 65535 - - - RECEIVE
2008-10-24 11:30:18 DROP UDP 192.168.1.205 255.255.255.255 68 67 328 - - - - - - - RECEIVE
2008-10-24 11:30:32 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:30:33 DROP TCP 192.168.37.109 192.168.1.64 1185 445 48 S 2866439145 0 65535 - - - RECEIVE
2008-10-24 11:30:34 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:30:39 DROP TCP 192.168.37.109 192.168.1.64 1185 445 48 S 2866439145 0 65535 - - - RECEIVE
2008-10-24 11:30:35 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:30:55 DROP TCP 192.168.37.109 192.168.1.64 1187 445 48 S 2246122432 0 65535 - - - RECEIVE
2008-10-24 11:30:46 DROP TCP 192.168.37.109 192.168.1.64 1187 445 48 S 2246122432 0 65535 - - - RECEIVE
2008-10-24 11:31:00 DROP TCP 192.168.37.109 192.168.1.64 1189 80 48 S 2517202417 0 65535 - - - RECEIVE
2008-10-24 11:31:03 DROP TCP 192.168.37.109 192.168.1.64 1189 80 48 S 2517202417 0 65535 - - - RECEIVE
2008-10-24 11:31:07 DROP TCP 192.168.37.109 192.168.1.64 1187 445 48 S 2246122432 0 65535 - - - RECEIVE
2008-10-24 11:31:09 DROP TCP 192.168.37.109 192.168.1.64 1189 80 48 S 2517202417 0 65535 - - - RECEIVE
2008-10-24 11:31:16 DROP TCP 192.168.37.109 192.168.1.64 1187 445 40 R 2246122433 0 0 - - - RECEIVE
2008-10-24 11:31:16 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:31:19 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:31:30 DROP TCP 192.168.37.109 192.168.1.64 1191 445 48 S 3281808825 0 65535 - - - RECEIVE
2008-10-24 11:31:34 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:31:35 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:31:39 DROP TCP 192.168.37.109 192.168.1.64 1191 445 48 S 3281808825 0 65535 - - - RECEIVE
0
 
LVL 4

Expert Comment

by:ThorSG1
ID: 22801177
Go to the properties of the network connection on the server.  Open the Exceptions tab.  Is File and Printer Sharing checked?  If not, that is probably the culprit.  If it is, then it will be something else.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22810480
This is a multihomed server isn't it?

This is very, very tricky and I haven't come up with the correct fix. But, I am willing to fill you in on what I know.

File sharing and printer sharing is saved as SMB shares. The problem with SMB is your clients and servers will bind to one network binding. This could be the outer binding (then all of your LAN clients will have problems with the SMB share). Or this could be the LAN's NIC binding (but then all of your outside clients will be knocked down).

What I have discovered is to access the SMB shares, a simultaneous broadcast will be dished out to NetBIOS over TCP/IP. So, if you create a WINS connection between the remote site client or domain server, to your PDCe, then shares and the browser service are accessible.

0
 
LVL 1

Author Comment

by:katredrum
ID: 22815601
ThorSG1, the File and Printer Sharing is checked and I am having no problems with users on the Local LAN 192.168.1.0/24. Just when users VPN into our network from the Internet which obtain a 192.168.2.0/24 address. **I am wondering if there is something on my Cisco ACL that is preventing network browsing**
 
ChiefIT, the file server is not configured as a multihomed server, meaning it only has one IP address, 192.168.1.64/24. From my VPN user's computer, I am able to ping the file server by both IP address and FQDN...just not able to view or browse any shared folders.
I'm sorry, but I am not really following your response, "File sharing and printer sharing is saved as SMB shares. The problem with SMB is your clients and servers will bind to one network binding. This could be the outer binding (then all of your LAN clients will have problems with the SMB share). Or this could be the LAN's NIC binding (but then all of your outside clients will be knocked down)."
I understand your comment "What I have discovered is to access the SMB shares, a simultaneous broadcast will be dished out to NetBIOS over TCP/IP. So, if you create a WINS connection between the remote site client or domain server, to your PDCe, then shares and the browser service are accessible." But I do not believe it is a NetBIOS over TCP/IP issue as the VPN user can ping by IP address, NetBIOS name, & FQDN.
 
I found an article on Cisco's website explaining that there are issues with broadcasts over VPN, but when I disable the file server's firewall the VPN users are able to access the shared folder.
 
It has to be the Windows Firewall...just need to figure out what port is being blocked and allowing it through.
 Thank you for all the help! It is really guiding me in the right way.
 
0
 
LVL 4

Expert Comment

by:ThorSG1
ID: 22816982
Have you set up a NAT exemption rule on your firewall?  We have an exempt rule to not NAT the traffic coming from our VPN connections.  If you have one, do you also have a rule in the ACL Manager that allows all IP traffic?
It might look something like this.
Internal_nat0_outbound
any => 192.168.2.0/24 => ip => permit
Right now I'm thinking it may have something to do with your firewall and NAT.  If it is not NAT then it can only be something with the windows firewall or network settings of the server.
I do realize that the firewall should act the same whether you have the Windows Firewall enabled or not.
You may also want to try mapping by the server IP address to make sure it is not a name resolution issue, as ChiefIT is pointing to a name resolution issue.  Using the IP address would take that out of the picture.
Another question I have is what is the local network on the VPN user's side?  192.168.1.1 is the default network on a lot of the cheap routers out there today.
0
 
LVL 1

Author Comment

by:katredrum
ID: 22817312
ThorSG1,
  • I do have NAT disabled on all VPN connections.
  • It is not a DNS issue as I can ping by NetBIOS name and FQDN regardless if Windows Firewall is enabled or not.
  • Mapping a network drive only works with Windows Firewall turned off.
  • When the VPN users remote into our network, their Virtual adapter receives an IP address from DHCP in the 192.168.2.0/24 subnet from the router.
I believe it is a Windows Firewall setting that is not allowing my VPN users access to the shared folders. I know this because when the Windows Firewall is disabled, everything works fine and all VPN users are able to access all shares on the network.
 
0
 
LVL 4

Accepted Solution

by:
ThorSG1 earned 500 total points
ID: 22817582
When you edit the File and Printer Sharing under exceptions what ports are checked?  They should be TCP 139, 445; UDP 137, 138.
Check the scope options with the following link.  Pay particular attention to the My network (subnet) only section.  Check the route print tables to make sure the network your VPN users are coming from is listed.  If it is not you may need to create a custom list.
http://technet.microsoft.com/en-us/library/cc778362.aspx
 
0
 
LVL 1

Author Comment

by:katredrum
ID: 22817855
ThorSG1, I changed the scope for TCP 445 to Any computer (including those on the Internet) and it worked!
 
Thank you thank you thank you!
0
 
LVL 1

Author Closing Comment

by:katredrum
ID: 31623606
I didn't know that I could change the scope of the Windows Firewall. It did the trick!!! Thanks again for all your help.
0
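
An added example, not part of the thread and not Microsoft tooling: a Python triage of the firewall log posted above that counts dropped File and Printer Sharing packets whose source lies outside the server's own subnet, the condition the accepted answer's "My network (subnet) only" scope check is about. The function names are hypothetical and the sample lines are copied from the author's log; the sources it reports are the ones to review for a custom scope list, which is narrower than "Any computer".

```python
import ipaddress
from collections import Counter

# File and Printer Sharing ports named in the accepted answer.
SMB_PORTS = {("TCP", 139), ("TCP", 445), ("UDP", 137), ("UDP", 138)}

# Sample lines copied from the log posted in the thread. Column order:
# date time action protocol src-ip dst-ip src-port dst-port size ...
SAMPLE_LOG = """\
2008-10-24 11:30:19 DROP TCP 192.168.37.109 192.168.1.64 1184 80 48 S 4102644471 0 65535 - - - RECEIVE
2008-10-24 11:30:30 DROP TCP 192.168.37.109 192.168.1.64 1185 445 48 S 2866439145 0 65535 - - - RECEIVE
2008-10-24 11:30:18 DROP UDP 192.168.1.205 255.255.255.255 68 67 328 - - - - - - - RECEIVE
2008-10-24 11:30:32 DROP UDP 192.168.37.109 192.168.1.64 137 137 78 - - - - - - - RECEIVE
2008-10-24 11:30:33 DROP TCP 192.168.37.109 192.168.1.64 1185 445 48 S 2866439145 0 65535 - - - RECEIVE
2008-10-24 11:31:16 DROP TCP 192.168.37.109 192.168.1.64 1187 445 40 R 2246122433 0 0 - - - RECEIVE
"""

def out_of_scope_smb_drops(log_text, server_ip, local_net):
    """Count dropped SMB/NetBIOS packets sent to server_ip from sources
    outside local_net, i.e. traffic a subnet-only scope would reject."""
    subnet = ipaddress.ip_network(local_net)
    hits = Counter()
    for line in log_text.splitlines():
        f = line.split()
        # Skip blanks, '#' header lines, non-drops and other destinations.
        if len(f) < 8 or f[0].startswith("#") or f[2] != "DROP" or f[5] != server_ip:
            continue
        proto, dport = f[3], f[7]
        # ICMP rows carry '-' in the port columns, so isdigit() filters them.
        if not dport.isdigit() or (proto, int(dport)) not in SMB_PORTS:
            continue
        try:
            src = ipaddress.ip_address(f[4])
        except ValueError:
            continue  # malformed source field
        if src not in subnet:
            hits[(str(src), proto, int(dport))] += 1
    return hits

def custom_scope_candidates(hits):
    """Distinct remote sources to review for a custom scope list."""
    return sorted({src for src, _proto, _port in hits})

if __name__ == "__main__":
    hits = out_of_scope_smb_drops(SAMPLE_LOG, "192.168.1.64", "192.168.1.0/24")
    for (src, proto, port), n in sorted(hits.items()):
        print(f"{n} dropped {proto}/{port} from {src} (outside local subnet)")
    print("review for custom scope:", custom_scope_candidates(hits))
```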
