Need help setting up network share on desktop in remote office

Experts,

I'm attempting to set up a share on an end user's desktop in a remote office for the purpose of hosting documents that are scanned from an MFP at my company's headquarters location.  While this sounds easy enough, I'm running into some problems seeing the network share outside of the particular satellite office where this desktop is located and am running out of ideas.  All the permissions are set up correctly, I can ping the desktop in the remote office (and vice versa) and I can read/write to the shares from the office where the desktop is located.  I can't see shares set up on desktops in our headquarters location from these remote offices, so perhaps what I'm trying to do isn't even possible through normal conventions?  Perhaps I just have to elevate the desktop's role somehow through AD?

Here's some more info on our network setup:
- Each location has at least one domain controller running Windows Server 2003 and AD replication occurs hourly
- Our company's different locations are connected via site-to-site VPN, each office has an AT&T MIS T1 capable of moving ~1.5 MB/s downstream
- DNS records are comprehensive and replicate properly between locations
- All of our company's end users use XP on their desktops with SP2 or SP3

Any feedback would be much appreciated...
methodology asked:
MightySW commented:
Can you ping the name of one of the remote PCs?

Do you get a reply?

What happens when you click on start and then run and then type \\remote_machine_name and hit ok?

Do you have firewalls on in either location?  Do you have hardware firewalls in either location?

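The three checks MightySW asks for (ping by name, open `\\remote_machine_name`, look for firewalls) separate three different failures. Ping proves only IP reachability; a share needs a completed TCP handshake on 445 (SMB over TCP) or 139 (NetBIOS session). The script below is an added example, not code from the thread: it resolves the name, probes those ports and reports whether the SYN was answered, refused or silently dropped. A silent drop from the remote site while the local site works is what a firewall ACL looks like, and also what the XP SP2 Windows Firewall produces when its File and Printer Sharing exception keeps its default "local subnet only" scope. Host names, the loopback stand-in listener and the port table are assumptions.

```python
"""Triage a UNC path that fails while ping succeeds (added example).

Not code from the original thread.  Tells apart: name does not resolve;
SYN silently dropped (site firewall ACL or host firewall scope); SYN
refused (host up, nothing listening); handshake completes (not a network
problem).  Host names and ports are assumptions.
"""
import socket
import threading

# Ports a Windows file share needs; 135 matters for browsing/"net view".
SHARE_PORTS = {445: "SMB over TCP", 139: "NetBIOS session", 135: "RPC endpoint mapper"}


def probe_tcp(host, port, timeout=2.0):
    """Return 'open', 'refused', 'filtered' or 'unresolved' for host:port."""
    try:
        addr = socket.gethostbyname(host)
    except socket.gaierror:
        return "unresolved"
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((addr, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"      # RST came back: host reachable, no listener
    except OSError:
        return "filtered"     # timeout/unreachable: dropped somewhere en route
    finally:
        sock.close()


def diagnose(results):
    """Map {port: state} to the most likely cause, as a short string."""
    states = set(results.values())
    if states == {"unresolved"}:
        return "name resolution: DNS/WINS at this site does not know the host"
    if "open" in states:
        return "transport OK: look at share/NTFS permissions, not the network"
    if "refused" in states:
        return "host reachable but not listening: enable File and Printer Sharing on it"
    return "SYNs dropped: site firewall ACL/VPN policy or host firewall scope"


def triage(host, ports=SHARE_PORTS, timeout=2.0):
    """Probe every share-related port and return (results, diagnosis)."""
    results = {port: probe_tcp(host, port, timeout) for port in ports}
    return results, diagnose(results)


def _listener():
    """Constructed stand-in for a reachable host: a loopback TCP listener."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def accept_once():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=accept_once, daemon=True).start()
    return srv.getsockname()[1]


def _closed_port():
    """A loopback port that was just bound and released, so nothing listens."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # In practice: triage("remote-desktop-name") from a HQ machine.
    print(triage("127.0.0.1", {_listener(): "demo listener"}))
```

Run it from a machine at headquarters against the remote desktop's name, then from a machine in the remote office; if the local run says `open` on 445 and the remote run says `filtered`, the problem is between the sites (PIX ACL, VPN policy or host firewall scope), not DNS or share permissions.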
SysExpert commented:
Are you allowing GRE 43 and other MS share protocols through the routers/VPN?
 
I hope this helps!
MightySW commented:
Yes, you are on the same path I am on, SE.  I think that the TCP and UDP ports for AD are not being allowed through the FW policies.

methodology (author) commented:
MightySW: I can successfully ping the remote PC.  When I try to access it via Run or in the location bar, I eventually get a message notifying me that the host cannot be found.

I think you guys are on the right track with respect to firewalls.  We use Cisco PIX firewalls; 501s at the satellite offices and a 515 at our headquarters location (sorry I left that out).  All of our routers are managed devices (inherent in AT&T MIS services) and I would assume that they come configured to support a variety of popular network environments, including AD (but I could be wrong about that).

Like you guys are saying, I'm thinking that my problem is most likely a case of not enabling the right protocols/having the right ports open.  My understanding of Cisco PIX firewall configurations is very limited (bear with me), so is it the fixup protocol commands that I should be focusing on?  If that's the case, I'm using the following fixups:

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723  (this is used for GRE 47, same as GRE 43?)
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

What else should I be using?  TiA!!
MightySW commented:
Doesn't look like you are passing all AD traffic.

Fixup (on both PIXes):

TCP  636-636
TCP 3268-3269
TCP 88-88
UDP 88-88
TCP 445-445
UDP 135-139
UDP 389-389

Also ensure that you have file and print services checked on the machines that you are trying to reach.
methodology (author) commented:
Hmmm...

I'm kind of thinking I might need to use the access-list command to open those ports; what protocol or application should I be assigning to those port openings?  Please correct me if I'm wrong--my logic is based on various sources of documentation, including this page:

https://www.cisco.com/en/US/docs/security/pix/pix62/configuration/guide/fixup.html

So should I be able to implement the following?

access-list 101 permit tcp any any eq 636
access-list 101 permit tcp any any eq 3268
access-list 101 permit tcp any any eq 3269
...
access-list 101 permit udp any any eq 389

Or do I need to implement one-to-one address translation for the desktop in the remote office, assign it a static IP address, and implement the following?

access-list 101 permit tcp any host desktop.outside.ip.address eq 636
access-list 101 permit tcp any host desktop.outside.ip.address eq 3268
access-list 101 permit tcp any host desktop.outside.ip.address eq 3269
...
access-list 101 permit udp any host desktop.outside.ip.address eq 389

I'm starting to wish I also tagged this post as a firewall issue.  Thanks guys...
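Two things in the thread fit one worked example: MightySW's port list and the access-list lines proposed above. The LDAP/GC ports in that proposal keep domain membership working but do not open what a share actually needs, which is TCP 445 (or 139 with the NetBIOS ports). The script below is an added example, not code from the thread or from Cisco: it emits PIX 6.x permit lines for the full service list narrowed to one source and one destination (an `any any` permit would open every one of these services to every host at both sites), and it parses `show access-list` output to report which services the current policy still does not permit. The ACL name, the addresses 10.1.0.50 (HQ MFP/server) and 10.2.0.25 (remote desktop), and the partial keyword table are assumptions. One caveat worth checking first: if `sysopt connection permit-ipsec` is configured, traffic arriving through the IPsec tunnel bypasses the interface ACL altogether, so the ACL cannot be what blocks the share.

```python
"""Generate and audit PIX 6.x access-list lines for AD/SMB traffic.

Added example; not code from the original thread.  The service table is
MightySW's port list plus the NetBIOS ports (137/138/139) a file share
needs.  ACL name and addresses are assumptions.
"""
import ipaddress
import re

# (protocol, port, purpose).  RPC-based AD traffic also uses dynamic high
# ports negotiated through 135; a fixed port list cannot cover those.
AD_SMB_SERVICES = [
    ("tcp", 445, "SMB over TCP (the share itself)"),
    ("tcp", 139, "NetBIOS session service"),
    ("udp", 137, "NetBIOS name service"),
    ("udp", 138, "NetBIOS datagram service"),
    ("tcp", 135, "RPC endpoint mapper"),
    ("tcp", 88, "Kerberos"),
    ("udp", 88, "Kerberos"),
    ("tcp", 389, "LDAP"),
    ("udp", 389, "LDAP (DC locator)"),
    ("tcp", 636, "LDAP over SSL"),
    ("tcp", 3268, "Global catalog"),
    ("tcp", 3269, "Global catalog over SSL"),
]

# Port keywords PIX may print instead of numbers (partial list, assumption).
PIX_PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139,
                  "kerberos": 88, "ldap": 389, "ldaps": 636}

# 'access-list NAME [line N] permit PROTO SRC DST [eq PORT] [(hitcnt=N)]'
# where SRC/DST is 'any', 'host A.B.C.D' or 'NET MASK'.
_ADDR = r"(?:any|host\s+\S+|\S+\s+\S+)"
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:line\s+\d+\s+)?permit\s+"
    r"(?P<proto>tcp|udp|ip)\s+(?P<src>" + _ADDR + r")\s+(?P<dst>" + _ADDR + r")"
    r"(?:\s+eq\s+(?P<port>\S+))?(?:\s+\(hitcnt=\d+\))?\s*$"
)


def acl_lines(name, src, dst, services=AD_SMB_SERVICES):
    """One permit per service, narrowed to src -> dst (least privilege)."""
    return ["access-list %s permit %s %s %s eq %d" % (name, proto, src, dst, port)
            for proto, port, _ in services]


def _addr_covers(rule_addr, addr):
    """Does 'any', 'host A.B.C.D' or 'NET MASK' include the host addr?"""
    if rule_addr == "any":
        return True
    kind, value = rule_addr.split()
    if kind == "host":
        return value == addr
    return ipaddress.ip_address(addr) in ipaddress.ip_network(kind + "/" + value, strict=False)


def _port_value(token):
    if token is None:
        return None                        # no 'eq': every port of that protocol
    if token.isdigit():
        return int(token)
    return PIX_PORT_NAMES.get(token, -1)   # unknown keyword never matches


def check_coverage(config_text, src, dst, services=AD_SMB_SERVICES):
    """Return the services for which no permit line allows src -> dst."""
    rules = [m.groupdict() for m in (ACL_RE.match(l.strip()) for l in config_text.splitlines()) if m]
    missing = []
    for proto, port, purpose in services:
        permitted = any(
            r["proto"] in ("ip", proto)
            and _port_value(r["port"]) in (None, port)
            and _addr_covers(r["src"], src)
            and _addr_covers(r["dst"], dst)
            for r in rules
        )
        if not permitted:
            missing.append((proto, port, purpose))
    return missing


# Constructed sample: the LDAP/GC-only policy proposed in the thread.
PROPOSED = """\
access-list 101 permit tcp any any eq 636
access-list 101 permit tcp any any eq 3268
access-list 101 permit tcp any any eq 3269
access-list 101 permit udp any any eq 389
"""


def missing_for_share(config_text=PROPOSED, src="10.1.0.50", dst="10.2.0.25"):
    """Ports the sample policy leaves closed; 445 is the one the share needs."""
    return [port for _, port, _ in check_coverage(config_text, src, dst)]


if __name__ == "__main__":
    print("still blocked:", missing_for_share())
    for line in acl_lines("101", "host 10.1.0.50", "host 10.2.0.25"):
        print(line)
```

Paste `show access-list` output into `check_coverage()` with the MFP's and the desktop's addresses before adding rules; the generated lines then need to be bound to the interface with `access-group`, and the same exercise repeated on the other PIX for the return direction.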
MightySW commented:
Well, actually just do a show access-group and it should be the permit all and then the deny all for the internal interface outbound (egress).  If this is true then you don't need to create object groups etc. for the AD commands going out, but you will need them coming in.  They should travel from client to client without any issues.  You should check the log by doing a show log.  If you need other Cisco command assistance then be sure to do a search on here or, as you said, repost.  Personally I would be sure that your routing was sufficient and stable before you started troubleshooting.  I am fairly good with a PIX but I am a little rusty as I am a Juniper man now :)  I haven't used a PIX in over 4 years now and it is pretty hands-on for me.  I know that you will have to (should) create object groups and then add them to a network service and then bind that network service to the access-group that you create.  This is where it gets dicey as you will have to create another access-group and if you don't know what you are doing then you will kill your link altogether.

Perhaps someone else could chime in on this one or you could repost to the firewall section and be sure to ask how to create access-lists and groups to pass active directory between a 515 and a 506.

Good luck and Hope this helps.  