Network neighbourhood browsing across a site to site VPN (cisco asa)


We have a remote location that connects to our main office using a site to site VPN (established using a ASA 5520 at the main site and 5505 at the remote location). The remote location has about 10 workstations, all of which are joined to the domain. We have 2 domain controllers at the main site and no servers at the remote location. I do not have any issues at the remote site (logging into the domain, login scripts running etc) except for the fact that none of the remote stations (all XP - SP2) show up in network neighborhood. I can ping the workstation and search by their computer name just fine. I have tried to even use lmhosts on one of the workstations at the remote site without any success.

How can I get the remote workstations to show up in the network neighborhood?

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Allow Microsoft Directory Services (TCP 139, 445) across the VPN. You may also need to allow NetBIOS on the VPN as well.
netman70Author Commented:
I don't have any ACL's applied to the tunnel - is there a specific command to allow 139,445 and NetBIOS across a site-to-site VPN tunnel? Please advise. Thanks!
Browsing uses Netbios over TCPIP. But unless you are using WINS, it is a broadcast technology - every machine broadcasts UDP 137 to announce their name. THe master browser on each segment listens for these and maintains a list for that segment. UDP broadcast are usually not routed across a routed interface like your ASA5505. So in order to get UDP broadcasts across a routed interface, many routers implement a UDP forwarder technique. A cisco router would have an "ip helper-address <server_ip>" statement to forward broadcasts like DHCP and UDP broadcasts. ASAs don't have that feature. Your only option is to use WINS. See this guide from cisco. It may be helpful:
Challenges in Government Cyber Security

Has cyber security been a challenge in your government organization? Are you looking to improve your government's network security? Learn more about how to improve your government organization's security by viewing our on-demand webinar!

netman70Author Commented:
We do have a WINS server (at the main location) - like I mentioned, I even tried to use lmhosts on  a couple of workstations at the remote site, without success
Does WINS utility show that the remote machines are registering with WINS? They should be.
When you say none of the remote machines show up in network neighborhood, I assume you are opening a cmd prompt on a PC on the corporate LAN and issuing "net view". If you do the same command at one of the remote PCs, do you only get the list of those remote PCs (none from headquarters)?. At a remote machine, when you issue Nbtstat -r, are all of the machines resolved by broadcast or are some by Name Server (WINS)? If they are resolved by broadcast, that would confirm that you are having issues with broadcast traffic not going across a routed interface. If so, you need some sort of unicast forwarder for broadcasts, and forward to the master browser on the segment you want to use to see network neighborhood.

Finally, I have to ask the question, is network neighborhood that important if everything works fine for logging into domain, connecting by machine name, mapping drives, scripting, etc? Why not just view WINS active registrations?
netman70Author Commented:
All valid questions and thank you for your input.

this was more a issue of "why" and like you said, not really trying to address a major issue.

when you say "you need some sort of unicast forwarder for broadcasts, and forward to the master browser on the segment " - could you elaborate on what you mean?

We have many remote sites. and they have a cisco router on the segment at the remote site. ON that interface, one would specify "ip helper-address a.b.c.d" where a.b.c.d is the IP of the corporate DHCP server. A second ip helper for the WINS server. This causes teh router to forward any udp broadcasts it receives on that interface to the 2 servers at corporate as a unicast. I think other router vendors do this also. A MS Windows system can also be a DHCP-Relay agent, but I think that only does the DHCP forwarding and not the NBT NameService forwarding. But if there is no router, I don't know what else would work.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Boilermaker is right, just seeing if you need further assistance??
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Internet Protocols

From novice to tech pro — start learning today.