Solved

Network neighbourhood browsing across a site to site VPN (cisco asa)

Posted on 2009-06-30
9
1,016 Views
Last Modified: 2013-11-25
Hi,

We have a remote location that connects to our main office using a site to site VPN (established using an ASA 5520 at the main site and 5505 at the remote location). The remote location has about 10 workstations, all of which are joined to the domain. We have 2 domain controllers at the main site and no servers at the remote location. I do not have any issues at the remote site (logging into the domain, login scripts running etc) except for the fact that none of the remote stations (all XP - SP2) show up in network neighborhood. I can ping the workstation and search by their computer name just fine. I have tried to even use lmhosts on one of the workstations at the remote site without any success.

How can I get the remote workstations to show up in the network neighborhood?

Thanks!
0
Comment
Question by:netman70
9 Comments
 
LVL 10

Expert Comment

by:stsonline
ID: 24748973
Allow Microsoft Directory Services (TCP 139, 445) across the VPN. You may also need to allow NetBIOS on the VPN as well.
0
 

Author Comment

by:netman70
ID: 24750300
I don't have any ACLs applied to the tunnel - is there a specific command to allow 139, 445 and NetBIOS across a site-to-site VPN tunnel? Please advise. Thanks!
0
 
LVL 7

Expert Comment

by:Boilermaker85
ID: 24757495
Browsing uses NetBIOS over TCP/IP. But unless you are using WINS, it is a broadcast technology - every machine broadcasts UDP 137 to announce their name. The master browser on each segment listens for these and maintains a list for that segment. UDP broadcasts are usually not routed across a routed interface like your ASA 5505. So in order to get UDP broadcasts across a routed interface, many routers implement a UDP forwarder technique. A Cisco router would have an "ip helper-address <server_ip>" statement to forward broadcasts like DHCP and UDP broadcasts. ASAs don't have that feature. Your only option is to use WINS. See this guide from Cisco. It may be helpful:
http://www.cisco.com/en/US/tech/tk870/tk877/tk880/technologies_tech_note09186a00801aa01f.shtml#lanservicesbrowser
0

 

Author Comment

by:netman70
ID: 24759060
We do have a WINS server (at the main location) - like I mentioned, I even tried to use lmhosts on a couple of workstations at the remote site, without success.
0
 
LVL 7

Expert Comment

by:Boilermaker85
ID: 24764951
Does WINS utility show that the remote machines are registering with WINS? They should be.
When you say none of the remote machines show up in network neighborhood, I assume you are opening a cmd prompt on a PC on the corporate LAN and issuing "net view". If you do the same command at one of the remote PCs, do you only get the list of those remote PCs (none from headquarters)? At a remote machine, when you issue Nbtstat -r, are all of the machines resolved by broadcast or are some by Name Server (WINS)? If they are resolved by broadcast, that would confirm that you are having issues with broadcast traffic not going across a routed interface. If so, you need some sort of unicast forwarder for broadcasts, and forward to the master browser on the segment you want to use to see network neighborhood.

Finally, I have to ask the question, is network neighborhood that important if everything works fine for logging into domain, connecting by machine name, mapping drives, scripting, etc? Why not just view WINS active registrations?
0
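The `nbtstat -r` check suggested in the comment above, as an added example that is not part of the original thread: it reads the resolution counters and the list of broadcast-resolved names and reports which case applies. The sample output is constructed and abbreviated, the host names are invented, and the function names and verdict labels are hypothetical.

```python
import re

# Constructed, abbreviated sample in the layout `nbtstat -r` prints.
# Host names are invented for this example.
SAMPLE_NBTSTAT_R = """\
    NetBIOS Names Resolution and Registration Statistics
    ----------------------------------------------------

    Resolved By Broadcast     = 3
    Resolved By Name Server   = 0

    Registered By Broadcast   = 3
    Registered By Name Server = 0

    NetBIOS Names Resolved By Broadcast
---------------------------------------------
           REMOTE-PC01    <00>
           REMOTE-PC02    <00>
           REMOTE-PC03    <20>
"""

COUNTER = re.compile(r"^\s*(Resolved|Registered) By (Broadcast|Name Server)\s*=\s*(\d+)\s*$", re.I)
NAME = re.compile(r"^\s+(\S+)\s+<([0-9A-Fa-f]{2})>\s*$")

def parse_nbtstat_r(text):
    """Return (counters keyed by (action, method), names listed as resolved by broadcast)."""
    counters, names, in_list = {}, [], False
    for line in text.splitlines():
        m = COUNTER.match(line)
        if m:
            counters[(m.group(1).lower(), m.group(2).lower())] = int(m.group(3))
        elif "names resolved by broadcast" in line.lower():
            in_list = True          # the per-name list follows this heading
        elif in_list and NAME.match(line):
            names.append(NAME.match(line).group(1))
    return counters, names

def diagnose(text):
    """Classify how this machine has been resolving NetBIOS names."""
    counters, names = parse_nbtstat_r(text)
    bcast = counters.get(("resolved", "broadcast"), 0)
    wins = counters.get(("resolved", "name server"), 0)
    if bcast == 0 and wins == 0:
        verdict = "no-data"         # nothing resolved yet; generate traffic and rerun
    elif wins == 0:
        verdict = "broadcast-only"  # names were found only on the local segment
    elif bcast == 0:
        verdict = "wins-only"       # the name server is reachable and answering
    else:
        verdict = "mixed"
    return verdict, bcast, wins, names
```

Feeding it the saved output of `nbtstat -r` from a remote workstation and from a main-site PC shows at a glance whether either side is depending on broadcasts.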
 

Author Comment

by:netman70
ID: 24766916
All valid questions and thank you for your input.

This was more an issue of "why" and like you said, not really trying to address a major issue.

When you say "you need some sort of unicast forwarder for broadcasts, and forward to the master browser on the segment " - could you elaborate on what you mean?

Thanks!
0
 
LVL 7

Accepted Solution

by:
Boilermaker85 earned 500 total points
ID: 24767565
We have many remote sites, and they have a Cisco router on the segment at the remote site. On that interface, one would specify "ip helper-address a.b.c.d" where a.b.c.d is the IP of the corporate DHCP server. A second ip helper for the WINS server. This causes the router to forward any UDP broadcasts it receives on that interface to the 2 servers at corporate as a unicast. I think other router vendors do this also. A MS Windows system can also be a DHCP-Relay agent, but I think that only does the DHCP forwarding and not the NBT NameService forwarding. But if there is no router, I don't know what else would work.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 24984586
Boilermaker is right, just seeing if you need further assistance??
0


Question has a verified solution.
