Network neighbourhood browsing across a site to site VPN (cisco asa)

Posted on 2009-06-30
Last Modified: 2013-11-25

We have a remote location that connects to our main office using a site to site VPN (established using a ASA 5520 at the main site and 5505 at the remote location). The remote location has about 10 workstations, all of which are joined to the domain. We have 2 domain controllers at the main site and no servers at the remote location. I do not have any issues at the remote site (logging into the domain, login scripts running etc) except for the fact that none of the remote stations (all XP - SP2) show up in network neighborhood. I can ping the workstation and search by their computer name just fine. I have tried to even use lmhosts on one of the workstations at the remote site without any success.

How can I get the remote workstations to show up in the network neighborhood?

Question by:netman70
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 10

Expert Comment

ID: 24748973
Allow Microsoft Directory Services (TCP 139, 445) across the VPN. You may also need to allow NetBIOS on the VPN as well.

Author Comment

ID: 24750300
I don't have any ACL's applied to the tunnel - is there a specific command to allow 139,445 and NetBIOS across a site-to-site VPN tunnel? Please advise. Thanks!

Expert Comment

ID: 24757495
Browsing uses Netbios over TCPIP. But unless you are using WINS, it is a broadcast technology - every machine broadcasts UDP 137 to announce their name. THe master browser on each segment listens for these and maintains a list for that segment. UDP broadcast are usually not routed across a routed interface like your ASA5505. So in order to get UDP broadcasts across a routed interface, many routers implement a UDP forwarder technique. A cisco router would have an "ip helper-address <server_ip>" statement to forward broadcasts like DHCP and UDP broadcasts. ASAs don't have that feature. Your only option is to use WINS. See this guide from cisco. It may be helpful:
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 24759060
We do have a WINS server (at the main location) - like I mentioned, I even tried to use lmhosts on  a couple of workstations at the remote site, without success

Expert Comment

ID: 24764951
Does WINS utility show that the remote machines are registering with WINS? They should be.
When you say none of the remote machines show up in network neighborhood, I assume you are opening a cmd prompt on a PC on the corporate LAN and issuing "net view". If you do the same command at one of the remote PCs, do you only get the list of those remote PCs (none from headquarters)?. At a remote machine, when you issue Nbtstat -r, are all of the machines resolved by broadcast or are some by Name Server (WINS)? If they are resolved by broadcast, that would confirm that you are having issues with broadcast traffic not going across a routed interface. If so, you need some sort of unicast forwarder for broadcasts, and forward to the master browser on the segment you want to use to see network neighborhood.

Finally, I have to ask the question, is network neighborhood that important if everything works fine for logging into domain, connecting by machine name, mapping drives, scripting, etc? Why not just view WINS active registrations?

Author Comment

ID: 24766916
All valid questions and thank you for your input.

this was more a issue of "why" and like you said, not really trying to address a major issue.

when you say "you need some sort of unicast forwarder for broadcasts, and forward to the master browser on the segment " - could you elaborate on what you mean?


Accepted Solution

Boilermaker85 earned 500 total points
ID: 24767565
We have many remote sites. and they have a cisco router on the segment at the remote site. ON that interface, one would specify "ip helper-address a.b.c.d" where a.b.c.d is the IP of the corporate DHCP server. A second ip helper for the WINS server. This causes teh router to forward any udp broadcasts it receives on that interface to the 2 servers at corporate as a unicast. I think other router vendors do this also. A MS Windows system can also be a DHCP-Relay agent, but I think that only does the DHCP forwarding and not the NBT NameService forwarding. But if there is no router, I don't know what else would work.
LVL 39

Expert Comment

ID: 24984586
Boilermaker is right, just seeing if you need further assistance??

Featured Post

What, When and Where - Security Threats from Q1

Join Corey Nachreiner, CTO, and Marc Laliberte, Information Security Threat Analyst, on July 26th as they explore their key findings from the first quarter of 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For a while, I have wanted to connect my HTC Incredible to my corporate network to take advantage of the phone's powerful capabilities. I searched online and came up with varied answers from "it won't work" to super complicated statements that I did…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question