Solved

Network neighbourhood browsing across a site to site VPN (cisco asa)

Posted on 2009-06-30
Last Modified: 2013-11-25
Hi,

We have a remote location that connects to our main office using a site-to-site VPN (established using an ASA 5520 at the main site and a 5505 at the remote location). The remote location has about 10 workstations, all of which are joined to the domain. We have 2 domain controllers at the main site and no servers at the remote location. I do not have any issues at the remote site (logging into the domain, login scripts running, etc.) except for the fact that none of the remote stations (all XP - SP2) show up in network neighborhood. I can ping the workstations and search by their computer name just fine. I have even tried to use lmhosts on one of the workstations at the remote site without any success.

How can I get the remote workstations to show up in the network neighborhood?

Thanks!
Question by:netman70
9 Comments
 
LVL 10

Expert Comment

by:stsonline
ID: 24748973
Allow Microsoft Directory Services (TCP 139, 445) across the VPN. You may also need to allow NetBIOS on the VPN as well.
0
 

Author Comment

by:netman70
ID: 24750300
I don't have any ACLs applied to the tunnel - is there a specific command to allow 139, 445 and NetBIOS across a site-to-site VPN tunnel? Please advise. Thanks!
0
 
LVL 7

Expert Comment

by:Boilermaker85
ID: 24757495
Browsing uses NetBIOS over TCP/IP. But unless you are using WINS, it is a broadcast technology - every machine broadcasts UDP 137 to announce its name. The master browser on each segment listens for these and maintains a list for that segment. UDP broadcasts are usually not routed across a routed interface like your ASA 5505. So in order to get UDP broadcasts across a routed interface, many routers implement a UDP forwarder technique. A Cisco router would have an "ip helper-address <server_ip>" statement to forward broadcasts like DHCP and UDP broadcasts. ASAs don't have that feature. Your only option is to use WINS. See this guide from Cisco. It may be helpful:
http://www.cisco.com/en/US/tech/tk870/tk877/tk880/technologies_tech_note09186a00801aa01f.shtml#lanservicesbrowser
0
 

Author Comment

by:netman70
ID: 24759060
We do have a WINS server (at the main location) - like I mentioned, I even tried to use lmhosts on a couple of workstations at the remote site, without success.
0
 
LVL 7

Expert Comment

by:Boilermaker85
ID: 24764951
Does the WINS utility show that the remote machines are registering with WINS? They should be.
When you say none of the remote machines show up in network neighborhood, I assume you are opening a cmd prompt on a PC on the corporate LAN and issuing "net view". If you do the same command at one of the remote PCs, do you only get the list of those remote PCs (none from headquarters)? At a remote machine, when you issue Nbtstat -r, are all of the machines resolved by broadcast or are some by Name Server (WINS)? If they are resolved by broadcast, that would confirm that you are having issues with broadcast traffic not going across a routed interface. If so, you need some sort of unicast forwarder for broadcasts, and forward to the master browser on the segment you want to use to see network neighborhood.

Finally, I have to ask the question, is network neighborhood that important if everything works fine for logging into domain, connecting by machine name, mapping drives, scripting, etc? Why not just view WINS active registrations?
0
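The `nbtstat -r` check suggested in the comment above can be scripted when several remote workstations need to be compared. This is an added example, not code from the thread: it parses the statistics block and the broadcast-resolved name list and reports whether a host resolved names by broadcast, by name server (WINS), or both. The sample text, the host names and the function names are constructed for illustration.

```python
import re

# Constructed sample laid out like `nbtstat -r` output; not captured from a real host.
SAMPLE = """\
    NetBIOS Names Resolution and Registration Statistics
    ----------------------------------------------------

    Resolved By Broadcast     = 4
    Resolved By Name Server   = 0

    Registered By Broadcast   = 3
    Registered By Name Server = 0

    NetBIOS Names Resolved By Broadcast
---------------------------------------------
           REMOTE-PC01    <00>
           REMOTE-PC02    <20>
"""

COUNTER = re.compile(r"^\s*(Resolved|Registered) By (Broadcast|Name Server)\s*=\s*(\d+)\s*$")
NAME = re.compile(r"^\s+(\S+)\s+<([0-9A-Fa-f]{2})>\s*$")

def parse_nbtstat_r(text):
    """Return (counters, names): the four statistics and the broadcast-resolved names."""
    counters, names, in_list = {}, [], False
    for line in text.splitlines():
        m = COUNTER.match(line)
        if m:
            counters[(m.group(1).lower(), m.group(2).lower())] = int(m.group(3))
        elif line.strip() == "NetBIOS Names Resolved By Broadcast":
            in_list = True  # name entries follow this heading
        elif in_list and (n := NAME.match(line)):
            names.append((n.group(1), n.group(2).upper()))  # (name, NetBIOS suffix)
    return counters, names

def diagnose(text):
    """Classify how this host resolved names and whether it registered with WINS."""
    counters, names = parse_nbtstat_r(text)
    bcast = counters.get(("resolved", "broadcast"), 0)
    wins = counters.get(("resolved", "name server"), 0)
    resolution = {(False, False): "no-data", (True, False): "broadcast-only",
                  (False, True): "wins-only", (True, True): "mixed"}[(bcast > 0, wins > 0)]
    # A zero "Registered By Name Server" count means no registration with WINS was recorded.
    registered = counters.get(("registered", "name server"), 0) > 0
    return {"resolution": resolution, "registered_with_wins": registered,
            "broadcast_names": names}

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A `broadcast-only` result on a remote workstation corresponds to the case the comment describes, where names are being resolved by broadcast rather than through the WINS server.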
 

Author Comment

by:netman70
ID: 24766916
All valid questions and thank you for your input.

This was more an issue of "why" and, like you said, not really trying to address a major issue.

When you say "you need some sort of unicast forwarder for broadcasts, and forward to the master browser on the segment " - could you elaborate on what you mean?

Thanks!
0
 
LVL 7

Accepted Solution

by:
Boilermaker85 earned 2000 total points
ID: 24767565
We have many remote sites, and they have a Cisco router on the segment at the remote site. On that interface, one would specify "ip helper-address a.b.c.d" where a.b.c.d is the IP of the corporate DHCP server. A second ip helper for the WINS server. This causes the router to forward any UDP broadcasts it receives on that interface to the 2 servers at corporate as a unicast. I think other router vendors do this also. A MS Windows system can also be a DHCP-Relay agent, but I think that only does the DHCP forwarding and not the NBT NameService forwarding. But if there is no router, I don't know what else would work.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 24984586
Boilermaker is right, just seeing if you need further assistance??
0

Question has a verified solution.