mewtd asked:
Cannot map to network share on different domain with active site to site VPN

Hi,

There is an active VPN between the two sites, green light on both Sonicwalls.

Despite the fact that there is an active site to site VPN, I cannot map a drive to a share in that domain, is there a further step I need to take to enable me to map a drive to the location?

Any help appreciated.
Tom Cieslik (solution):
If both sites have a DNS server, you could add conditional forwarders.  

This allows the DNS server on site A to ask the DNS server on site B for a record (and vice versa) and pass it back to the client
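As an added example (not part of Tom's answer or anything else in this thread), the conditional forwarders described above configured with the DnsServer PowerShell module on Windows Server DNS. The zone names and server addresses (sitea.local served by 192.168.1.12, siteb.local served by 192.168.90.12) and the host name fileserver.siteb.local are assumptions for illustration.

```powershell
# Added example, not from the thread. Assumed names/addresses:
#   site A domain: sitea.local, DNS server 192.168.1.12
#   site B domain: siteb.local, DNS server 192.168.90.12
# Requires the DnsServer module (Windows Server / RSAT) and admin rights on each DNS server.

# --- Run on the site A DNS server: queries for siteb.local are sent across the tunnel ---
Add-DnsServerConditionalForwarderZone -Name 'siteb.local' `
    -MasterServers '192.168.90.12' `
    -ReplicationScope 'Forest' `
    -PassThru

# --- Run on the site B DNS server: the reverse forwarder, so site B can resolve site A names ---
Add-DnsServerConditionalForwarderZone -Name 'sitea.local' `
    -MasterServers '192.168.1.12' `
    -ReplicationScope 'Forest' `
    -PassThru

# --- Verify from a site A client: ask the local DC for a site B name; it should forward, not fail ---
Resolve-DnsName -Name 'fileserver.siteb.local' -Server '192.168.1.12' -Type A

# Forwarding only works if UDP/TCP 53 is allowed between the two DNS servers through the VPN.
# Test the TCP side from the site A DNS server:
Test-NetConnection -ComputerName '192.168.90.12' -Port 53
```

A forwarder only fixes name resolution. If the share is unreachable by IP as well as by name, as the asker reports further down, the problem sits below DNS (routing or the tunnel itself) and the forwarder will not change that.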
mewtd (asker):
Hi, all, thank you for input.

Our DC is in a Datacenter, I am on a different subnet range, although this subnet range does authenticate via the domain controller in the datacenter.

So I cannot reach the share via name or IP address...

If I am on a remote server in the datacenter, I can map a drive no problem, but that ability was always there.
> "If I am on a remote server in the datacenter": is this the same subnet from which you are trying to do the new mapping on a PC?

If you can authenticate, (those ports are usually open), it would indicate it is not a routing issue and probably not DNS, so I would look to the specific firewall rules on the server to which you are connecting.  It may have specific subnets for file and print sharing.

What is the actual error message you get when the connection fails?
mewtd (asker):
Hi,
No, the office that I am in is on a different subnet to the datacenter. We authenticate to the data center domain controller, on that alternative subnet.

I can map to the data center subnet.
The data center subnet can map to the other office.
I cannot map directly to the other office though...
Definitely sounds like a firewall exception to me.
mewtd (asker):
Ok, thanks Rob, can you advise what I should open on my SonicWALL side, and I will ask them to do the same at the other office?
I think the issue is the server's built-in software firewall, not the SonicWALL. Most site-to-site VPNs allow all traffic unless you create rules to block it.

You "should" be able to check the status of the Windows firewall on the server and change it using the simple management console: Control Panel | Windows Firewall | Allow an app or feature through Windows Firewall | File and Printer Sharing.
There are 3 boxes: domain, private, and public. I suspect public is not selected, and thus it is limited to domain/local connections.
The better and more secure option is to use the Advanced settings and add only the remote subnet. This is more involved as you have to locate all inbound rules pertaining to file and print; some may not be obvious. For each rule open the properties and under the Scope tab you can specify acceptable subnets, or all. Be careful not to affect any rules that may already be in place.

The simple test however would be to temporarily disable the Windows firewall, just to see if it resolves the problem.
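As an added example (not part of Rob's reply or the thread), the scoped-rule approach described above done with the NetSecurity PowerShell module on the file server instead of clicking through the Scope tab of each rule. The allowed subnet list and the server name fileserver.domain.local are assumptions for illustration.

```powershell
# Added example, not from the thread. Restricts the built-in "File and Printer Sharing"
# inbound rules on the file server to the subnets that should reach it, instead of
# ticking the Public profile. The subnets below are assumptions.
$allowedRemote = @('LocalSubnet', '192.168.10.0/24', '192.168.90.0/24')

# All inbound rules in the group; SMB-In (TCP 445) is the one a drive mapping needs.
$fpsRules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound

# Before: which profiles each rule is enabled for and what remote scope it carries.
$fpsRules | ForEach-Object {
    $scope = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Enabled = $_.Enabled
        Profile = $_.Profile
        Remote  = ($scope.RemoteAddress -join ',')
    }
} | Format-Table -AutoSize

# Enable the SMB rule for the Domain and Private profiles only, scoped to the allowed subnets.
# This is the PowerShell equivalent of editing the Scope tab in the advanced firewall console.
$fpsRules | Where-Object DisplayName -like '*SMB-In*' |
    Set-NetFirewallRule -Enabled True -Profile Domain,Private -RemoteAddress $allowedRemote

# After: confirm the scope actually changed on the SMB rule.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Where-Object DisplayName -like '*SMB-In*' |
    Get-NetFirewallAddressFilter | Select-Object -Property RemoteAddress

# From a client on one of the allowed subnets: TCP 445 is what a mapping needs, not ICMP.
Test-NetConnection -ComputerName 'fileserver.domain.local' -Port 445
```

On a domain-joined server that can reach a domain controller the Domain profile is the active one, so the Public checkbox is rarely what is missing; the remote address scope (the Scope tab, or -RemoteAddress here) is the setting that limits which remote subnets may open TCP 445.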
mewtd (asker):
Hi Rob, thanks so much for your help here.
Firewall doesn't seem to be the issue. File sharing enabled on public, and not restricted to any domain.
I turned off the firewall completely, and still couldn't reach the mapping... so turned it back on, on the server.
Just to confirm: your remote site and the server site are on different subnets?  They must be different. And, what is the error you get when the connection fails?
mewtd (asker):
Correct. I'm on one subnet, my server is on a second, and the mapping I'm trying to make is over to a third. I can map from my server to the third subnet, but not directly to it from my laptop.
There is something confused here.
If you do have a site-to-site VPN and it's working then you should be able to ping anything by IP.
It doesn't matter if you are in subnet 192.168.1.x and the other site is 10.0.1.x.
Your firewall (SonicWall) is doing routing on your gateway so all should work.

This was the setup I had 3 years ago when we moved our company from one location to another and it took 6 months to transfer all equipment and computers.

When you ping 10.0.1.10 from 192.168.1.10 then your route is through the gateway, and because the gateway has VPN tunneling with the other site, it is doing NAT between the 2 subnets.

If this is not working then something in your VPN configuration must not be right.

At the beginning you mentioned 2 sites connected; now you are talking about a 3rd one.
Is this third one connected via VPN to one of your sites A or B?
mewtd (asker):
Hi. So all head office servers are in a data centre, including domain controller. My office has a site to site VPN to the data centre. I log in and authenticate via that site to site vpn every day. If I rdp to any server in the data centre I can map to the third location from that server. What I can't do is ping or map directly from my office to the third location.
So three sites. Sites a and b are same domain, but different subnets. Site c is different domain (and subnet).
A can reach b.
B can reach c.
A can't reach c.
If you are trying to go a => b => c you will need to define all the routes. Any device, PC, printer, router, or server, only knows its own subnet and the gateway, i.e. the next hop. If location C is not part of your default gateway subnet you need to statically define the route on each router, as well as the return route to your PC. Sorry, I thought the server to which you were authenticating was also the one with the share.

> I log in and authenticate via that site to site vpn every day.

Let's say the server is site A, your network is site B and between them you have a VPN; you've never specified how site C is connected, and where.
To your location via VPN, or to the site A location via VPN?

If it is under a different domain (domain C) and you're authenticating to domain A then it's normal that you can't map drives on site C since you're not authenticated there.

You need to make a triangle to make this work.

You need a VPN between you (site B) and the DC on site A, which you have now; you also need a VPN between you and site C, and between site C and site A.
But even then, if you are going to be authenticated to site A without a trust between A and C there is no way you'll get access there, or you need to map the drive to site C using different credentials.
mewtd (asker):
Hi, I cannot map a drive to the domain site, even with domain admin credentials for that site.

Neither can I ping to a server on that domain.

And yet I have an active VPN to that site.
Are you connected to site A at the same moment that you're connected to site C?
mewtd (asker):
I have the exact same situation with a different office and it is working perfectly for that office.
It's going to be hard to help you since you're not answering any questions I've asked.
mewtd (asker):
Hi Tom, I'm sorry, but I don't understand your question, that's why I didn't attempt to answer it.

What does this mean?

"Are you connected to site A at the same moment that you're connected to site C?"
OK, let's start again.

Site A ===== Site B - VPN, maps to shares OK
You (site C on different subnet) ===== Site A, OK via authentication, maps shares OK
You (site C) ======= Site B, no communication

Like I said before, there is no direct ROUTE between you (site C) and site B.

You can check this by typing route print in a CMD window.

The only way for you to be able to connect is to create a route from your site C to site B or establish a VPN connection from your subnet to site B.
mewtd (asker):
Hi Tom,

"The only way for you to be able to connect is to create a route from your site C to site B or establish a VPN connection from your subnet to site B"

But I have said from the very first post that I have an active VPN connection from my site (C) and site B.

There is an active VPN connection from my site to Site B.
It has a green light. Connection is up.

I cannot map a drive to Site B.

Create a route from my PC to Site B might be the answer?? That sounds interesting... I will try that!
mewtd (asker):
Hi,

I added a route on my PC to the IP range of the site B, and although the command completed successfully, I still cannot even ping something on that range...
Can you post ipconfig /all from your workstation (site C) while the 2 VPN connections are active?
mewtd (asker):
Hi Tom,

Here is an ipconfig /all from my PC which is on site C:

Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.

Q:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : PCNAME
   Primary Dns Suffix  . . . . . . . : domain.local
   Node Type . . . . . . . . . . . . : Broadcast
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : 192.168.1.12
                                       8.8.8.8
                                       8.8.4.4

Ethernet adapter Ethernet 8:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Sophos SSL VPN Adapter
   Physical Address. . . . . . . . . : 00-FF-66-77-E0-A2
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) 82579V Gigabit Network Connection
   Physical Address. . . . . . . . . : F0-91-1C-77-43-5C
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.10.85(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 05 December 2017 09:16:29
   Lease Expires . . . . . . . . . . : 06 December 2017 09:16:29
   Default Gateway . . . . . . . . . : 192.168.10.1
   DHCP Server . . . . . . . . . . . : 192.168.10.1
   DNS Servers . . . . . . . . . . . : 192.168.1.12
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM943228HM4L 802.11a/b/g/n 2x2 WiFi Adapter
   Physical Address. . . . . . . . . : 34-AX-87-BD-47-81
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : 36-55-87-BD-72-86
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physical Address. . . . . . . . . : 80-56-F2-D0-22-37
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Q:\>
Hm...

It looks like your DHCP is on your router and your DNS is from a different subnet.

Your IP 192.168.10.85
Your DHCP and Gateway 192.168.10.1
Your DNS 192.168.1.12

So if I understand right, your router has 2 VPN connections, to sites A and B, active now, right?
This is site-to-site VPN probably.

Is this VPN set identically for both sites?

For me it looks like your firewall is not creating a route from your subnet to site B; this can be because your second VPN connection is not trusted or is inactive.
Check in the SonicWall if you have 2 tunnels active.
mewtd (asker):
Hi Tom,
The office I am in (Site C) has its own SonicWALL which hands out IP addresses in the 10.0 range.

The domain controller is in site A (which is the 1.0 subnet). That domain controller does the authentication for the office here.

So, yes, our SonicWALL in the office has two active VPN connections.
1 to the Data center, to the servers on the 1.0 range.
2 to the other office which is on a completely different subnet range (90.0)

VPN looks identical from both sides, it is also active from both sides.

How do I create a route to the 90.0 subnet from my SonicWALL here on the 10.0 subnet?
We already discussed using the IP such as \\192.168.123.123\Sharename, but I see you have Google as alternate DNS servers. This is a definite "no no", but especially when connecting to remote sites. DNS does not wait for the first DNS server to time out before connecting to a second. Thus the second, Google, will likely respond first and advise it cannot resolve the name, and end of session. You should ONLY list the corporate DNS server in the DNS config, or use the IP. Also, is the PC a member of the domain? I see domain.local. Is that just edited for security?
mewtd (asker):
Hi Rob,
I cannot map to the IP address\sharename
I removed all references to Google in the DNS for the domain controller, and re-started DNS service.
No change, unfortunately.
My pc is a member of a domain, but remember the DC that it authenticates to is located in a data center, the 1.0 subnet.

I just edited domain.local for security...
You mentioned it didn't work before, but I thought it's a good idea to remove any other potential problems. It does sound like a routing issue. You mention Sophos VPN; does it have any restrictions? I don't know Sophos but some require you to set subnets as trusted.
mewtd (asker):
Does sound like a routing issue, so can you advise on setting up a direct route between the two sonicwalls (from site C to site B)?
I am afraid I am no help with SonicWALLs. You can do it with static routes if you have access to all the devices.

Assume: Site A 192.168.20.x <=> VPN <=> Site B 192.168.10.x <=> VPN <=> Site C 192.168.1.x
G = IP of local VPN router

You would need static routes similar to those below. These are Windows commands; you will need the VPN router commands or a GUI to achieve the same.
On the site A router: route -p add 192.168.1.0 mask 255.255.255.0 192.168.20.G
On the site B router: route -p add 192.168.1.0 mask 255.255.255.0 192.168.10.G
On the site B router: route -p add 192.168.20.0 mask 255.255.255.0 192.168.10.G
On the site C router: route -p add 192.168.20.0 mask 255.255.255.0 192.168.1.G

The site B router entries may not be necessary if covered by default VPN routing.
Go to System, Packet Monitor and enable a filter for the IP you want to ping, then run ping -t against that IP on the other VPN site.
Check in the monitor what the response from the SonicWall is, whether the route is available and what is blocking your route.
mewtd (asker):
Hi Tom,
On the SonicWALL, I put a filter on for site B and started a capture.

Started a constant ping to that IP but it never returned a response and SonicWALL never captured anything.

If I do a tracert to the IP, it immediately returns to say "Unable to resolve target system name"
If site B has a DNS server or DC, for a test try putting that DNS IP as your secondary DNS in the NIC properties and try again.
mewtd (asker):
Hi Tom,

I tried adding the Server B DNS address in as secondary DNS on my DC, but unfortunately no change. Cannot even ping the server, never mind map a drive to it.

@Rob - adding the static routes, is that something you suggest I do on the SonicWALL here, or on the client PC? I believe I tried adding a route yesterday on my PC, but unfortunately it made no difference.
This is a very strange situation, or you've missed something.
You stated you have a VPN between you (site C) and site B but you can't do anything.
Are you sure the VPN is working (apart from the green lights in the SonicWall)?
Are you able to ping your network from site B (try using a remote connection, VNC, TeamViewer, and confirm)?
If not then I think you must re-design your VPN on both routers, site B and site C.
mewtd (asker):
Hi Tom, it is indeed a very strange situation!!!

VPN is active, yet I cannot do anything, correct!
Again... are you sure the VPN is working? Did you test it from site B to C?
If you can't do anything from site C to B then it is NOT WORKING!!!
mewtd (asker):
Well I can only go by the VPN indicator on the Sonicwalls, both of which tell me the VPN is UP!

Is this SonicWALL VPN indicator unreliable?
If you have a problem with routing I would like to know if the problem is only from your computer on site C to site B, or also from site B to site C.
If there is a 2-way communication problem then yes, the VPN is not working.

The indicator is checking only heartbeats, not real traffic.
mewtd (asker):
Both ways, Tom. I cannot ping or map from my side C to side B, and also from side B I cannot ping or map back to here...
Then I think your VPN is not working.
Try disabling this VPN connection and, since you have access to both sides via some remote software, create a new VPN tunnel between sites B and C from scratch. In SonicWall there is a wizard that will help you with this task and it's very easy to set up a site-to-site VPN.
Ping is not really a good test as at least Windows devices do not enable the firewall ping exception by default.
I am also wondering if at log on it is not actually authenticating but rather using cached credentials which will work even with the network cable disconnected.
PS- does    \\IP_of_domain_controller\NETLOGON  display anything
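As an added example (not from Rob's or Tom's replies), the client-side checks this part of the thread relies on, run from the site C laptop: which next hop the laptop actually uses for the remote subnet (the point of the static-route discussion above, and why a route added on the PC alone changed nothing), a TCP 445 test in place of ping, the NETLOGON probe, and mapping with explicit credentials when there is no trust between the domains. All addresses, the domain name SITEB, the account name and the share name are assumptions for illustration.

```powershell
# Added example, not from the thread. Client-side checks from the site C laptop.
# Assumed addresses: site B file server 192.168.90.20, site B DC 192.168.90.10,
# site C gateway 192.168.10.1, remote domain SITEB. Run in an elevated PowerShell.
$remoteServer = '192.168.90.20'
$remoteDc     = '192.168.90.10'

# 1. Which route and next hop does the laptop pick for the site B subnet?
#    Expect the default route via 192.168.10.1. The SonicWALL, not the PC, has to know
#    that 192.168.90.0/24 is behind the tunnel, so a host route added here changes nothing.
Find-NetRoute -RemoteIPAddress $remoteServer |
    Where-Object DestinationPrefix |
    Select-Object -Property DestinationPrefix, NextHop, InterfaceAlias

# 2. Test the SMB port rather than ICMP: Windows hosts drop ping by default, so a failed
#    ping proves nothing, but a completed TCP 445 handshake proves routing both ways.
$smb = Test-NetConnection -ComputerName $remoteServer -Port 445 -InformationLevel Detailed
$smb | Select-Object -Property RemoteAddress, TcpTestSucceeded, PingSucceeded

# 3. Trace the path to see where packets stop (the first hop should be the local SonicWALL).
Test-NetConnection -ComputerName $remoteServer -TraceRoute |
    Select-Object -ExpandProperty TraceRoute

# 4. Probe the remote DC's NETLOGON share and keep the error text:
#    "Network access is denied" means the server answered (a rights problem);
#    a timeout means the packets never arrived (a routing or VPN problem).
try {
    Get-ChildItem -Path "\\$remoteDc\NETLOGON" -ErrorAction Stop |
        Select-Object -First 3 -Property Name
} catch {
    Write-Warning "NETLOGON on $remoteDc : $($_.Exception.Message)"
}

# 5. No trust between the domains: map the share with site B credentials explicitly.
$cred = Get-Credential -UserName 'SITEB\fileadmin' -Message 'Site B credentials'
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\$remoteServer\Share" -Credential $cred -Persist
```

Step 2 and step 4 together separate the two failure modes the thread keeps circling: a TCP 445 reset or an access-denied error means traffic crosses the tunnel and the remaining problem is rights or trust; a plain timeout on both means the packets are not reaching site B at all, which is where the tunnel configuration (including any NAT applied to it) has to be looked at.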
Rob, he has said:
> If I do a tracert to the IP, it immediately returns to say "Unable to resolve target system name"

It looks like there is no active VPN or something is messing up his route.
mewtd (asker):
Gents,

I have logged on to my laptop as different user, who has not logged on to my laptop before so definitely not on cached credentials, and that account could not ping or map.

 \\IP_of_domain_controller\NETLOGON  brought me to folder with all the login scripts for my domain
Like I said before, if you can't trace route from site B to your laptop IP on site C, then for 99% the VPN is not working or is set up with an error.
mewtd (asker):
OK, I deleted the VPN.

Used the wizard to re-create it.

VPN was down!

Went into settings, and saw that the wizard had made the VPN aggressive mode.
Changed this to main mode.

VPN came up immediately, with big green light.
>" \\IP_of_domain_controller\NETLOGON  brought me to folder with all the login scripts for my domain "
Then the VPN is up and running.
Tracert will not work if Pings are blocked
mewtd (asker):
Rob, I was on my own laptop, logged on to my own domain,  \\IP_of_domain_controller\NETLOGON  brought me to my own server.
mewtd (asker):
When I run that command for the remote domain IP I get "Network access is denied"
There is an option to Disable (not delete) the VPN.
Can you, for a test only, disable the VPN to your main office A, then check if you are able to ping one of the IP addresses in office B? Also try to connect from B to C.
mewtd (asker):
Hi, no luck unfortunately.
I spoke with sonicwall support. They said other office has NAT rules applied for the VPN which aren't necessary. I have asked admin on their end to remove, and we'll see if that helps...
A site-to-site VPN should have NAT disabled by definition.
If you're using the wizard to create a site-to-site VPN, NAT is disabled by default.
mewtd (asker):
Hi Tom, I did not have NAT enabled on my side, do you agree that this is likely to be the problem? If so, happy to close question...
Yes, because if you try to ping, let's say, 10.0.1.10 (a server on site B) and this IP is not present on the other end of the VPN because of NAT, then you are not going to be able to ping or access the IP you want.

That's why I asked you if the VPN settings are correct.
mewtd (asker):
This was always trickier because I could only see one sonicwall, I am grateful for all troubleshooting, and will close now...
Glad to hear you resolved.  Thanks mewtd.
Cheers!