RE: Still doesn't work: tough VPN question

From: Justin Menga (Justin.Menga@xxxxxxxxxxxxxxxxxx)
Date: Sun Dec 10 2000 - 07:58:31 GMT-3


   
Hi,

Are you using NAT anywhere in the setup? NAT breaks some NetBIOS stuff,
particularly domain logons and NT trusts.

By NAT I mean: are you referencing the DC by a false IP address, or by its
valid address?

If you are not using NAT, then forget about the IPSec; just think of it as a
router-to-router link. You will be attempting to talk to the DC using
internal addressing, so really all that is required on the remote end is
that the WINS server entries are configured correctly OR a manual LMHOSTS
entry.

-----Original Message-----
From: Jim Bond [mailto:trycisco@yahoo.com]
Sent: Friday, December 08, 2000 6:30 PM
To: smorris@mentortech.com; cisco@groupstudy.com
Cc: ccielab@groupstudy.com
Subject: Still doesn't work: tough VPN question

Hello,

Thank you guys for the help. Unfortunately, I tried to
put an LMHOSTS file in place and it still doesn't work. We use WINS and I
can ping the domain controller by name, so I don't think
it's a naming issue.

I used a sniffer and captured some data: the client is sending a
logon request to the domain controller but doesn't get any
response. It looks like the PIX blocks it. How do I open
it (ports 137, 138, 139)?

Thanks in advance.

Jim

--- Scott Morris <smorris@mentortech.com> wrote:
> Your problem is likely the propagation of
> broadcasts... Or lack thereof.
> One thing you can do (I'm assuming you have a router
> before (LAN-side) the
> PIX) is set up an ip-helper address to forward
> UDP-level broadcasts (like
> 138/139 Netbios) to the NT server.
>
> The other thing you can do is bypass that broadcast
> thought process by using
> LMHosts files on the workstations at the branch
> office. That will pre-load
> (if you use the #PRE designation) the NetBIOS cache
> and give you IP
> addresses to go to. So if you have IP reachability,
> things will work just
> fine then.
>
> In LMHOSTS. :
>
> (ip address) (Netbios name) #PRE #DOM:(domain name
> if domain controller)
>
> Also, to refresh without rebooting the PCs, "nbtstat
> -R"
>
> Hope this helps!
>
> Scott
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com]On Behalf Of
> Jim Bond
> Sent: Thursday, December 07, 2000 1:19 AM
> To: cisco@groupstudy.com
> Cc: ccielab@groupstudy.com
> Subject: tough VPN question
>
>
> Hello,
>
> I'm trying to set up IPSec between a PIX (branch
> office) and a router (central office). All PCs at the
> branch office share 1 IP address. IPSec seems to be
> working fine because clients can ping/telnet/email/map
> drives from/to the central office. The problem is they
> can't log on to the NT domain. They can ping the domain
> controller though.
>
> Any idea why they can't log on to the NT domain? (The
> machines were already added to the domain)
>
> Thanks in advance.
>
>
> Jim
>
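
Added example, not written by any of the posters above: a PIX 6.x-style
configuration for the branch end that puts the thread's two suggestions side
by side. The first part is the PAT-everything setup that "all PCs share 1 IP
address" usually means, which also translates the client when it talks to
the DC; the second exempts branch-to-central traffic from NAT so the DC is
reached with internal addressing (Justin's "router to router link" case),
and then either lets decrypted IPSec traffic bypass the outside ACL or opens
only the NetBIOS ports Jim asked about. Everything concrete here is assumed:
branch 192.168.2.0/24 on the inside interface, central office 192.168.1.0/24,
domain controller 192.168.1.10 named CORPDC01 in domain CORP, and the ACL
names nonat and outside_in.

```cisco
! Assumed topology (not from the thread): branch inside 192.168.2.0/24,
! central office 192.168.1.0/24, NT domain controller 192.168.1.10.
! The two sections below are alternatives; do not apply both.

! --- Section 1: PAT for everything (the "share 1 IP address" setup).
! Traffic to the DC is translated as well, so the DC sees one outside
! address for every branch client and the NetBIOS logon exchange breaks.
nat (inside) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface

! --- Section 2: keep PAT for Internet traffic, exempt VPN traffic.
! nat 0 with an access-list is matched before nat 1, so branch<->central
! traffic crosses the tunnel untranslated and the DC sees 192.168.2.x.
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface

! Option A: traffic decrypted from the IPSec tunnel skips the outside
! interface ACL (and conduits). Simple, but it admits anything the far
! end sends through the tunnel.
sysopt connection permit-ipsec

! Option B (tighter): no sysopt; permit only the NetBIOS ports the domain
! logon needs, from the central office subnet to the branch subnet.
! 137/udp name service, 138/udp datagram service, 139/tcp session service.
access-list outside_in permit udp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq 137
access-list outside_in permit udp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq 138
access-list outside_in permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq 139
access-group outside_in in interface outside
```

With the NAT exemption in place, the branch workstations still need to find
the DC without broadcasts, which is Scott's LMHOSTS point. In his format the
entry for the assumed DC is one line, "192.168.1.10 CORPDC01 #PRE #DOM:CORP",
followed by "nbtstat -R" on the workstation to reload the cache. The nonat
access-list should match the interesting-traffic access-list used by the
crypto map, or packets will be exempted from NAT but not sent into the
tunnel. Option A and option B differ in exposure: the sysopt form trusts the
whole central office through the tunnel, while the explicit ACL limits what
the DC side can initiate toward the branch to the three NetBIOS ports.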



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:26:01 GMT-3