599 Views | 0 Helpful | 3 Replies

ASA to ASA VPN - can auth to Win2003 domain but can't browse remote LAN

miked
Level 1

I have an ASA 5510 with about 30 users behind it (I'll call this site HQ) and an ASA 5505 with about 10 users behind it (I'll call this the remote site). They are set up with a site-to-site VPN between them.

The users at the remote site need to join the domain at HQ and the two networks need to talk to each other for application data as well as remote network administration.

I added the WINS server and domain/FQN attributes for the clients in . The domain controller/WINS server are in the HQ network. I am able to join the remote site PCs to the domain, no problem. I see the WINS server in ipconfig, and I see the correct LOGON SERVER when I run the "set" command.

With the VPN up I can ping, RDP, etc. between the two networks by IP. But browsing Network Neighborhood times out. And trying to administer security on the PCs doesn't work either because I can't "browse the domain". Also, ping or RDP by name doesn't work at all either.

So, network and IP wise it all works fine, but the Windows network portion is not working. I know I've had this working at other sites but don't recall anything special that needed to be done other than the WINS server info.

Are there any special selections in the ASA GUI or commands that need to be added for the network browsing by name to work? Or is there something I'm missing? (Yes, I know... it's a Microsoft network... but it's my client's network, not mine, and I'd like to get it working for them)

Thanks in advance.

3 Replies

Jennifer Halim
Cisco Employee

You are right: as far as the ASA is concerned, there is nothing specific that needs to be enabled for network browsing by name or WINS resolution, as the ASA just works on the IP layer.

I am assuming that if there is any access-list applied on the inside interfaces of each ASA, they are allowing HQ subnet to remote subnet and vice versa.

From the sounds of things, you are not able to resolve names using WINS, so you might want to check/troubleshoot that specifically.

When you perform an NSLOOKUP from the remote end, I gather that it doesn't work with just the name. What about the FQDN instead of the hostname, does that resolve? If it does, then you might want to configure the domain name as the suffix so it uses DNS instead of WINS.

Thanks for the reply.

I have set the domain suffix. I can't resolve the names even by the FQN, although I tested through the Windows "search computers" tool. I also used the full domain path with no luck. I'll try it using nslookup to see if basic resolution is working.

SIDE NOTE: the clients at the remote site used to connect to the HQ network using a VPN client. I'm setting up this site-to-site VPN so they don't have to go through using the VPN client. Maybe there is something in that config on the HQ side that's messing it up. I verified there weren't any double routes going on, but if they connect with the VPN client they get on and can browse and do everything they should be able to.
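The checks Jennifer suggests (short name vs. FQDN resolution, then whether the DC ports are actually allowed between the two subnets) can be scripted from a remote-site host so the result separates a name-resolution fault from an ACL/tunnel fault. The following is an added Python example, not code from the thread or from Cisco; the DC name `dc1`, the suffix `corp.example` and the address `10.1.1.5` are constructed placeholders, and the port list is the standard Windows domain service ports rather than anything taken from the thread.

```python
import socket

# TCP ports a domain member needs to reach on a Windows 2003 domain controller
# across the tunnel. Standard service ports (assumption), not values from the thread.
REQUIRED_TCP_PORTS = {
    88: "Kerberos",
    135: "RPC endpoint mapper",
    139: "NetBIOS session service",
    389: "LDAP",
    445: "SMB / Active Directory",
}


def resolve(name, resolver=socket.gethostbyname):
    """Return the IPv4 address for name, or None when resolution fails."""
    try:
        return resolver(name)
    except OSError:  # socket.gaierror and socket.herror are OSError subclasses
        return None


def tcp_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify(short_ip, fqdn_ip, port_state):
    """Reduce raw results to one verdict.

    port_state maps port -> reachable (bool); it is empty when nothing resolved.
    """
    if short_ip is None and fqdn_ip is None:
        return "name-resolution"  # neither WINS nor DNS answers over the tunnel
    if short_ip is None:
        return "suffix"  # DNS works; the short name needs a DNS suffix or WINS
    blocked = sorted(p for p, ok in port_state.items() if not ok)
    if blocked:
        return "ports-blocked:" + ",".join(str(p) for p in blocked)
    return "ok"


def diagnose(short_name, dns_suffix, resolver=socket.gethostbyname, probe=tcp_open):
    """Resolve short name and FQDN, probe the DC ports, and classify the outcome."""
    short_ip = resolve(short_name, resolver)
    fqdn_ip = resolve(f"{short_name}.{dns_suffix}", resolver)
    target = fqdn_ip or short_ip
    port_state = {p: probe(target, p) for p in REQUIRED_TCP_PORTS} if target else {}
    return {
        "short_ip": short_ip,
        "fqdn_ip": fqdn_ip,
        "ports": port_state,
        "verdict": classify(short_ip, fqdn_ip, port_state),
    }


def make_fake_resolver(table):
    """Constructed stand-in for gethostbyname that fails the way a real miss does."""
    def _resolve(name):
        if name in table:
            return table[name]
        raise socket.gaierror(-2, "Name or service not known")
    return _resolve


def demo_op_symptom():
    """Constructed scenario matching the thread: nothing resolves by name at all."""
    resolver = make_fake_resolver({})  # no WINS or DNS answers over the tunnel
    return diagnose("dc1", "corp.example", resolver=resolver, probe=lambda h, p: True)


def demo_ports_blocked():
    """Constructed scenario: names resolve but SMB/NetBIOS are dropped between subnets."""
    resolver = make_fake_resolver({"dc1": "10.1.1.5", "dc1.corp.example": "10.1.1.5"})
    allowed = {88, 135, 389}  # pretend an ACL passes only these
    return diagnose("dc1", "corp.example", resolver=resolver,
                    probe=lambda h, p: p in allowed)


if __name__ == "__main__":
    import sys
    # Live run from a remote-site host: python check_dc.py <dc short name> <dns suffix>
    print(diagnose(sys.argv[1], sys.argv[2]))
```

Run it live from a remote-site PC with the DC's short name and the DNS suffix; a `name-resolution` verdict points at the WINS/DNS path rather than the ASA, while `ports-blocked` points at the crypto ACL or inside-interface ACLs Jennifer mentions. The two `demo_*` functions use injected resolvers and probes so the logic can be exercised without a tunnel.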

Hi,

can you enable logging at debugging level on the ASA 5505 and 5510 and see if you are seeing any drops when accessing by names?

Regards,

Prapanch
