Announcement

Collapse
No announcement yet.

Map drives doesn't work using VPN

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Map drives doesn't work using VPN

    Hello,

    I have SBS 2003 server .
    Some users have a laptop.
    When the users use a VPN to access the network we thier laptops
    the map drives (shares folders in the network) are empty ( 0 files)
    They don't see the files in it, although they receive a local IP address and they can use RD to other computers in the network.

    I tried to use IP instead of server-name, when I use the "MAP" to rule out DNS problem, but it didn't help.

    b.t.w
    I use to have CISCO 506e pix .Now our ISP replaced it with pix 501 , because of malfunction, but the problem continues.

    I'll be glad to receive your help on this matter.
    Thanks,
    Amit

  • #2
    Re: Map drives doesn't work using VPN

    hi Amit,

    What kind of VPN are we talking about? PPTP, IPSEc...?

    what brings up the tunnel in your VPN? I mean: are you specifying an IP access-list, or are you using some TCP/UDP protocols?

    If its just an IP access-list, and you are satisfied you have full IP connectivity (Layer 3); ie, you can ping everything across both sides that you would expect to, I would have a look at the client settings and make sure all is well there.

    If its more restrictive- ie, TCP and UDP access-lists are used to 'refine' the interesting traffic, then you might have to expand things to permit the protocols needed for 'map drives' to work. I think this still uses NETBIOS- anyone else know?

    Why dont you grab your config, sanitise it and post it here? And a summary of your client settings would also help.

    regards,

    theterranaut

    Comment


    • #3
      Re: Map drives doesn't work using VPN

      theterranaut thanks for your help.

      I'm using Cisco VPN client ( 4. to connect to my work we have "fix IP" .
      In the "Transport" TAb of the client software it set to " IPsec over UDP "
      (I'm not sure how it suppose to be or what configuration my router require)

      but if I change it to IPSEC over TCP - It's doesn't manage to connect at all.

      Once a user is connected to the VPN both sides are manage to "PING" one another.

      I hope I manage to understand your questions - Since I'm not familiar with this network configuration - thank you for your patient .

      thanks in advance

      Comment


      • #4
        Re: Map drives doesn't work using VPN

        Thanks Aarek,

        Over UDP should be fine.

        Can you find the config for the PIX and post it here? A sketch of your topology would be useful as well.

        regards

        theterranaut

        Comment


        • #5
          Re: Map drives doesn't work using VPN

          Hello theterranaut

          Thank you again for your help.
          Besides the books I have here I found link to the pix web site:
          http://www.cisco.com/en/US/products/...080091b18.html.

          Regarding our network:
          We have only one server - SBS 2003 that function both as a DC + file server.
          Although we have EX , the server is not "publish as the world" and users are download their e-mails directly from the ISP.
          Everybody have Win XP + 2-3 computers with Win 2000. (no other OS except one MAC).

          Basically that's it - nothing unique.

          Thanks again

          Comment


          • #6
            Re: Map drives doesn't work using VPN

            Thanks Aarek,

            Do you think you could manage to let me see the config on your PIX?

            regards,

            theterranaut

            Comment


            • #7
              Re: Map drives doesn't work using VPN

              Hi ,
              I have a user to access to my PIX - ( only read permission) with internal IP address , but I couldn't use it at the moment even for just take some snapshots.

              I will talk with my ISP to figure it out.

              Thanks

              Comment


              • #8
                Re: Map drives doesn't work using VPN

                Have the laptops members of the SBS network ( /connectcomputer)

                I have had similar issues with the Windows PPTP client because the DNS in the client was using the local DNS when it should have been pointed the the local IP of the SBS server.

                Just an idea.
                Network Engineers do IT under the desk

                Comment


                • #9
                  Re: Map drives doesn't work using VPN

                  RobW - thanks
                  Yes all the computers are members of the domain = all have them log into the DOMAIN_name (at home they do the same as if they are still at the network- same user , same pass , and the domain name)

                  Do I have to change anythink in the DNS ?
                  I've look at the "forwarders" tab at the DNS configuration and the IP address there are belong to our ISP. should I had our internal IP address of the SBS server ?

                  thanks.

                  Comment


                  • #10
                    Re: Map drives doesn't work using VPN

                    In my office I have a Netscreen 5GT appliance and Windows Server 2003, not SBS. My Dell notebook is a member of my domain and my startup script maps three drives when the notebook is plugged into my network.
                    My notebook also has the Netscreen Remote VPN client (IPSec) that connects to my Netscreen 5GT.

                    When I am away from my network with my notebook, I log on to my notebook using cached credentials. I receive an error that all my network drives could not be connected. This only stands to reason because I have to log on to the notebook before I can initiate a VPN connection. Once I have logged on, I make a VPN connection with my Netscreen client. If I double-click on one of my disconnected network drives, it asks me to authenticate, connects, and then I can see all my files.

                    On an SBS network I do it differently for road warriors. I set RRAS to answer PPTP VPN requests. On the router for the SBS server I forward port 1723 to the SBS server.

                    On the notebook I create a PPTP VPN network connection in either XP of Win2k. This is built in to Windows. In the TCP/IP properties of the VPN connection I make sure the DNS points to the local IP address of the SBS server.
                    When you log on using your notebook and you are at the logon window, check the box to log on using dialup. This will bring up a window allowing you to make the VPN connection first before you log on to Windows on your notebook.

                    With this method, remote locations can still make an IPSec VPN connection to your Cisco, and your road warriors can connect directly to your SBS server, not your Cisco box.
                    Network Engineers do IT under the desk

                    Comment


                    • #11
                      Re: Map drives doesn't work using VPN

                      Dear friends,
                      I've just spoke with technical assistance of our ISP -
                      He raised a question that I didn't have an answer : (and maybe understanding that will help me find the solution to my problem)

                      He claimed that once user is login to his computer (Laptop) before he uses the VPN - he didn't log to the DC yet.
                      The PIX can only give him an IP address not conformation to access to DC...

                      and this is the reason way it doesn't work....
                      RobW- mention the same situation - but is dialup will solve it or I should change more settings ?

                      Thanks

                      Comment


                      • #12
                        Re: Map drives doesn't work using VPN

                        Hi Aarek,

                        I cant see this being the problem (unless there's some domain policy that prevents it.)

                        As RobW has said, if the machines in question are domain members, and their credentials have not expired, they should be able to:

                        1)power up
                        2)log on with 'cached' domain credentials
                        3)connect to your pix via vpn
                        4)connect to their permitted resources

                        And if you are lucky, they might even be able to change passwords over the vpn. I know this works; I am currently typing this while connecting over a vpn to my corporate internet proxy doing exactly as above!


                        I might be missing something here, so can you tell me/us:

                        -does the PIX have a local authentication database its using, or are you handing off authentication to some kind of RADIUS server (ie, IAS on your SBS Server)
                        -is the PIX pushing out any kind of firewall policy to the client that you know of?
                        -when was the last time the machines actually connected via a LAN, as I gather that sometimes Kerberos can get broken if it does not 'see' a machine for a period of time.
                        -when connected via vpn, do you get a 'local' LAN IP (ie, one from your core network) or another network entirely?

                        Things I would try are:
                        1)Bring a machine in from the cold and make sure it can connect to the required resources locally (ie, on your LAN.) This will rule out some underlying issue with domain privileges

                        2)A bit more involved, but, while connected to the vpn, do a portscan on the SBS server and see what its presenting to you. I would think you need to see the relevant Windows ports that negotiate permissions and privileges. For example, our internal DC shows me:

                        "42 nameserver" Open
                        "53 domain" Open
                        "88 kerberos" Open
                        "135 epmap" Open
                        "139 netbios-ssn" Open
                        "389 ldap" Open
                        "445 microsoft-ds" Open
                        "464 kpasswd" Open
                        "593 http-rpc-epmap" Open
                        "636 ldaps" Open
                        "1025 blackjack" Open
                        "1026 cap" Open
                        "1045 fpitp" Open
                        "1052 ddt" Open
                        "1055 ansyslmd" Open
                        "1058 nim" Open
                        "1068 instl_bootc" Open
                        "1071 bsquare-voip" Open
                        "1079 asprovatalk" Open
                        "2301 cpq-wbem" Open
                        "2381 compaq-https" Open
                        "3268 msft-gc" Open
                        "3269 msft-gc-ssl" Open
                        "3372 tip2" Open
                        "3389 ms-wbt-server" Open
                        "8402 abarsd" Open
                        "8400 cvd" Open

                        HTH-

                        theterranaut
                        Last edited by theterranaut; 20th November 2006, 18:05.

                        Comment


                        • #13
                          Re: Map drives doesn't work using VPN

                          thanks theterranaut,

                          I'll try to answer:
                          Yesterday evening I was online with the ISP support from home in order to move things up using the VPN and here is what I learn.
                          once you connected to the PIX you been given an IP address that starts with 172.16.X.X with subnet 255.255.0.0 (not the same as our local one - 192.168.0.1 with subnet 255.255.255.0 - class C )

                          -The Pix is handle by the ISP.
                          - according to the guy of the support once you connected you can work freely
                          although he still insist that the DC is not involve yet so this is the reason I don't have permissions.
                          - the laptops are connected to the network almost on a daily bases (we are talkink about workaholics that continues to work at home.)

                          is that possible to check the credentials ?

                          one last thing - while I was on the phone with this guy we manage to create new map drive like this : right click on the "My Network Places" - writing the \\server-IP address\share
                          and then connect using a diffrent name ..
                          It works like that - but the problem - all my maps are working with script running from the server when users are log in to the network.
                          Now I was thinking maby to create them login script that they can activate at home once they are connected to th VPN....

                          Thanks

                          Comment


                          • #14
                            Re: Map drives doesn't work using VPN

                            Thanks Aarek, all of that is very useful.

                            "Yesterday evening I was online with the ISP support from home in order to move things up using the VPN and here is what I learn.
                            once you connected to the PIX you been given an IP address that starts with 172.16.X.X with subnet 255.255.0.0 (not the same as our local one - 192.168.0.1 with subnet 255.255.255.0 - class C )"

                            Thats fine, shouldn't make any difference.

                            "-The Pix is handle by the ISP.
                            - according to the guy of the support once you connected you can work freely
                            "although he still insist that the DC is not involve yet so this is the reason I don't have permissions."

                            You DO have permissions. I think he's wrong! These laptops have both machine and user accounts within the domain. The machine account will not authenticate in the manner it will on a LAN, but the user account will.


                            "- the laptops are connected to the network almost on a daily bases (we are talkink about workaholics that continues to work at home.)

                            is that possible to check the credentials ?"

                            Brilliant, so we know they work.

                            "one last thing - while I was on the phone with this guy we manage to create new map drive like this : right click on the "My Network Places" - writing the \\server-IP address\share
                            and then connect using a diffrent name ..
                            It works like that - but the problem - all my maps are working with script running from the server when users are log in to the network.
                            Now I was thinking maby to create them login script that they can activate at home once they are connected to th VPN...."

                            I see, so you can map to a resource using a UNC path.

                            I'm wondering if this is something to do with the way the 'Map Network Drives' mechanism works in Windows. As I'd said in an earlier post, I'm sure this still uses Netbios, which, IIRC, is broadly broadcast-based (anyone else care to step in here?) method. The PIX is handing out a routable IP address to your users, but only in the sense that, if the PIX wasn't there and the VPN was down, this 'routed link' would not exist. And, of course, routers in the main stop broadcasts...

                            I will investigate the issue further, but I've a hunch that this is what is happening, if you can connect via UNC.

                            theterranaut

                            Comment


                            • #15
                              Re: Map drives doesn't work using VPN

                              Hi theterranaut,
                              You don't how I'm appreciate for your help and patience... Thanks a lot.

                              At the moment I will define for every user who need VPN access a Map according to we mention here , hopefully in the future I'll find a better way.
                              The important thing that the users will have a solution.

                              Thanks again for all your help and to RobW

                              Comment

                              Working...
                              X