We use Citrix for an accounting application. The terminal servers are in Houston. Remote locations include Dallas and LA.
Local network printers (at the remote location LANs) are defined on the terminal servers as in \\xx.xx.xx.xx\PrinterShareName. The accounting app then can print to these printers. This has been working fine for years.
I deployed a PIX 520 at the Dallas location and discovered that I had to open up netbios ports in order for the printers to work. Fine.
Then I used the same PIX config at the LA location and cannot "see" these terminal server printers. On the terminal server, going to Settings: Printers, these printers say "Opening..." and never say Ready. Unlike Dallas, which has worked fine.
I'm posting the LA PIX config below. All the xx.xx.xx. addresses are local to the LA LAN. The yy.yy.yy. addresses are the terminal server addresses in Houston.
I even tried using an "access-list acl_out permit tcp any any" (and udp, too) last night thinking I would open up everything, but it didn't change a thing.
I'm even willing to enter into a paying situation (hope this isn't against Tek-Tip rules...) if someone can solve this for us.
Thanks in advance.....
ala# show config
: Saved
: Written by enable_15 at 00:15:52.500 UTC Thu Mar 25 2004
PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security4
nameif ethernet3 dmz2 security6
enable password blahblah encrypted
passwd blahblah encrypted
hostname ala
domain-name domain.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list compiled
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host xx.xx.xx.3 eq pcanywhere-data
access-list acl_out permit udp any host xx.xx.xx.3 eq pcanywhere-status
access-list acl_out permit tcp any host xx.xx.xx.3 eq smtp
access-list acl_out permit tcp any host xx.xx.xx.3 eq lotusnotes
access-list acl_out permit tcp any host xx.xx.xx.3 eq www
access-list acl_out permit udp any host xx.xx.xx.3 eq 80
access-list acl_out permit tcp any host xx.xx.xx.5 eq pcanywhere-data
access-list acl_out permit udp any host xx.xx.xx.5 eq pcanywhere-status
access-list acl_out permit tcp any host xx.xx.xx.5 eq smtp
access-list acl_out permit tcp any host xx.xx.xx.5 eq lotusnotes
access-list acl_out permit tcp any host xx.xx.xx.5 eq www
access-list acl_out permit udp any host xx.xx.xx.5 eq 80
access-list acl_out permit tcp host yy.yy.yy.70 host xx.xx.xx.3 eq 137
access-list acl_out permit udp host yy.yy.yy.70 host xx.xx.xx.3 eq netbios-ns
access-list acl_out permit tcp host yy.yy.yy.70 host xx.xx.xx.3 eq 138
access-list acl_out permit udp host yy.yy.yy.70 host xx.xx.xx.3 eq netbios-dgm
access-list acl_out permit tcp host yy.yy.yy.70 host xx.xx.xx.3 eq netbios-ssn
access-list acl_out permit udp host yy.yy.yy.70 host xx.xx.xx.3 eq 139
access-list acl_out permit tcp host yy.yy.yy.73 host xx.xx.xx.3 eq 137
access-list acl_out permit udp host yy.yy.yy.73 host xx.xx.xx.3 eq netbios-ns
access-list acl_out permit tcp host yy.yy.yy.73 host xx.xx.xx.3 eq 138
access-list acl_out permit udp host yy.yy.yy.73 host xx.xx.xx.3 eq netbios-dgm
access-list acl_out permit tcp host yy.yy.yy.73 host xx.xx.xx.3 eq netbios-s
access-list acl_out permit udp host yy.yy.yy.73 host xx.xx.xx.3 eq 139
access-list acl_out permit tcp host yy.yy.yy.79 host xx.xx.xx.3 eq 137
access-list acl_out permit udp host yy.yy.yy.79 host xx.xx.xx.3 eq netbios-ns
access-list acl_out permit tcp host yy.yy.yy.79 host xx.xx.xx.3 eq 138
access-list acl_out permit udp host yy.yy.yy.79 host xx.xx.xx.3 eq netbios-dgm
access-list acl_out permit tcp host yy.yy.yy.79 host xx.xx.xx.3 eq netbios-ssn
access-list acl_out permit udp host yy.yy.yy.79 host xx.xx.xx.3 eq 139
access-list acl_out permit tcp host yy.yy.yy.80 host xx.xx.xx.3 eq 137
access-list acl_out permit udp host yy.yy.yy.80 host xx.xx.xx.3 eq netbios-ns
access-list acl_out permit tcp host yy.yy.yy.80 host xx.xx.xx.3 eq 138
access-list acl_out permit udp host yy.yy.yy.80 host xx.xx.xx.3 eq netbios-dgm
access-list acl_out permit tcp host yy.yy.yy.80 host xx.xx.xx.3 eq netbios-ssn
access-list acl_out permit udp host yy.yy.yy.80 host xx.xx.xx.3 eq 139
access-list acl_out permit tcp host yy.yy.yy.82 host xx.xx.xx.3 eq 137
access-list acl_out permit udp host yy.yy.yy.82 host xx.xx.xx.3 eq netbios-ns
access-list acl_out permit tcp host yy.yy.yy.82 host xx.xx.xx.3 eq 138
access-list acl_out permit udp host yy.yy.yy.82 host xx.xx.xx.3 eq netbios-dgm
access-list acl_out permit tcp host yy.yy.yy.82 host xx.xx.xx.3 eq netbios-ssn
access-list acl_out permit udp host yy.yy.yy.82 host xx.xx.xx.3 eq 139
access-list acl_out permit tcp host yy.yy.yy.70 host xx.xx.xx.5 eq 137
access-list acl_out permit udp host yy.yy.yy.70 host xx.xx.xx.5 eq netbios-ns
access-list acl_out permit tcp host yy.yy.yy.70 host xx.xx.xx.5 eq 138
access-list acl_out permit udp host yy.yy.yy.70 host xx.xx.xx.5 eq netbios-dgm
access-list acl_out permit tcp host yy.yy.yy.70 host xx.xx.xx.5 eq netbios-ssn
access-list acl_out permit udp host yy.yy.yy.70 host xx.xx.xx.5 eq 139
access-list acl_out permit tcp host yy.yy.yy.73 host xx.xx.xx.5 eq 137
access-list acl_out permit udp host yy.yy.yy.73 host xx.xx.xx.5 eq netbios-ns
access-list acl_out permit tcp host yy.yy.yy.73 host xx.xx.xx.5 eq 138
access-list acl_out permit udp host yy.yy.yy.73 host xx.xx.xx.5 eq netbios-dgm
access-list acl_out permit tcp host yy.yy.yy.73 host xx.xx.xx.5 eq netbios-ssn
access-list acl_out permit udp host yy.yy.yy.73 host xx.xx.xx.5 eq 139
access-list acl_out permit tcp host yy.yy.yy.79 host xx.xx.xx.5 eq 137
access-list acl_out permit udp host yy.yy.yy.79 host xx.xx.xx.5 eq netbios-ns
access-list acl_out permit tcp host yy.yy.yy.79 host xx.xx.xx.5 eq 138
access-list acl_out permit udp host yy.yy.yy.79 host xx.xx.xx.5 eq netbios-dgm
access-list acl_out permit tcp host yy.yy.yy.79 host xx.xx.xx.5 eq netbios-ssn
access-list acl_out permit udp host yy.yy.yy.79 host xx.xx.xx.5 eq 139
access-list acl_out permit tcp host yy.yy.yy.80 host xx.xx.xx.5 eq 137
access-list acl_out permit udp host yy.yy.yy.80 host xx.xx.xx.5 eq netbios-ns
access-list acl_out permit tcp host yy.yy.yy.80 host xx.xx.xx.5 eq 138
access-list acl_out permit udp host yy.yy.yy.80 host xx.xx.xx.5 eq netbios-dgm
access-list acl_out permit tcp host yy.yy.yy.80 host xx.xx.xx.5 eq netbios-ssn
access-list acl_out permit udp host yy.yy.yy.80 host xx.xx.xx.5 eq 139
access-list acl_out permit tcp host yy.yy.yy.82 host xx.xx.xx.5 eq 137
access-list acl_out permit udp host yy.yy.yy.82 host xx.xx.xx.5 eq netbios-ns
access-list acl_out permit tcp host yy.yy.yy.82 host xx.xx.xx.5 eq 138
access-list acl_out permit udp host yy.yy.yy.82 host xx.xx.xx.5 eq netbios-dgm
access-list acl_out permit tcp host yy.yy.yy.82 host xx.xx.xx.5 eq netbios-ssn
access-list acl_out permit udp host yy.yy.yy.82 host xx.xx.xx.5 eq 139
access-list acl_out permit tcp host yy.yy.yy.74 host xx.xx.xx.3 eq 137
access-list acl_out permit udp host yy.yy.yy.74 host xx.xx.xx.3 eq netbios-ns
access-list acl_out permit tcp host yy.yy.yy.74 host xx.xx.xx.3 eq 138
access-list acl_out permit udp host yy.yy.yy.74 host xx.xx.xx.3 eq netbios-dgm
access-list acl_out permit tcp host yy.yy.yy.74 host xx.xx.xx.3 eq netbios-ssn
access-list acl_out permit udp host yy.yy.yy.74 host xx.xx.xx.3 eq 139
access-list acl_out permit udp any host xx.xx.xx.3 eq 1604
access-list acl_out permit tcp any host xx.xx.xx.3 eq 1604
access-list acl_inside permit udp any any
access-list acl_inside permit tcp any any
access-list acl_inside permit icmp any any
pager lines 24
logging timestamp
logging console errors
logging trap informational
logging device-id hostname
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
ip address outside xx.xx.xx.4 255.255.255.240
ip address inside 192.168.1.4 255.255.255.0
ip address dmz1 192.168.2.4 255.255.255.0
ip address dmz2 192.168.3.4 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz1
no failover ip address dmz2
pdm history enable
arp timeout 14400
global (outside) 1 xx.xx.xx.14 netmask 255.255.255.240
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xx.xx.xx.2 192.168.1.2 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.3 192.168.1.3 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.5 192.168.1.5 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_inside in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.170 inside
dhcpd dns 168.215.165.186 216.136.33.82
dhcpd lease 82800
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
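As an added check, not part of the post, here is a small Python script that parses acl_out entries of the form shown above and reports, for each terminal-server/printer-host pair, whether the transports NetBIOS over TCP/IP actually uses (udp/137, udp/138, tcp/139) are permitted, and which entries fail to parse. The port-name table and the sample ACL are constructed from the posted config; everything else is an assumption of this example.

```python
import re
from collections import defaultdict

# PIX port names used in the posted config, mapped to port numbers.
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139,
              "www": 80, "smtp": 25, "lotusnotes": 1352,
              "pcanywhere-data": 5631, "pcanywhere-status": 5632}
NETBIOS_PORTS = {137, 138, 139}
# Transports NetBIOS over TCP/IP actually uses: name and datagram service run over
# UDP, the session service (the SMB print path) over TCP; tcp/137, tcp/138 and
# udp/139 rules in the posted config are inert and only add noise to the ACL.
NETBIOS_REQUIRED = {("udp", 137), ("udp", 138), ("tcp", 139)}

ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+permit\s+(?P<proto>\S+)\s+"
    r"(?:host\s+(?P<src>\S+)|any)\s+(?:host\s+(?P<dst>\S+)|any)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$")

def audit_netbios(config_text, acl_name="acl_out"):
    """Return (permitted, bad_lines): permitted maps (src, dst) to the set of
    (proto, port) NetBIOS tuples allowed; bad_lines holds ACEs that did not parse
    or name a port this tool does not know (in the post, the line ending in
    "eq netbios-s", most likely a paste truncation: PIX rejects unknown names)."""
    permitted, bad_lines = defaultdict(set), []
    for line in config_text.splitlines():
        line = line.strip()
        if not line.startswith(f"access-list {acl_name} permit "):
            continue
        m = ACE_RE.match(line)
        if not m:
            bad_lines.append(line)
            continue
        proto, name = m.group("proto"), m.group("port")
        if proto not in ("tcp", "udp"):
            continue  # icmp and friends carry no NetBIOS
        pair = (m.group("src") or "any", m.group("dst") or "any")
        if name is None:  # no "eq": every port on this transport is open
            permitted[pair].update((proto, p) for p in NETBIOS_PORTS)
            continue
        port = int(name) if name.isdigit() else PORT_NAMES.get(name)
        if port is None:
            bad_lines.append(line)
        elif port in NETBIOS_PORTS:
            permitted[pair].add((proto, port))
    return dict(permitted), bad_lines

def missing_netbios(permitted):
    """(src, dst) pairs lacking a transport/port NetBIOS needs, and which ones."""
    return {pair: NETBIOS_REQUIRED - allowed
            for pair, allowed in permitted.items() if NETBIOS_REQUIRED - allowed}

# Constructed subset of the posted acl_out, including the truncated line.
SAMPLE_ACL = """\
access-list acl_out permit icmp any any
access-list acl_out permit tcp host yy.yy.yy.70 host xx.xx.xx.3 eq 137
access-list acl_out permit udp host yy.yy.yy.70 host xx.xx.xx.3 eq netbios-ns
access-list acl_out permit udp host yy.yy.yy.70 host xx.xx.xx.3 eq netbios-dgm
access-list acl_out permit tcp host yy.yy.yy.70 host xx.xx.xx.3 eq netbios-ssn
access-list acl_out permit udp host yy.yy.yy.73 host xx.xx.xx.3 eq netbios-ns
access-list acl_out permit udp host yy.yy.yy.73 host xx.xx.xx.3 eq netbios-dgm
access-list acl_out permit tcp host yy.yy.yy.73 host xx.xx.xx.3 eq netbios-s
"""
```

Run over the full posted config it reports the yy.yy.yy.73 to xx.xx.xx.3 pair as missing tcp/139 because its netbios-ssn line does not parse; a blanket "permit tcp any any" plus "permit udp any any" satisfies every pair, which matches the poster's observation that opening everything did not help and points the search away from the ACL.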