Site to Site VPN Windows Browsing Problem

Status
Not open for further replies.

granty71

IS-IT--Management
Apr 10, 2003
I have just configured 2 Cisco PIX 515s at 2 separate sites. I've got Client to Site working no problem, and site to site, although I have 1 problem on the site to site. I cannot browse (Network Neighbourhood or net view \\servername) between the 2 sites. I can ping servers and I can also nbtstat -a servername on either site from the sites without any problems. However, I can (Network Neighbourhood and net view \\servername) if I connect using Client Access at home to either site...

Any Ideas???
 
Are you blocking NetBIOS out of the PIXes? That might explain why nbtstat works but not network browsing.
 
Have you set up WINS for the VPN users? There is a vpngroup command to specify the WINS server to use.
 
routerman: I have the following in for my WINS server: vpngroup myvpn wins-server <IP_addresses of wins servers>

swj38: I'm very new to PIXes and some of the config has been done by my manager, who's not around at the moment, so how do I check if we're blocking NetBIOS???
 
Just for more info: we're running PIX Version 6.3
 
To check for NetBIOS, have a look at the ACLs for traffic leaving the network (usually the list is applied inbound to your Inside interface).

You're looking for something that's denying TCP/UDP ports 137 to 139.

HTH

 
Excuse my PIX ignorance if I completely misunderstand your question.
1. When you say ACLs, do you mean my access-lists? If so, then I have nothing that's applied inbound to my inside interface.

2. All the access-lists I have only permit; I don't have any denying anything at the moment...
 
Regarding the WINS, I think I'm off track with my original reply; you said the problem is only for site to site. Therefore check your WINS setup: if you have one server, then remote PCs need to use that IP address in their local WINS; if you have 2 WINS servers, then they need to see each other across the VPN.
You are using WINS and not DNS as in Win2k??

For the ACLs, if you don't have an access list bound to the inside interface, then all inside users are allowed to start connections.
 
Yep, ACL = Access-Lists

Only having permits doesn't mean you're not denying; each ACL has a default deny any at the end that doesn't show up when you look at it. So if, for instance, you have a list that went:

Permit tcp 10.10.1.0 0.0.0.255 any eq 80
Permit tcp 10.10.1.0 0.0.0.255 any eq 25

What this would do is permit ports 80 and 25 from the 10.10.1.0 network and deny everything else.

If you have no outbound list, then the other thing I think it might be is that your site to site tunnel doesn't know to encrypt the traffic to the remote network. If you turn your logging level up and then try to browse the network, you'll be able to see what the PIX is doing with the packets. This will make things clearer. It's usually best to do this at a quiet time to avoid too much spurious log information getting in the way.
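
The implicit deny described in the reply above, worked through as an added example that is not part of the original thread: a simplified first-match ACL model in Python (not the PIX's own parser) that checks whether TCP/UDP ports 137 to 139 survive a permit-only list. The sample list is the two entries from the post; the function names and the source host 10.10.1.20 are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample: the two-entry list from the post, in the post's own
# notation ("permit <proto> <network> <wildcard> any eq <port>").
SAMPLE_ACL = """\
Permit tcp 10.10.1.0 0.0.0.255 any eq 80
Permit tcp 10.10.1.0 0.0.0.255 any eq 25
"""

# The NetBIOS range named in the thread: TCP and UDP, ports 137 to 139.
NETBIOS = [(p, port) for p in ("tcp", "udp") for port in (137, 138, 139)]

def parse_acl(text):
    """Parse entries of the single form shown in the post (hypothetical helper)."""
    rules = []
    for line in text.splitlines():
        f = line.lower().split()
        if not f:
            continue
        if len(f) != 7 or f[4] != "any" or f[5] != "eq":
            raise ValueError(f"unsupported entry: {line!r}")
        # ipaddress accepts a wildcard (host) mask after the slash.
        network = ipaddress.ip_network(f"{f[2]}/{f[3]}")
        rules.append((f[0], f[1], network, int(f[6])))
    return rules

def evaluate(rules, proto, src, dport):
    """First match wins; falling off the end of the list is the implicit deny."""
    src = ipaddress.ip_address(src)
    for n, (action, r_proto, network, port) in enumerate(rules, 1):
        if r_proto in (proto, "ip") and src in network and port == dport:
            return action, f"entry {n}"
    return "deny", "implicit deny"

def netbios_verdicts(rules, src):
    """Verdict for every NetBIOS protocol/port pair from one source host."""
    return {f"{p}/{port}": evaluate(rules, p, src, port) for p, port in NETBIOS}

if __name__ == "__main__":
    rules = parse_acl(SAMPLE_ACL)
    print("tcp/80", evaluate(rules, "tcp", "10.10.1.20", 80))
    for service, verdict in netbios_verdicts(rules, "10.10.1.20").items():
        print(service, verdict)
```
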

 