NetBIOS over IPSEC, driving me buggy!

Unanswered Question
Mar 16th, 2009

So I have an ASA in a little abnormal setup.

The site has a managed router far down stream and my only option for VPN is to have a static translated to my ASA.

My ASA has only one interface plugged in, inside. Things seem to work great, I can ping things, connect to them via RDP, etc. However, I for the life of me cannot map a windows drive.

So the inside address is, the pool is in the same range (, and the server I'm trying to map is at

Attached is my config, if anyone has some time it would be appreciated.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
w-schultz Tue, 03/17/2009 - 06:35

Appreciate the response!

Couple of things I should have noted... NetBIOS over TCP is enabled, however there is no AD Domain, internal DNS or internal WINS. I can definitely hit the server in question on tcp.445 via nmap and telnet, but the NetBIOS request does not make it back. I can see in the asa logs that the connection is built and torn down, however the mapping of drives will fail every time.

w-schultz Tue, 03/17/2009 - 06:44

And yet more info that I've left out, I am attempting to map via IP address. Mapping of the drive, via IP, works okay on the LAN.

The ASA logs don't show anything abnormal. The packet trace tool, however, shows 'ip spoof detected'. This is shown for protocols that work, for example RDP.3389, as well.

w-schultz Tue, 03/17/2009 - 07:06

I should also let you know, I've also tried changing the pool addresses to a different range, 192.168.100 for example, and running a nat0 config to those. Again regular tcp services work but no NetBIOS.

I've also attempted to run the different pool range through a global, and still the same result.

I've got a feeling it's got something to do with the single interface configuration but I can't seem to pinpoint it, and it's driving me nuts :-)

w-schultz Tue, 03/17/2009 - 22:46

We're going to put in a test AD server tomorrow, running DNS and WINS. See if that works...

Thanks for the time.

w-schultz Mon, 03/30/2009 - 05:31

Just fyi, looks like this is identified under CSCsu26649

Disabled compression (ip-comp disable) and things seem to work.


This Discussion