
NetBIOS over IPSEC, driving me buggy!

w-schultz
Level 1

So I have an ASA in a little abnormal setup.

The site has a managed router far downstream and my only option for VPN is to have a static translated to my ASA.

My ASA has only one interface plugged in, inside. Things seem to work great, I can ping things, connect to them via RDP, etc. However, I for the life of me cannot map a Windows drive.

So the inside address is 10.0.246.10, the pool is in the same range (10.0.246.40-49), and the server I'm trying to map is at 10.0.246.1.

Attached is my config, if anyone has some time it would be appreciated.


andrew.prince
Level 10

NetBIOS is unroutable via IP. You need to enable NetBIOS over TCP on the Windows machines, and if you have a WINS server that would also help.

HTH

Appreciate the response!

Couple of things I should have noted... NetBIOS over TCP is enabled, however there is no AD Domain, internal DNS or internal WINS. I can definitely hit the server in question on tcp.445 via nmap and telnet, but the NetBIOS request does not make it back. I can see in the ASA logs that the connection is built and torn down, however the mapping of drives will fail every time.

Well, there is your issue - how do you expect it to resolve anything if there is no AD/DNS - you have to have a name-to-IP resolution.

Add the server name in the local host file on the machine - this will work.

Or just map the drive using the IP address instead of the name.

HTH

And yet more info that I've left out, I am attempting to map via IP address. Mapping of the drive, via IP, works okay on the LAN.

The ASA logs don't show anything abnormal. The packet trace tool, however, shows 'ip spoof detected'. This is shown for protocols that work, for example RDP.3389, as well.

I should also let you know, I've also tried changing the pool addresses to a different range, 192.168.100 for example, and running a nat0 config to those. Again regular tcp services work but no NetBIOS.

I've also attempted to run the different pool range through a global, and still the same result.

I've got a feeling it's got something to do with the single interface configuration but I can't seem to pinpoint it, and it's driving me nuts :-)

Can you access the share on the server from a machine local to the server, i.e. not over the WAN/VPN?

Yes, on the LAN things work well...

If it works OK with IP then try editing the local host file of the machine which you are trying to access. You can also make an entry of the same on the source machine too. That would definitely work.

We're going to put in a test AD server tomorrow, running DNS and WINS. See if that works...

Thanks for the time.

Just FYI, looks like this is identified under CSCsu26649

Disabled compression (ip-comp disable) and things seem to work.
