
PIX to PIX VPN error 'No domain server available...'

gzullich
Level 1

Hi, hope someone may shed some light on my problem...

I have set up a PIX to PIX VPN and am unable to logon to the domain.

The tunnel works, as I can ping both ways and load intranet web pages; however, I cannot map a drive and the error is “No Domain server is available etc…”.

When I run the ‘Set’ command, the LogonServer is listed as the local machine name.

Background:

I am replacing a private leased L2 ADSL connection with a faster IP link.

Previously there had been 1 subnet (192.168.1.0) between the two sites and a PIX-506 at the Main site providing internet connections for all.

I have taken the 506 to the 2nd office and replaced it with a 515e in the Main office, and set up the VPN at the 2nd site (506) with a 192.168.2.0 subnet (to save on addresses); I will have the PIX do DHCP.

I have added NAT translation exemptions with no effect, can I make this connection transparent to Windows RPC?

My Configs:

Main Site:

: Saved
: Written by enable_15 at 01:37:01.116 CST Wed Jan 21 2004
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXX encrypted
passwd xxxxxxxxx encrypted
hostname PIX515
domain-name blah.local
clock timezone CST -6
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.2.0 Albert
access-list acl_out permit gre any any
access-list acl_out permit tcp host XXX.XXX.XXX.XXX any eq XXXX
access-list 101 permit ip 192.168.1.0 255.255.255.0 Albert 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 Albert 255.255.255.0
access-list outside_inbound_nat0_acl permit ip Albert 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging on
logging trap alerts
logging device-id hostname
logging host inside 192.168.1.161
icmp deny any echo outside
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x x.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 192.168.1.240-192.168.1.250
pdm location 192.168.1.88 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 0 access-list outside_inbound_nat0_acl outside
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface XXX 192.168.1.X 3389 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 66.11.70.14 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.88 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 66.22.22.22
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ****** address 66.22.22.22 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.1.2 255.255.255.255 inside
telnet 192.168.1.88 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 10
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username test password ********
vpdn enable outside
terminal width 80
Cryptochecksum:xxxx
: end

2nd Office:

: Saved
: Written by enable_15 at 01:37:01.116 CST Wed Jan 21 2004
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Q encrypted
passwd Q encrypted
hostname PIX515
domain-name blah.local
clock timezone CST -6
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.2.0 Albert
access-list acl_out permit gre any any
access-list acl_out permit tcp host xxx.xxx.xxx.xxx any eq XXX
access-list 101 permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 Albert 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 Albert 255.255.255.0
access-list outside_inbound_nat0_acl permit ip Albert 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging on
logging trap alerts
logging device-id hostname
logging host inside 192.168.1.161
icmp deny any echo outside
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x x.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 192.168.1.240-192.168.1.250
pdm location 192.168.1.88 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 0 access-list outside_inbound_nat0_acl outside
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface xxx 192.168.1.X 3389 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 66.11.11.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.88 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 66.22.22.22
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ****** address 66.22.22.22 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.1.2 255.255.255.255 inside
telnet 192.168.1.88 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 10
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns 192.168.1.2
vpdn group 1 client configuration wins 192.168.1.2
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username test password ********
vpdn enable outside
terminal width 80
Cryptochecksum:xxxxx
: end
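The crypto-map match ACL (outside_cryptomap_20) at one site has to be the mirror image of the peer's, and the nat 0 ACL (101 on both boxes above) has to cover the same subnets so that tunnel traffic escapes the `nat (inside) 1` translation. The Python script below is an added example, not code from the thread or from Cisco: it parses the `name` aliases and `access-list ... permit ip` lines of PIX 6.3 configs and runs those two checks. The three config excerpts in it are constructed: the first two are reduced to the relevant lines of the Main and 2nd-office configs above, the third is a deliberately made-up nat 0 ACL written with `host` on network addresses to show what the check catches.

```python
"""Mirror-image and NAT-exemption checks for PIX 6.3 crypto ACLs (added example)."""
import ipaddress
import re

# Constructed excerpts: only the name aliases and ACL lines that matter here.
MAIN_SITE = """\
name 192.168.2.0 Albert
access-list 101 permit ip 192.168.1.0 255.255.255.0 Albert 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 Albert 255.255.255.0
"""

REMOTE_SITE = """\
name 192.168.2.0 Main
name 192.168.1.0 MainSt
access-list 101 permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list 101 permit ip host Main host MainSt
access-list outside_cryptomap_20 permit ip Main 255.255.255.0 MainSt 255.255.255.0
"""

# Constructed negative case: `host` on a network address exempts a single /32,
# not the /24 the crypto ACL encrypts, so tunnel traffic would still be NATed.
REMOTE_HOST_ONLY = """\
name 192.168.2.0 Main
name 192.168.1.0 MainSt
access-list 101 permit ip host Main host MainSt
access-list outside_cryptomap_20 permit ip Main 255.255.255.0 MainSt 255.255.255.0
"""


def parse_names(config):
    """Map `name <ip> <alias>` lines to {alias: ip}."""
    names = {}
    for line in config.splitlines():
        m = re.match(r"\s*name\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$", line)
        if m:
            names[m.group(2)] = m.group(1)
    return names


def _operand(tokens, i, names):
    """Parse one ACL address operand (any | host X | X MASK) starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        addr = names.get(tokens[i + 1], tokens[i + 1])
        return ipaddress.ip_network(addr + "/32"), i + 2
    addr = names.get(tok, tok)
    # ipaddress accepts a dotted netmask after the slash; strict=False tolerates host bits.
    return ipaddress.ip_network(f"{addr}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(config, acl_name):
    """Return [(src_network, dst_network)] for the `permit ip` entries of one ACL."""
    names = parse_names(config)
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:4] != ["access-list", acl_name, "permit", "ip"]:
            continue  # other ACLs, remarks and non-IP entries are ignored
        src, i = _operand(tokens, 4, names)
        dst, _ = _operand(tokens, i, names)
        entries.append((src, dst))
    return entries


def mirror_mismatches(local, peer):
    """Local (src, dst) pairs whose reversed pair does not exist on the peer."""
    reversed_peer = {(d, s) for s, d in peer}
    return [f"{s} -> {d}" for s, d in local if (s, d) not in reversed_peer]


def not_exempted(crypto, nat0):
    """Crypto pairs that no nat 0 entry covers, i.e. traffic that would still be NATed."""
    return [
        f"{s} -> {d}"
        for s, d in crypto
        if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nat0)
    ]


def check_pair(local_cfg, peer_cfg, crypto_acl="outside_cryptomap_20", nat0_acl="101"):
    """Run both checks from the point of view of local_cfg."""
    local_crypto = parse_acl(local_cfg, crypto_acl)
    return {
        "crypto_not_mirrored": mirror_mismatches(local_crypto, parse_acl(peer_cfg, crypto_acl)),
        "crypto_not_nat_exempt": not_exempted(local_crypto, parse_acl(local_cfg, nat0_acl)),
    }


if __name__ == "__main__":
    print("main   :", check_pair(MAIN_SITE, REMOTE_SITE))
    print("remote :", check_pair(REMOTE_SITE, MAIN_SITE))
    print("bad nat0:", check_pair(REMOTE_HOST_ONLY, MAIN_SITE))
```

Both excerpts modelled on the thread pass cleanly (the remote's 192.168.0.0/16 nat 0 entry covers the crypto pair even though its `host Main host MainSt` line alone would not); the constructed host-only variant reports the /24 pair as not exempt, which is the symptom to look for when a tunnel passes pings but the peer sees translated source addresses.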

4 Replies

mostiguy
Level 6

In the second office, are the client pcs getting the wins and dns settings via DHCP? Are you running an internal wins and dns server at the main office?

Hi, thanks for the reply. All the config is now static IP, as I was planning to have the remote PIX handle that once the link worked.

I am running W2k Server and DNS at the main site, and there is presently no scope for the remote site (192.168.2.0).

Here is the second remote config, as I posted the same one 2x:

: Saved
: Written by enable_15 at 10:06:22.042 CST Wed Jan 21 2004
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname PIX506
domain-name blah.local
clock timezone CST -6
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.2.0 Main
name 192.168.1.0 MainSt
access-list acl_out permit gre any any
access-list acl_out permit tcp host 205.200.72.156 any eq telnet
access-list 101 permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list 101 permit ip host Main host MainSt
access-list outside_cryptomap_20 permit ip Main 255.255.255.0 MainSt 255.255.255.0
access-list outside_inbound_nat0_acl remark Link to Main
access-list outside_inbound_nat0_acl permit ip host MainSt host Main
pager lines 24
logging on
logging trap alerts
logging device-id hostname
icmp deny any echo outside
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x x.255.255.248
ip address inside 192.168.2.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 192.168.1.240-192.168.1.250
pdm location MainSt 255.255.255.0 outside
pdm location Main 255.255.255.255 inside
pdm location 192.168.2.55 255.255.255.255 inside
pdm location MainSt 255.255.255.0 inside
pdm location MainSt 255.255.255.255 outside
pdm logging alerts 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 0 access-list outside_inbound_nat0_acl outside
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 66.225.137.118 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http Main 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 66.11.11.11
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key aqz1zaq address 66.11.11.11 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.1.2 255.255.255.255 inside
telnet 192.168.1.88 255.255.255.255 inside
telnet 192.168.1.151 255.255.255.255 inside
telnet 192.168.2.55 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 10
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns 192.168.1.2
vpdn group 1 client configuration wins 192.168.1.2
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username test password ********
vpdn enable outside
terminal width 80
Cryptochecksum:xxxx
: end

Active Directory is very dependent on DNS. WINS is important for populating the network neighborhood. For test purposes, you can use a statically coded LMHOSTS file on your remote client PC for testing:

\winnt\system32\drivers\etc

Edit lmhosts.sam, read it, and create a preload record for your domain controller:

domaincontrollername #PRE #DOM:ntdomainnamehere

That is the NetBIOS domain name, so no .com on the end.

Save the file as lmhosts, with no file extension.

Reboot the PC and see if it can log on to the domain.

I would set up a DNS zone for the remote subnet, and point those clients at the DNS server at the main site. You will need to create static records for every host at the remote site. Using DHCP + dynamic DNS is an infinitely preferable solution.
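The LMHOSTS preload record described above is easy to get subtly wrong (a DNS-style domain name instead of the flat NetBIOS name, a name over 15 characters, or a missing address column). The Python helper below is an added example, not code from the thread or from Microsoft: it builds a complete LMHOSTS line (a real line starts with the controller's IP address, which the abbreviated form in the reply leaves out), enforces the NetBIOS naming rules, and parses an existing file to confirm a preloaded domain-controller entry is present. The DC name `MAINDC1`, the NetBIOS domain `BLAH` (the thread only shows the DNS name blah.local) and the sample file are constructed; the address 192.168.1.2 is the main-site server address that appears in the configs.

```python
"""Build, validate and parse LMHOSTS #PRE #DOM preload entries (added example)."""
import re

NETBIOS_MAX = 15  # a NetBIOS name is 15 characters; the 16th byte is the suffix
_IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")

# Constructed sample file, in the layout of lmhosts.sam minus its header comments.
SAMPLE_LMHOSTS = """\
# constructed sample: remote-office client pointing at the main-site DC
192.168.1.2    MAINDC1    #PRE    #DOM:BLAH
192.168.1.88   FILESRV
"""


def _valid_ipv4(text):
    m = _IPV4.match(text)
    return bool(m) and all(0 <= int(octet) <= 255 for octet in m.groups())


def validate_netbios_name(name, what):
    """Raise ValueError unless `name` is a usable flat NetBIOS name."""
    if not name or len(name) > NETBIOS_MAX:
        raise ValueError(f"{what} {name!r} must be 1-{NETBIOS_MAX} characters")
    if "." in name:
        # 'blah.local' is the DNS name; LMHOSTS needs the NetBIOS name with no suffix.
        raise ValueError(f"{what} {name!r} must be the NetBIOS name, not a DNS name")
    if re.search(r'[\s\\/:*?"<>|]', name):
        raise ValueError(f"{what} {name!r} contains characters NetBIOS does not allow")


def lmhosts_preload_entry(ip, dc_name, nt_domain):
    """Return one LMHOSTS line that preloads `dc_name` as a controller for `nt_domain`."""
    if not _valid_ipv4(ip):
        raise ValueError(f"bad IPv4 address {ip!r}")
    validate_netbios_name(dc_name, "domain controller name")
    validate_netbios_name(nt_domain, "NT domain name")
    # #PRE preloads the record into the name cache; #DOM:<domain> marks it as a DC.
    return f"{ip}\t{dc_name.upper()}\t#PRE\t#DOM:{nt_domain.upper()}"


def parse_lmhosts(text):
    """Parse LMHOSTS text into [(ip, name, domain_or_None, preloaded)].

    Lines starting with '#' are comments (or #INCLUDE-style directives, which this
    simple parser does not follow); keywords after the name are #PRE and #DOM:.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if len(tokens) < 2 or not _valid_ipv4(tokens[0]):
            continue
        keywords = [t.upper() for t in tokens[2:]]
        domain = next((k[5:] for k in keywords if k.startswith("#DOM:")), None)
        entries.append((tokens[0], tokens[1].upper(), domain, "#PRE" in keywords))
    return entries


def has_preloaded_dc(text, nt_domain):
    """True if the file preloads at least one domain controller for `nt_domain`."""
    return any(pre and dom == nt_domain.upper() for _, _, dom, pre in parse_lmhosts(text))


if __name__ == "__main__":
    print(lmhosts_preload_entry("192.168.1.2", "maindc1", "blah"))
    print(parse_lmhosts(SAMPLE_LMHOSTS))
    print(has_preloaded_dc(SAMPLE_LMHOSTS, "BLAH"))
```

After writing the line into `lmhosts` (no extension), `nbtstat -R` purges and reloads the NetBIOS name cache from the file, so the preload can be checked with `nbtstat -c` without waiting for a reboot.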

Thanks for the suggestions, they worked a charm! Cheers, and thanks again!

G