What do I need to do to get the Cisco VPN Client 3.x to show computers in the remote network neighborhood?
I'm testing it on a Win 98 PC, but need it to work on Win 95, NT, 2000, and XP.
For starters make sure "File and Print Sharing" and "Client for MS Networks" are turned on. hmmmm......seems like that's my answer for everything...go figure
File and Printer Sharing is turned on. Client for MS Networks is installed as well, but I still cannot browse the Network Neighborhood. On the PIX, I have:
access-list 101 permit ip 126.96.36.199 255.255.0.0 10.0.252.0 255.255.255.0
Do I also need to permit some UDP ports?
I was, but now I'm getting "no domain controller was available".
Below is my PIX config:
nj-pix1a(config)# wr t
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 private security10
enable password 8TtHic.igNQfxtlP encrypted
passwd 8A8GWRAN7wD/EokS encrypted
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol ftp 20-21
access-list 101 permit ip 188.8.131.52 255.255.0.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 184.108.40.206 255.255.0.0 220.127.116.11 255.255.255.0
access-list 101 permit ip 18.104.22.168 255.255.0.0 10.0.254.0 255.255.255.0
access-list 101 permit ip 22.214.171.124 255.255.0.0 10.0.253.0 255.255.255.0
access-list 201 permit ip 126.96.36.199 255.255.0.0 192.168.2.0 255.255.255.0
access-list 301 permit ip 188.8.131.52 255.255.0.0 184.108.40.206 255.255.255.0
pager lines 24
logging buffered emergencies
logging trap emergencies
logging history emergencies
logging host inside 220.127.116.11
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 10baset
interface ethernet3 100full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu private 1500
ip address outside 18.104.22.168 255.255.255.0
ip address inside 22.214.171.124 255.255.255.0
ip address dmz 126.96.36.199 255.255.255.0
ip address private 188.8.131.52 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptppool 10.0.253.1-10.0.253.254
ip local pool ipsecpool 10.0.254.1-10.0.254.254
failover timeout 0:00:00
failover poll 15
failover ip address outside 184.108.40.206
failover ip address inside 220.127.116.11
failover ip address dmz 18.104.22.168
failover ip address private 22.214.171.124
failover link private
pdm history enable
arp timeout 14400
global (outside) 1 126.96.36.199 netmask 255.255.255.0
global (dmz) 1 188.8.131.52 netmask 255.255.255.255
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 184.108.40.206 255.255.255.0 0 0
static (dmz,outside) 220.127.116.11 18.104.22.168 netmask 255.255.255.255 0 0
static (inside,outside) 22.214.171.124 126.96.36.199 netmask 255.255.255.255 0 0
static (inside,outside) 188.8.131.52 184.108.40.206 netmask 255.255.255.255 0 0
static (inside,outside) 220.127.116.11 18.104.22.168 netmask 255.255.255.255 0 0
static (inside,outside) 22.214.171.124 126.96.36.199 netmask 255.255.255.255 0 0
static (inside,outside) 188.8.131.52 184.108.40.206 netmask 255.255.255.255 0 0
static (inside,dmz) 220.127.116.11 18.104.22.168 netmask 255.255.255.0 0 0
static (inside,outside) 22.214.171.124 126.96.36.199 netmask 255.255.255.255 0 0
static (inside,outside) 188.8.131.52 184.108.40.206 netmask 255.255.255.255 0 0
static (inside,outside) 220.127.116.11 18.104.22.168 netmask 255.255.255.255 0 0
static (inside,outside) 22.214.171.124 126.96.36.199 netmask 255.255.255.255 0 0
static (inside,outside) 188.8.131.52 184.108.40.206 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 220.127.116.11 eq www any
conduit permit tcp host 18.104.22.168 eq smtp any
conduit permit tcp host 22.214.171.124 eq 135 any
conduit permit tcp host 126.96.36.199 eq 1225 any
conduit permit tcp host 188.8.131.52 eq 1226 any
conduit permit tcp host 184.108.40.206 eq www any
conduit permit udp host 220.127.116.11 eq isakmp any eq isakmp
conduit permit tcp host 18.104.22.168 eq 256 any eq 500
conduit permit esp host 22.214.171.124 any
conduit permit ah host 126.96.36.199 any
conduit permit udp host 188.8.131.52 any
conduit permit tcp host 184.108.40.206 eq 3398 any
conduit permit tcp host 220.127.116.11 range ftp-data ftp any
conduit permit ip host 18.104.22.168 any
conduit permit ip host 22.214.171.124 any
conduit permit tcp host 126.96.36.199 eq 256 any
conduit permit udp host 188.8.131.52 eq isakmp any
conduit permit esp host 184.108.40.206 any
conduit permit ah host 220.127.116.11 any
conduit permit tcp host 18.104.22.168 eq smtp any
conduit permit tcp host 22.214.171.124 eq 1723 any
conduit permit tcp host 126.96.36.199 eq 1723 any
conduit permit gre host 188.8.131.52 any
conduit permit tcp host 184.108.40.206 eq 1723 any
conduit permit gre host 220.127.116.11 any
conduit permit tcp host 18.104.22.168 eq 1723 any
conduit permit gre host 22.214.171.124 any
conduit permit tcp host 126.96.36.199 eq 1723 any
conduit permit gre host 188.8.131.52 any
conduit permit tcp host 184.108.40.206 eq 1723 any
conduit permit gre host 220.127.116.11 any
route outside 0.0.0.0 0.0.0.0 18.104.22.168 1
route outside 192.168.2.0 255.255.255.0 22.214.171.124 1
route inside 126.96.36.199 255.255.0.0 188.8.131.52 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
snmp-server host inside 184.108.40.206
snmp-server location DUR-NJ-US
snmp-server contact Mario Benitez
snmp-server community TUMI-US
snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 10 ipsec-isakmp
crypto map dyn-map 10 match address 201
crypto map dyn-map 10 set peer 220.127.116.11
crypto map dyn-map 10 set transform-set myset
crypto map dyn-map 11 ipsec-isakmp
crypto map dyn-map 11 match address 301
crypto map dyn-map 11 set peer 18.104.22.168
crypto map dyn-map 11 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map client configuration address initiate
crypto map dyn-map client configuration address respond
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 22.214.171.124 netmask 255.255.255.255
isakmp key ******** address 126.96.36.199 netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local ipsecpool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 1
isakmp policy 11 lifetime 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup test address-pool ipsecpool
vpngroup test dns-server 188.8.131.52
vpngroup test wins-server 184.108.40.206
vpngroup test default-domain tumi.com
vpngroup test idle-time 1800
vpngroup test password ********
telnet 220.127.116.11 255.255.255.255 inside
telnet 18.104.22.168 255.255.255.255 inside
telnet 22.214.171.124 255.255.255.255 inside
telnet 126.96.36.199 255.255.255.255 inside
telnet 188.8.131.52 255.255.255.255 dmz
telnet 184.108.40.206 255.255.255.255 dmz
telnet 220.127.116.11 255.255.255.255 dmz
telnet 18.104.22.168 255.255.255.255 dmz
telnet 22.214.171.124 255.255.255.255 private
telnet timeout 5
ssh timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptppool
vpdn group 1 client configuration wins 126.96.36.199 188.8.131.52
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username MARK password MARK
vpdn username TUMI\PPTPTest password PPTP
vpdn username TUMI_GERMANY\PPTPTest password PPTP
vpdn username GCS-NASHUA password condor
vpdn username TUMI\MARK password MARK
vpdn username SLW\SLW-VPN-PPTP password SLW-VPN-PPTP
vpdn username TUMI-VPN password charliec
vpdn username TUMI\TUMI-VPN password charliec
vpdn enable outside
terminal width 150
Note: I am also trying to support Cisco Secure VPN client 1.1 until we get the new VPN client working.
I have the VPN client working (at least on Win98) and browsing the Network Neighborhood. I think the key to browsing the Network Neighborhood is to release the IP address bound to network adapters in the remote PC. In Win 98, there is a registry hack that does this; not sure on Win95, Win2k, or XP. Since I'm not exactly sure what statements are needed in the PIX config, I'm not posting it now. As soon as I figure out which ones are not needed, I'll post a copy of my config.
Your PIX is configured for PPTP. You have listed your outside and inside IPs. Your network topology would not be hard to figure out. You have also listed your PPTP usernames and passwords.
When posting to the Internet, always mask your real IPs and all passwords.
I would consider these passwords compromised, and change them immediately.
Hmm... if I recall correctly, I had to allow UDP ports 137, 138 and 139 on my PIX some time ago... to make this work...
Not too sure now, since it's been some time since I've worked on this part.
Since Network Neighbourhood uses NetBIOS broadcasts for name resolution and for locating the computers within its reach, you may need to allow this protocol. Remember the master browser stuff and all that.
Try allowing netbios protocols by allowing protocols 137, 138 and 139 as the last post said.
I have succeeded in getting the VPN client to work on Win95, Win98, and XP; haven't tried on Win2k yet, don't expect any problems.
To browse the network, the VPN client must be able to route to the PDC (domain master browser); I had a routing issue preventing that at first; once I fixed that, browsing was not a problem.
I did not set up any new conduits for UDP ports (see my previously posted config) so I don't think they are necessary. Perhaps this is because I have a WINS server on the segment that the VPN client connects to. My PDC is also a WINS server.
There are a few kinks to getting the VPN client to work that Cisco doesn't mention in their documentation. I already mentioned the Win 95/98 registry hack to release DHCP leases at shutdown. On XP, you must set the DUN entry for use by anyone or you can't select it in the VPN client. To browse the network, you must manually enable Client for MS Networks. You also have to go into the Internet Protocol (TCP/IP) advanced properties and enable NetBios over TCP. The default settings on these two are off. It would be nice if Cisco would include this info in their documentation (hint, hint).
Quick question. By enabling these ports would that make you more susceptible to DOS attacks?
We run a pure TCP/IP network, do not have any MS BIOS protocol running, and do not have any of the ports open that have been posted in this mail list (I would not open them for security reasons).
We use a CISCO VPN 3005 w/triple-des. If you contact me directly I would be more than happy to share some of our setup.
It seems to be working now. Like you, we have not opened any ports (not specifically for this anyway), we only run NetBios over TCP/IP, not as a separate protocol. So far I have tested on Win9x, Win2k, and XP Pro. All seem to work fine. I have some questions about Win XP Home - whether it will be able to log onto our NT domain or not.
The big thing was figuring out the settings that Cisco doesn't include in their documentation relating to DUN entries, etc.
Thanks for your interest.
We are using a pair of PIX 515s in a failover configuration. VPN clients use either the VPN Client 3.x or IOS routers. I may use the VPN hardware client at some locations.
There is no need to make any allowances for the NetBIOS ports 137-139 as suggested in the thread. This would be required if going through the PIX, not through the VPN.
Ensure the client is able to ping the WINS server.
Ensure the client is not trying to route through a previous IP address; see http://cisco.com/warp/public/471/ms_route.html for more info.
I'm currently experiencing difficulties in enabling VPN Client 3.x to show computers in the remote Network Neighborhood. I've tried all the suggestions within this conversation with no success.
I am able to access our network via vpn and ping our PDC and WINS server. Client for MS network and file/print sharing are installed.
What have I missed out???
Thanks in advance.
What OS are you running on the VPN client? What version of the VPN client are you using? If you have "vpngroup" statements in your PIX config, are you sending the WINS and DNS server addresses in the PIX config? Can you ping the PDC and/or WINS servers by name?
Thanks for your effort. I can now access the different resources on our network.
The OS is Win98 and VPN Client 3.51. All I did was, within Windows 98, configure it to log me onto the domain and give it our domain name. Once I'm on the domain I can then map to the different servers.
I'm having the same problem. I am able to ping a device on the network by name and by IP address but I am not able to browse the Network Neighborhood. However, if I connect by VPN using a PC with previously mapped drives, I am able to access those drives.
I have tried opening up the NetBios ports but that didn't do it. I am able to access everything else on the network.
For those who got it working, did you make any other changes to the client or Firewall? Any other ideas or suggestions?
What OS are you running (Win9x, WinNT/2k/XP)?
Do you have a domain controller or WINS server on the subnet you are connecting to?
When you connect, do you get a Windows network logon screen (Username, password, domain)?
After you connect, check your IP config (Windows 9x > Start|Run|"winipcfg", Windows NT/2K/XP > Command prompt|"ipconfig /all"). Look to see if you are picking up the WINS server address(es). Also, make sure you have the Client for Microsoft Networks in your network settings.
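The check described above (look at `ipconfig /all` after connecting and confirm the VPN adapter picked up a WINS server address and has NetBIOS over TCP/IP enabled) can be automated when you are supporting several remote users. The script below is an added example, not part of this thread and not a Cisco tool: it parses the `ipconfig /all` text of Windows NT/2000/XP, finds the adapter whose description mentions "VPN", and reports the two conditions the thread identifies as browsing blockers. The sample output, the adapter name, the 10.0.254.x / 10.0.252.x addresses and the `SAMPLE_IPCONFIG` name are constructed for the example; the field labels follow the XP `ipconfig /all` layout.

```python
import re

# Constructed sample in the shape of Windows XP "ipconfig /all" output.
# The VPN adapter here got an address but no WINS server, and NetBIOS over
# TCP/IP is disabled: exactly the two things the thread says to look for.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : remote-pc
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Cisco Systems VPN Adapter
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.0.254.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 10.0.252.10
        NetBIOS over Tcpip. . . . . . . . : Disabled
"""

# "Label . . . . : value" lines; the dot leaders and padding are discarded.
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 /()-]*?)[\s.]*:\s*(.*?)\s*$")


def parse_ipconfig(text):
    """Return {section_name: {field_label: [values...]}}.

    Multi-valued fields (several DNS/WINS servers) appear in ipconfig as
    indented continuation lines without a colon; they are appended to the
    previous field.
    """
    sections = {}
    current = None
    last_key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            # Section header, e.g. "Ethernet adapter Local Area Connection:"
            current = raw.rstrip().rstrip(":")
            sections[current] = {}
            last_key = None
            continue
        match = FIELD.match(raw)
        if match and current is not None:
            last_key = match.group(1)
            sections[current][last_key] = [match.group(2)] if match.group(2) else []
        elif current is not None and last_key is not None:
            sections[current][last_key].append(raw.strip())
    return sections


def check_vpn_adapter(sections):
    """Return a list of findings for the first adapter whose description mentions VPN."""
    for name, fields in sections.items():
        description = " ".join(fields.get("Description", []))
        if "VPN" not in description.upper():
            continue
        findings = []
        if not fields.get("IP Address"):
            findings.append("%s: no IP address assigned by the VPN gateway" % name)
        if not fields.get("Primary WINS Server"):
            findings.append("%s: no WINS server address received; check the "
                            "wins-server setting pushed by the gateway" % name)
        nbt = " ".join(fields.get("NetBIOS over Tcpip", []))
        if nbt.lower().startswith("disabled"):
            findings.append("%s: NetBIOS over TCP/IP is disabled on the adapter" % name)
        return findings
    return ["no adapter with 'VPN' in its description was found"]


if __name__ == "__main__":
    for finding in check_vpn_adapter(parse_ipconfig(SAMPLE_IPCONFIG)) or ["VPN adapter looks fine"]:
        print(finding)
```

On a real machine, save `ipconfig /all > ipconfig.txt` and feed that file's contents to `parse_ipconfig` instead of the constructed sample; an empty findings list means the adapter has an address, a WINS server and NetBIOS over TCP/IP enabled, so the remaining suspects are routing to the domain master browser and the Client for Microsoft Networks setting.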
I have some clients on Win2k and some on WinXP. There's a domain controller and WINS server on the network I'm connecting to.
I'm using NT domain authentication on the VPN concentrator. When I log in through VPN, I am prompted for a username/password/domain. I am able to successfully login to the network using NT authentication.
I have also enabled NetBIOS over TCP/IP and have Client for Microsoft Networks in the network settings. It doesn't seem like I'm picking up the WINS server addresses even though they are configured on the Concentrator. However, I have manually put the WINS ip addresses into my network settings.
Hope this clarifies my issue. Any other suggestions?
Just need clarification: are you having problems accessing your network resources, i.e. via mapped drives, or are you having problems browsing the other workstations on your network?
On our setup we can map to network resources but can't browse the other workstations on our network via network neighborhood.
I am able to map drives on the network and get to them fine. However, I cannot browse other workstations on the network using network neighborhood.
Seems like you have the same problem I do.
I used Win98 with VPN Client 3.5.1, a VPN 3005 as concentrator and a Win2k as domain controller and WINS server.
It was impossible to browse the network; I could only map drives.
Does anyone have an idea why?
Did you make sure to release any DHCP IP addresses before starting the VPN client? On Win 9x you must do this in order to browse the network neighborhood. There is a registry hack on Microsoft's KB that does this for you.