New Member

Can't access Windows shares (ex: \\IP@) through site-to-site VPN tunnels

Hi,

On a 3-site WAN, we have replaced ISDN connections with site-to-site VPNs over an ADSL Internet connection (using Cisco 827 routers).

Although the VPN tunnels establish successfully and work fine for ping (~120 ms), FTP, TFTP, etc., we have issues when trying to access a remote machine's shared folders via \\192.168.102.250 or "net view \\192.168.102.250", while this worked fine when using ISDN.

The error we get is mostly "Network path not found". Mostly, because sometimes we get a response after 10 to 15 minutes and the shared resources window finally pops up.

We've unsuccessfully tried with no access-list/firewall rules or with the client's MTU set to 1400. We've registered the IP address/name in the LMHOSTS/HOSTS files (and we can ping the 192.168.102.250 host by its NetBIOS name).

From site 2 to site 1, the equivalent request (\\192.168.101.250) works! (This is the only one).

We are pretty sure that it is not a system-related (WINS, NT, ...) issue since it works perfectly with the ISDN connections without changing anything other than the routers.

We desperately need to have Windows shares working!

Thanks in advance for your precious help,

PS: below, the running config for site 1 (sites 2 and 3 are nearly the same)

----------

!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname router827_site1
!
enable password ****
!
username **** password ****
ip subnet-zero
no ip domain-lookup
ip domain-name ****.fr
ip name-server 193.252.x.y
ip name-server 193.252.x.y
!
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 900
ip ssh time-out 120
ip ssh authentication-retries 3
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key **** address 80.14.x.y
crypto isakmp key **** address 80.11.x.y
!
!
crypto ipsec transform-set dsltest esp-3des esp-md5-hmac
!
crypto map test 10 ipsec-isakmp
 set peer 80.11.x.y
 set transform-set dsltest
 match address 101
crypto map test 20 ipsec-isakmp
 set peer 80.14.x.y
 set transform-set dsltest
 match address 102
!
!
!
interface Ethernet0
 description Reseau local
 ip address 192.168.101.1 255.255.255.0
 ip access-group LAN_in in
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
!
!
interface Dialer1
 ip address negotiated
 ip access-group Dialer1_in in
 ip mtu 1492
 ip nat outside
 ip inspect myfw out
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 ppp authentication pap chap callin
 ppp chap hostname ****
 ppp chap password ****
 ppp pap sent-username **** password ****
 crypto map test
!
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.2.0 255.255.255.0 192.168.101.2
ip route 192.168.104.0 255.255.255.0 192.168.101.2
no ip http server
ip pim bidir-enable
!
!
ip access-list extended Dialer1_in
 deny ip 192.168.101.0 0.0.0.255 any
 permit esp any any
 permit udp any any eq isakmp
 permit icmp any any echo-reply
 permit icmp any any echo
 permit tcp any any eq 22
 deny ip any any log
ip access-list extended LAN_in
 permit ip 192.168.101.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
 deny ip any any log
!
access-list 1 permit 192.168.101.0 0.0.0.255
access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 102 permit ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 105 deny ip 192.168.101.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 105 deny ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 105 deny ip 192.168.2.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 105 deny ip 192.168.2.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 105 permit ip 192.168.101.0 0.0.0.255 any
access-list 122 permit tcp any any eq 22
route-map nonat permit 10
 match ip address 105
!
!
line con 0
 exec-timeout 15 0
 password ****
 login
 stopbits 1
line vty 0 4
 access-class 122 in
 exec-timeout 15 0
 login local
 length 0
!
scheduler max-task-time 5000
end

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Re: Can't access Windows shares (ex: \\IP@) through site-to-site

Hi,

Try using ip tcp adjust-mss 1200 on the E0 interface on both (site1 and site2) routers.

You can also try:

crypto ipsec clear df-bit

Thx

Afaq
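An added example, not from the thread, that models why the tuning suggested here matters: it computes the on-the-wire size of a full TCP segment after tunnel-mode ESP with the posted transform set (esp-3des esp-md5-hmac) against the ip mtu 1492 of the PPPoE dialer, for the default Ethernet MSS, the client MTU 1400 the poster tried, and the MSS 1200 proposed above. Assumed sizes (not stated on the page): 8-byte 3DES IV, 12-byte HMAC-MD5-96 ICV, no IP or TCP options.

```python
# Added example (not from the thread). Models ESP tunnel-mode overhead for the
# transform set in the posted config (esp-3des esp-md5-hmac) over a PPPoE link
# whose Dialer1 interface carries "ip mtu 1492".
# Assumptions: 3DES block and IV are 8 bytes, HMAC-MD5-96 ICV is 12 bytes,
# inner and outer IPv4 headers and the TCP header carry no options.

IP_HDR = 20          # IPv4 header without options (used for inner and outer)
TCP_HDR = 20         # TCP header without options
ESP_HDR = 8          # SPI + sequence number
PPPOE_MTU = 1492     # "ip mtu 1492" on Dialer1 in the posted config


def pad_to_block(length, block=8):
    """ESP pads (payload + 2-byte trailer) up to a multiple of the cipher block."""
    return -(-length // block) * block


def esp_tunnel_size(inner_len, block=8, iv_len=8, icv_len=12):
    """Bytes on the wire for an inner IP packet of inner_len bytes in ESP tunnel mode.

    Layout: outer IP | ESP header | IV | enc(inner packet + pad + 2-byte trailer) | ICV
    """
    encrypted = pad_to_block(inner_len + 2, block)
    return IP_HDR + ESP_HDR + iv_len + encrypted + icv_len


def segment_fits(mss, path_mtu=PPPOE_MTU):
    """True if a full-size segment with this MSS leaves the dialer without fragmenting.

    Windows sets DF on TCP; in tunnel mode IOS copies DF to the outer header, so a
    segment that does not fit is dropped (or ICMP-signalled) unless the df-bit clear
    setting from the reply above lets the router fragment after encryption.
    """
    return esp_tunnel_size(IP_HDR + TCP_HDR + mss) <= path_mtu


def max_mss(path_mtu=PPPOE_MTU):
    """Largest MSS whose full-size segment still fits path_mtu after ESP encapsulation."""
    mss = path_mtu
    while mss > 0 and not segment_fits(mss, path_mtu):
        mss -= 1
    return mss


if __name__ == "__main__":
    cases = (("Ethernet default", 1460), ("client MTU 1400", 1360), ("adjust-mss 1200", 1200))
    for label, mss in cases:
        size = esp_tunnel_size(IP_HDR + TCP_HDR + mss)
        print(f"{label:17} MSS {mss}: {size} bytes on the wire, fits={segment_fits(mss)}")
    print("largest MSS that fits without fragmentation:", max_mss())
```

Clamping on E0 rewrites the MSS in SYNs crossing the LAN interface in both directions, so it also covers replies from the remote file server, which a client-side MTU change alone does not.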

New Member

Re: Can't access Windows shares (ex: \\IP@) through site-to-site

Thank you Afaq.

Your ideas solved part of the problem. We also had to create a proper WINS architecture because we had name resolution issues (even when using \\IP@, the NetBIOS name must be known to access the shared resources) and the broadcast resolution method won't work over VPN.

Thank you again,

Sven
