CCNP forum archive, July 2001
logging into NT over Cisco VPN
I have set up a Cisco site-to-site VPN and I can ping both sides just fine. I have a Windows client on the remote side that can ping the Windows server by IP address and by name, but it cannot log in. It comes back and says no domain server can be found. What am I missing here? I know I have read something about this before but I am drawing a blank.
depamo 2001-07-27, 7:49 am
Did you have your NT network working before the VPN? Have there been any changes to the network since you started the VPN, and are you using NAT or PAT where the VPN would have to cross these types of translation boundaries prior to being decrypted?
Retired-Mod 2001-07-27, 5:55 pm
Hard to believe that techs can make a post without producing enough info for a proper answer to be provided. This is not a slam against this post alone, because it is an all too frequent occurrence everywhere, and I can only conclude (what I already know) there are too many people doing stuff that they have no clue about, but they still wanna be paid top dollar...go figger
Retired
hmmmmmmmm.....OK, if that is how you feel you are entitled to say what you want. I don't agree with what you said but it's your right to post your thoughts.
Retired-Mod, you said:
I can only conclude (what I already know)
there are too many people doing stuff that they have no clue about, but they still wanna be paid top dollar...go figger
Why would you even associate this comment with my post?
And yes, the NT network is fine on the local LAN. My question relates to the Cisco VPN.
strikeattack 2001-07-28, 8:20 am
Okay, I will try and tackle this one...
1. The first thing you want to make sure of is that your NT server is validating logins without using VPN. VPN adds a whole new set of variables that you only want to take on once you know that what you have is working.
2. The second thing is make sure that you grant your users DIAL-IN access on the PDC. This is not done by default, and users must have dial-in access under User Manager for Domains in order to come in via VPN. This is because VPN is more of an extension to RAS than an entirely new service. And, of course, RAS requires dial-in access.
3. If I had to take a guess as to what your problem is, you may want to try this. Windows 95/98 can log either into the domain, or the server. This is the option that asks you if the name you typed in is a NETBIOS name or a DOMAIN name. Try setting this to the server instead. This setting is under CONTROL PANEL > NETWORKING, and it is the third tab (can't remember the name, doing this from memory).
If it is a WinNT machine, you are a member of the domain, right?
If it is a W95/98 machine, you do have the domain selected under Client for Microsoft Networks properties, right? Thought so. Just checking.
4. If that does not work, try implementing a WINS server or writing a quick LMHOSTS file. I know you said name resolution is working fine, but you may want to try this anyway.
5. Make sure your firewall is not filtering packets. I would open it all up to begin with, get it working, and then lock all ports down and only open up the ones you need.
Hope this helps. I am going off of very limited information. If you want us to help you further, please provide lots of technical information. Let us know if this helped at all.
strikeattack 2001-07-28, 8:22 am
Ugh... you posted your last post just as I submitted mine. If it is Cisco VPN, what VPN equipment are you using?
OK, this is what I set up.

On the host side there is a T1 and a Cisco 1600 router that is the gateway router. This router does not have any NAT or firewalling on it; it's just the connection to the internet. Next I have a Cisco PIX 515 that is serving as a firewall and a VPN device. I have the Cisco VPN client that sits on remote laptops that works fine. The user will connect to their local ISP via dialup and then use the Cisco VPN to connect to my PIX; after that is done they log into NT.

Now I have a remote site that has about 8 people that need to connect to the NT server. The only means of internet they have is ADSL, which is networked and gets a dynamic IP address from the ISP. As everyone knows, each user will not be able to have the client on their workstation and connect back to the main network via VPN because of the problems with PAT translation. So this is what I did: I installed a Cisco 827 router to connect them to the internet via ADSL (which works great, by the way, after you get the right PVC numbers for ADSL). Now here came the hard part: making the Cisco 827 ADSL router that gets a DHCP address establish a VPN tunnel back to the PIX, but nevertheless I was able to make it work with some help. This was not documented that well. Now I can have many users that are on a 10.10.10.0/24 network ping a 10.10.11.0/24 network all day long, routing fake IP addresses over the internet via VPN.... It's real cool if you think about it, also the savings the customer will get with ADSL in place of frame relay.

I can use the WINS of the main NT server and resolve names and LMHOSTS files, but it still won't log me on. So the network is there and working, but just this one little problem. I might just reboot the server this weekend. So to recap, there is no client software for VPN on a site-to-site VPN, just on client-to-site VPN. I hope this is enough info.
depamo 2001-07-28, 6:36 pm
First, that is some pretty cool thinking on the DSL; hope you can get this working so I can add it to my tricks bag, never tried that before.
But back to troubleshooting. Since the ping made it through, the route is working enough to get packets from here to there and back again through the VPN. I would see what a traceroute would show to identify which known hops are occurring; this should limit the scope of the problem. Since it is a VPN, you should only see the entry point, exit point and whatever is between your NT Server and the PIX. If this is doing what is expected also, it can only be one of two issues: the computer cannot make a TCP connection on the respective port with the NT Server, or the packets are being altered enough to keep the NT Server from returning the authentication.
First check on the ports.
Here are the Microsoft-identified ports used during this exchange:
  Logon Sequence: UDP 137, 138; TCP 139
  NetLogon: UDP 138
  Pass Through Validation: UDP 137, 138; TCP 139
These ports are also used for much of the information sharing between the NT Server and clients. You can get a free port scanner from SolarWinds and, from the client side, check and see if the NT Server is listening on these ports. If you cannot get a response (UDP, TCP port probe) then one of the devices between your NT Server and the client is blocking that traffic (I would suspect the PIX). If they do get through and you get a listening response, then this turns into an application issue with your method of translation across the VPN with regard to altering the packet. Options to fix this would be to alter your encryption methods. These would include ESP in Tunnel or Transport mode to protect as much of the packet as possible from alterations during translations.
Some other things to check would be to see if the computer is registering with the WINS server, as a quick look to see if anything is getting through. Windows systems should attempt to register with the WINS prior to logon.
Hope that some of this helps, and good luck with your system. If you find the answer, post it so I can see what you checked.
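One way to do the client-side port check depamo describes without a third-party scanner, as an added example that is not code from this thread: it connects to TCP 139 and sends a unicast NetBIOS node-status query (what `nbtstat -A` does) to UDP 137, since a filtered UDP port simply stays silent. The NT server's address (e.g. 10.10.11.x) is an assumption you supply; run it from a workstation at the remote site.

```python
import socket
import struct

NBSTAT_TYPE = 0x0021          # NetBIOS node-status (NBSTAT) query type
NB_CLASS_IN = 0x0001

def encode_netbios_name(name: str, suffix: int = 0x00, pad: bytes = b" ") -> str:
    """First-level encode a NetBIOS name: 16 raw bytes -> 32 letters A..P."""
    raw = name.upper().encode("ascii").ljust(15, pad) + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)

def build_nbstat_query(txid: int) -> bytes:
    """Unicast node-status query for the wildcard name '*' (flags 0, one question)."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = encode_netbios_name("*", pad=b"\x00").encode("ascii")
    question = bytes([len(qname)]) + qname + b"\x00"
    return header + question + struct.pack(">HH", NBSTAT_TYPE, NB_CLASS_IN)

def is_nbstat_reply(data: bytes, txid: int) -> bool:
    """True if data is a name-service response to our transaction carrying an answer."""
    if len(data) < 12:
        return False
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    return rid == txid and bool(flags & 0x8000) and ancount >= 1

def probe_netlogon_ports(host: str, timeout: float = 2.0) -> dict:
    """Check the NT logon ports from the client side of the tunnel.
    TCP 139: a plain connect() suffices. UDP 137: only an answered query proves
    reachability. UDP 138 (datagram service) never answers unicast probes, so it
    is not tested here; a packet capture on the server side covers it."""
    results = {}
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, 139))
            results["tcp/139"] = True
        except OSError:               # refused, unreachable or timed out
            results["tcp/139"] = False
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_nbstat_query(txid), (host, 137))
            data, _ = s.recvfrom(2048)
            results["udp/137"] = is_nbstat_reply(data, txid)
        except OSError:               # no reply within the timeout
            results["udp/137"] = False
    return results
```

Call `probe_netlogon_ports("10.10.11.5")` (assumed server address) from the remote LAN; a False for either port points at a filter between the client and the server, most likely on the PIX as depamo suggests.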
I will look at the port numbers you gave me on Monday. Thanks for all of the troubleshooting tips you gave me. I will work on this and give you an update.