PIX Firewall Browsing Issue

Recently we installed a pix 515 firewall with vpn connection. The segment of the network that the pix is on cannot browse through "my network places ". We can map and browse through explorer for files and folders, but cannot browse computers in the domain only on the one segment that has the pix installed.

Help?

 

Can you connect to a resource even if you can't browse it up via Network Stuff In My General Area (or whatever term your network uses for this)?

For instance, if Server_C is on a segment you can't 'see' and has a share called MyShare, will start~run~\\Server_C\MyShare open an explorer window to that share?

 

Can't offer any real solutions .. but did run across this at Cisco / Cisco experts ..
100 QUESTIONS AND ANSWERS ON SSL-VPN. It includes pix 515 firewall info.
PDF format
HTML view

 

This is advise rather than help - be very careful about mapping drives to servers over a VPN link. Windows utilises network traffic to maintain an active mapping and does things like look ahead when it thinks you may want to access files on a mapped share. If your VPN link is slow, mapped drives will add unnecessary WAN traffic. Also more obviously users will see significant performance degradation in applications like Windows Explorer (because when you open Explorer it will look look ahead at your mapped drives, so you wait while Explorer has a quick look at your slow mapped drives even if all you wanted to do was access a file on you C: drive).

Also don't forget that if you are connecting via ADSL at each end of the VPN, the connection speed will be at the speed of the slowest part of the asynchronous link - that's usually half a mega, no matter how fast your ADSL is for download. So VPN is usually a very slow link. You need to think carefully about what services you run over it. Relying on users being able to browse the remote network as your main remote access option is not a good policy. Rather use few well defined services.

 

Pix

Thank you for the info. Reggie. We are not even using the VPN yet, but, I will keep those things in mind. This browsing issue is inside on our network. For some reason I cant see other computers in my network places. It is causing issues in program like veritas. I cant see the other servers that I wish to back up and things like that.

 

Yes I can connect to resource.

 

I never use the Network Places thing. Too many machines on the network and it just isn't workable. That has left me a little hazy on the topic but I seem to remember that the feature depends on file & printer sharing which means a group of ports need to be open.

Check the status of
UDP 137, UDP 138, UDP 445, and TCP 139, and TCP 445.

If any of those are blocked, open them. That may well fix you right up. If not, I'll do some serious digging.

Meanwhile, from a cmd prompt try Net View and see if all the machines on whatever domain you specify are listed.

 

Using network places to browse isnt really the issue. It is that some programs like veritas cannont connect to and back up other servers because the browse feature is not working.

When I try net view I the following error:

System erro 6118 has occurred.

The list of servers for this workgroup is not currently available.

 

UDP 137, UDP 138, UDP 445, and TCP 139, and TCP 445.

All of these ports are open!! This is a tough one!

 

Ah so. The 6118 error with Net View helps nail down the cause.

Do any of your PCs have browser service running? At least one of them needs to and maybe two just to have a backup. I don't suggest having it running on all of them though.

If you have a workgroup, it will need to have the exact same name as the domain you want to look at.

You may need to open all ports, TCP & UDP, from 135 to 139.

 

I have a master browser server and 2 backups. The problem is the pc's cant see them properly I think.

 

How about these?

 

These ports are open on the firewall. I only have a domain. There is no workgroup.

 

All computers can browse fine, except the ones that are behind this firewall. The master browser which is also on this segment can browse just fine. We turned off ARP proxy on the firewall. I dont know what else to do.

 

I've come back to this after a few days absent and I'm confused. How is the segment with the firewall, connected to the rest of the network? There seem to be three options:

1. The firewall segment is connected to the rest of the network directly. The firewall just happens to be on this segment, but traffic doesn't pass through it to get to the rest of the network. This seems the least likely option or you would not be messing around with port settings on the firewall
2. The firewall segment is connected to the rest of the network via the firewall. The firewall is directly connected to the rest of the network and the segment. This appears to be the network configuration that Newt is assuming I think and would make sense if you are securing an accounts department network or an area used by another company.
3. The internet or other WAN is between the firewall segment and the rest of the network. If this is the case it may be a WAN related problem.

Could you confirm which configuration you are using (or indeed if none of these apply). If option 3, can you tell us the type of WAN connection.

Another thing I'd look at is your DNS set up. The computers on the Firewall segment: which DNS server do they use? In one posting you indicate that there might be a server on the Firewall segment. If so how is DNS set up on that server (is it root, part of the main DNS tree, or not a DNS server)?