Communicate between subnets

Hello,

We have a pix 515 firewall setup with an inside, outside, and DMZ. Our
win2k3 webserver is on the dmz on one subnet, and the clients and the win2k3
ad domain controller along with the clients are on the inside. Machines on
the inside can connect to the dmz via unc path, but you can not browse to
them. Mac clients can not connect to them at all.

I have spent countless hours troubleshooting this issue with cisco, and I'm
starting to think it is something with out windows configuration, possibly
hostfiles. Any insight would be appreciated.

-Matt

Well, we migrated to AD in January and are trying to do away with WINS. All
of our servers are either 2k or 2k3, all clients are xp or 2k. If there is a
way to address this with out WINS that would be preferred. I should also
mention this started happening while WINS was still running (but after we
had migrated to AD). Any other thoughts?

-Matt


On 4/29/05 10:51 AM, in article (E-Mail Removed),
"Robert L [MS-MVP]" <(E-Mail Removed)> wrote:

> sounds like computer browser issue. you may try to use WINS server.
> For more and other information, go to http://howtonetworking.com.
>
> Don't send e-mail or reply to me except you need consulting services. Posting
> on MS newsgroup will benefit all readers and you may get more help.
>
> Bob Lin, MS-MVP, MCSE & CNE
> How to Setup Windows, Network, Remote Access on http://www.HowToNetworking.com
> Networking, Internet, Routing, VPN Troubleshooting on
> http://www.ChicagoTech.net
> This posting is provided "AS IS" with no warranties.
>
> I recommend Brinkster for web hosting!
> <http://www.brinkster.com/redirect.as...p;redirect=/ho
> sting/hosting.aspx>
>>
>> "Matt Laufer" <(E-Mail Removed)> wrote in message
>> news:BE97A1AA.9FCF%(E-Mail Removed)...
>> Hello,
>>
>> We have a pix 515 firewall setup with an inside, outside, and DMZ. Our
>> win2k3 webserver is on the dmz on one subnet, and the clients and the win2k3
>> ad domain controller along with the clients are on the inside. Machines on
>> the inside can connect to the dmz via unc path, but you can not browse to
>> them. Mac clients can not connect to them at all.
>>
>> I have spent countless hours troubleshooting this issue with cisco, and I'm
>> starting to think it is something with out windows configuration, possibly
>> hostfiles. Any insight would be appreciated.
>>
>> -Matt
>

sounds like computer browser issue. you may try to use WINS server.
For more and other information, go to http://howtonetworking.com.

Don't send e-mail or reply to me except you need consulting services. Posting on MS newsgroup will benefit all readers and you may get more help.

Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, Remote Access on http://www.HowToNetworking.com
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
This posting is provided "AS IS" with no warranties.
I recommend Brinkster for web hosting!

"Matt Laufer" <(E-Mail Removed)> wrote in message news:BE97A1AA.9FCF%(E-Mail Removed)...
Hello,

We have a pix 515 firewall setup with an inside, outside, and DMZ. Our
win2k3 webserver is on the dmz on one subnet, and the clients and the win2k3
ad domain controller along with the clients are on the inside. Machines on
the inside can connect to the dmz via unc path, but you can not browse to
them. Mac clients can not connect to them at all.

I have spent countless hours troubleshooting this issue with cisco, and I'm
starting to think it is something with out windows configuration, possibly
hostfiles. Any insight would be appreciated.

-Matt

Re: Communicate between subnetsYou can't eliminate WINS regaurdless of AD.
Network Browsing is a Netbios technology.

Please post in "plain text" format when posting to newsgroups.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

"Matt Laufer" <(E-Mail Removed)> wrote in message
news:BE97B5EA.A729%(E-Mail Removed)...
Well, we migrated to AD in January and are trying to do away with WINS. All
of our servers are either 2k or 2k3, all clients are xp or 2k. If there is a
way to address this with out WINS that would be preferred. I should also
mention this started happening while WINS was still running (but after we
had migrated to AD). Any other thoughts?

-Matt


On 4/29/05 10:51 AM, in article (E-Mail Removed),
"Robert L [MS-MVP]" <(E-Mail Removed)> wrote:


sounds like computer browser issue. you may try to use WINS server.
For more and other information, go to http://howtonetworking.com.

Don't send e-mail or reply to me except you need consulting services.
Posting on MS newsgroup will benefit all readers and you may get more help.

Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, Remote Access on
http://www.HowToNetworking.com
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
This posting is provided "AS IS" with no warranties.

I recommend Brinkster for web hosting!
<http://www.brinkster.com/redirect.as...amp;redirect=/
hosting/hosting.aspx>


"Matt Laufer" <(E-Mail Removed)> wrote in message
news:BE97A1AA.9FCF%(E-Mail Removed)...
Hello,

We have a pix 515 firewall setup with an inside, outside, and DMZ. Our
win2k3 webserver is on the dmz on one subnet, and the clients and the
win2k3
ad domain controller along with the clients are on the inside. Machines on
the inside can connect to the dmz via unc path, but you can not browse to
them. Mac clients can not connect to them at all.

I have spent countless hours troubleshooting this issue with cisco, and I'm
starting to think it is something with out windows configuration, possibly
hostfiles. Any insight would be appreciated.

-Matt

As Phillip said, browsing is a Netbios based process, so whether AD is
there or no has no effect. Computer browsing still works as it did with NT,
using the Netbios names. Your first/only DC will still be the Domain Master
Browser (like the NT PDC) and you still need WINS to enable browsing across
routers. Only WINS allows the DMB to find the segment browsers and build the
network-wide browse list.

I am not sure why you want the machines in the DMZ to be able to browse.
I would expect Netbios to be restricted to the private LAN.

Phillip Windell wrote:
> Re: Communicate between subnetsYou can't eliminate WINS regaurdless
> of AD. Network Browsing is a Netbios technology.
>
> Please post in "plain text" format when posting to newsgroups.

"Matt Laufer" wrote:

> Hello,
>
> We have a pix 515 firewall setup with an inside, outside, and DMZ. Our
> win2k3 webserver is on the dmz on one subnet, and the clients and the win2k3
> ad domain controller along with the clients are on the inside. Machines on
> the inside can connect to the dmz via unc path, but you can not browse to
> them. Mac clients can not connect to them at all.
>
> I have spent countless hours troubleshooting this issue with cisco, and I'm
> starting to think it is something with out windows configuration, possibly
> hostfiles. Any insight would be appreciated.
>
> -Matt
>
>

Hi:

Did you install windows 2003 sp1? I have heard of a similar situation with a
pix firewall where a win2003 machine after having had sp1 installed looses
its default gateway on the interface connected to the pix firewall. It's
driving the IT staff wild. There may be a problem with sp1 for windows 2003
and multiple nics. See dell forum.

http://forums.us.dell.com/supportfor...essage.id=2322

Actually Wins was still running after we migrated to AD. We need to browse
to the webserver from the inside to access files that are worked on (i.e.
Extranet sites). It is a lot faster and easier than FTP which we are forced
to use now.


On 4/29/05 8:22 PM, in article #(E-Mail Removed), "Bill
Grant" <not.available@online> wrote:

> As Phillip said, browsing is a Netbios based process, so whether AD is
> there or no has no effect. Computer browsing still works as it did with NT,
> using the Netbios names. Your first/only DC will still be the Domain Master
> Browser (like the NT PDC) and you still need WINS to enable browsing across
> routers. Only WINS allows the DMB to find the segment browsers and build the
> network-wide browse list.
>
> I am not sure why you want the machines in the DMZ to be able to browse.
> I would expect Netbios to be restricted to the private LAN.
>
> Phillip Windell wrote:
>> Re: Communicate between subnetsYou can't eliminate WINS regaurdless
>> of AD. Network Browsing is a Netbios technology.
>>
>> Please post in "plain text" format when posting to newsgroups.
>
>

I would not use computer browsing for that. You really don't want the
Netbios ports open between the private LAN and the DMZ.


Matt Laufer wrote:
> Actually Wins was still running after we migrated to AD. We need to
> browse to the webserver from the inside to access files that are
> worked on (i.e. Extranet sites). It is a lot faster and easier than
> FTP which we are forced to use now.
>
>
> On 4/29/05 8:22 PM, in article #(E-Mail Removed),
> "Bill Grant" <not.available@online> wrote:
>
>> As Phillip said, browsing is a Netbios based process, so whether
>> AD is there or no has no effect. Computer browsing still works as it
>> did with NT, using the Netbios names. Your first/only DC will still
>> be the Domain Master Browser (like the NT PDC) and you still need
>> WINS to enable browsing across routers. Only WINS allows the DMB to
>> find the segment browsers and build the network-wide browse list.
>>
>> I am not sure why you want the machines in the DMZ to be able to
>> browse. I would expect Netbios to be restricted to the private LAN.
>>
>> Phillip Windell wrote:
>>> Re: Communicate between subnetsYou can't eliminate WINS regaurdless
>>> of AD. Network Browsing is a Netbios technology.
>>>
>>> Please post in "plain text" format when posting to newsgroups.