02-21-2009 01:50 PM
I set up XAuth on the NS5GT appliance and on the client. I am able to connect with the client successfully, but I am unable to ping any devices on the LAN by IP or by name, which I would like to do.
I have both NAT-T and UDP checksum enabled in the VPNs > AutoKey Advanced > Gateway > Edit section.
I also tried unchecking them.
Firmware version is 5.3.0r4.0 (in case anyone needs to know); not certain if that is important.
The internal LAN IP scheme is 192.168.2.0. I used an authIP pool of 192.168.200.X.
As mentioned, I can authenticate with no issues, and I can also see in the log where I attempt to ping the device:
2009-02-21 16:36:09 192.168.2.200:137 192.168.2.115:137 192.168.2.200:137 192.168.2.115:137 NETBIOS (NS) 204 sec. 3444
As you can see, I am trying to ping 192.168.2.115.
I feel like I am close. Any suggestions, hints or tips? I would really like to ping the devices by name resolution.
Below is the log of my connection (not sure how legible it will be, since this forum will strip off the HTML):
2009-02-21 16:40:52 info IKE<myipscrubbed> Phase 2 msg ID <c5fda546>: Completed negotiations with SPI <b5215a19>, tunnel ID <14>, and lifetime <3600> seconds/<0> KB.
2009-02-21 16:40:52 info IKE<myipscrubbed> Phase 2 msg ID <c5fda546>: Responded to the peer's first message.
2009-02-21 16:40:52 info IKE<myipscrubbed>: XAuth login was passed for gateway <xauthusergate>, username <xauthnamescrubbed>, retry: 0, Client IP Addr<192.168.2.200>, IPPool name:<XAuthIPPOOL>, Session-Timeout:<0s>, Idle-Timeout:<0s>.
2009-02-21 16:40:51 info IKE<myipscrubbed>: XAuth login was refreshed for username <xauthnamescrubbed> at <192.168.2.200/255.255.255.255>.
2009-02-21 16:40:44 info IKE<myipscrubbed>: Received initial contact notification and removed Phase 1 SAs.
2009-02-21 16:40:44 info IKE<myipscrubbed> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
2009-02-21 16:40:44 info IKE<myipscrubbed> Phase 1: Completed for user <xauthnamescrubbed>.
2009-02-21 16:40:44 info IKE<myipscrubbed>: Received initial contact notification and removed Phase 2 SAs.
2009-02-21 16:40:44 info IKE<myipscrubbed>: Received a notification message for DOI <1> <24578> <INITIAL-CONTACT>.
2009-02-21 16:40:44 info IKE<myipscrubbed>: Received a notification message for DOI <1> <24577> <REPLAY-STATUS>.
2009-02-21 16:40:44 info IKE<myipscrubbed> Phase 1: IKE responder has detected NAT in front of the remote device.
2009-02-21 16:40:44 info IKE<myipscrubbed> Phase 1: Responder starts AGGRESSIVE mode negotiations.
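The IKE log quoted in the post is dense but regular, and being able to reconstruct the negotiation from it is what makes this kind of VPN troubleshooting tractable. The following is an added example, not code from the poster or from Juniper: it parses ScreenOS-style IKE events (the sample is the post's own log, embedded as constructed input), replays them in time order, and extracts the facts a reviewer wants at a glance: Phase 1 mode and lifetime, whether NAT was detected, the XAuth user, pool and assigned client address, and the Phase 2 SPI and tunnel ID. It also checks whether the assigned client address falls inside a LAN prefix you supply; the `review()` findings and the `192.168.2.0/24` prefix are assumptions of the example, taken from the post's stated LAN, not from any device output.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the IKE events quoted in the post, one per line, in the
# newest-first order ScreenOS displays them. Peer and user names are the
# poster's own placeholders.
SAMPLE_LOG = """\
2009-02-21 16:40:52 info IKE<myipscrubbed> Phase 2 msg ID <c5fda546>: Completed negotiations with SPI <b5215a19>, tunnel ID <14>, and lifetime <3600> seconds/<0> KB.
2009-02-21 16:40:52 info IKE<myipscrubbed> Phase 2 msg ID <c5fda546>: Responded to the peer's first message.
2009-02-21 16:40:52 info IKE<myipscrubbed>: XAuth login was passed for gateway <xauthusergate>, username <xauthnamescrubbed>, retry: 0, Client IP Addr<192.168.2.200>, IPPool name:<XAuthIPPOOL>, Session-Timeout:<0s>, Idle-Timeout:<0s>.
2009-02-21 16:40:51 info IKE<myipscrubbed>: XAuth login was refreshed for username <xauthnamescrubbed> at <192.168.2.200/255.255.255.255>.
2009-02-21 16:40:44 info IKE<myipscrubbed>: Received initial contact notification and removed Phase 1 SAs.
2009-02-21 16:40:44 info IKE<myipscrubbed> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
2009-02-21 16:40:44 info IKE<myipscrubbed> Phase 1: Completed for user <xauthnamescrubbed>.
2009-02-21 16:40:44 info IKE<myipscrubbed>: Received initial contact notification and removed Phase 2 SAs.
2009-02-21 16:40:44 info IKE<myipscrubbed>: Received a notification message for DOI <1> <24578> <INITIAL-CONTACT>.
2009-02-21 16:40:44 info IKE<myipscrubbed>: Received a notification message for DOI <1> <24577> <REPLAY-STATUS>.
2009-02-21 16:40:44 info IKE<myipscrubbed> Phase 1: IKE responder has detected NAT in front of the remote device.
2009-02-21 16:40:44 info IKE<myipscrubbed> Phase 1: Responder starts AGGRESSIVE mode negotiations.
"""

# One IKE event: timestamp, level, peer, optional "Phase N" and "msg ID <x>", then the text.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>\w+) IKE<(?P<peer>[^>]*)>"
    r"(?: Phase (?P<phase>[12]))?(?: msg ID <(?P<msgid>[0-9a-f]+)>)?: (?P<msg>.*)$"
)
P1_DONE_RE = re.compile(r"Completed (\w+) mode negotiations with a <(\d+)>-second lifetime")
XAUTH_RE = re.compile(r"XAuth login was passed for gateway <([^>]*)>, username <([^>]*)>.*"
                      r"Client IP Addr<([^>]*)>, IPPool name:<([^>]*)>")
P2_DONE_RE = re.compile(r"Completed negotiations with SPI <([0-9a-f]+)>, tunnel ID <(\d+)>, "
                        r"and lifetime <(\d+)> seconds")
NOTIFY_RE = re.compile(r"Received a notification message for DOI <(\d+)> <(\d+)> <([^>]*)>")


@dataclass
class IkeSession:
    peer: str = ""
    phase1_mode: Optional[str] = None
    phase1_lifetime_s: Optional[int] = None
    nat_detected: bool = False
    xauth_gateway: Optional[str] = None
    xauth_user: Optional[str] = None
    client_ip: Optional[str] = None
    ip_pool: Optional[str] = None
    phase2_spi: Optional[str] = None
    tunnel_id: Optional[int] = None
    phase2_lifetime_s: Optional[int] = None
    notifications: list = field(default_factory=list)  # (doi, type, name) tuples


def parse_events(text):
    """Parse recognised IKE lines and return them oldest-first."""
    events = [m.groupdict() for m in (LINE_RE.match(l.strip()) for l in text.splitlines()) if m]
    events.reverse()                       # newest-first listing -> oldest-first
    events.sort(key=lambda e: e["ts"])     # stable sort keeps order within one second
    return events


def summarize(text):
    """Fold the event stream into one IkeSession record."""
    s = IkeSession()
    for e in parse_events(text):
        s.peer, msg = e["peer"], e["msg"]
        if "starts AGGRESSIVE mode negotiations" in msg:
            s.phase1_mode = "aggressive"
        elif "detected NAT in front of the remote device" in msg:
            s.nat_detected = True
        elif P1_DONE_RE.search(msg):
            m = P1_DONE_RE.search(msg)
            s.phase1_mode, s.phase1_lifetime_s = m.group(1).lower(), int(m.group(2))
        elif XAUTH_RE.search(msg):
            s.xauth_gateway, s.xauth_user, s.client_ip, s.ip_pool = XAUTH_RE.search(msg).groups()
        elif P2_DONE_RE.search(msg):
            spi, tid, life = P2_DONE_RE.search(msg).groups()
            s.phase2_spi, s.tunnel_id, s.phase2_lifetime_s = spi, int(tid), int(life)
        elif NOTIFY_RE.search(msg):
            s.notifications.append(NOTIFY_RE.search(msg).groups())
    return s


def client_ip_in_lan(session, lan_cidr):
    """True when the XAuth-assigned client address lies inside the protected LAN prefix."""
    if session.client_ip is None:
        return False
    return ipaddress.ip_address(session.client_ip) in ipaddress.ip_network(lan_cidr, strict=False)


def review(session, lan_cidr):
    """Plain-language findings a reviewer would note about this negotiation."""
    findings = []
    if session.phase1_mode == "aggressive":
        findings.append("Phase 1 used Aggressive mode: identities are exchanged before the channel is encrypted")
    if session.nat_detected:
        findings.append("NAT detected in front of the client: NAT-T (UDP encapsulation) is needed for ESP to pass")
    if client_ip_in_lan(session, lan_cidr):
        findings.append(f"XAuth-assigned address {session.client_ip} lies inside the protected LAN {lan_cidr}")
    return findings


if __name__ == "__main__":
    sess = summarize(SAMPLE_LOG)
    print(sess)
    for line in review(sess, "192.168.2.0/24"):   # assumed LAN prefix from the post
        print("-", line)
```

Run against the post's log, the summary shows an Aggressive-mode Phase 1 behind NAT, an XAuth login from pool `XAuthIPPOOL` with client address 192.168.2.200, and one Phase 2 SA (SPI b5215a19, tunnel 14). The LAN check only reports where the assigned address sits relative to the prefix you pass in; it does not decide whether that placement is intended.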
02-21-2009 03:18 PM - edited 02-21-2009 03:19 PM
I think I have resolved this.
I just went into the policy, then into the advanced settings, and set the NAT source translation to use the egress interface IP.
Just one check box and bam, it works! I can now ping devices on the LAN by name.
Unless I hear something else from the folks that have a few more credit hours than me at this and have a better suggestion...
I will kudo myself.
02-21-2009 03:28 PM - edited 02-22-2009 05:13 AM
Bahh! I spoke a little too soon; the only thing I can ping by name is the domain controller, no other server.
02-22-2009 01:35 PM
Check your DNS settings on the client with ipconfig /all.
From the command line, use nslookup, e.g.:
Is the name server popping up as the domain controller's IP address? If so, is the address resolving?
If the address is resolving but you can't ping, check the NetScreen VPN policy settings.
If the address is not resolving, check the DNS server settings.
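The reply above is a small decision procedure: resolve the name, then ping the address, and let the combination point at either the client's DNS configuration or the VPN policy. The following is an added example, not code from the replier or from Juniper, that runs that triage over a list of hostnames and separates the two failure classes the reply distinguishes. It also classifies the overall pattern, so that "only the DNS server's own name resolves" (the pattern the thread ends on) is reported distinctly from "nothing resolves". Host names, addresses and the injectable `resolve`/`reachable` callables used in the test are constructed for the example; by default it uses the system resolver and the OS `ping` command, which is what `nslookup` and `ping` on the client would exercise.

```python
import platform
import socket
import subprocess
from typing import Callable, Dict, Iterable, Optional, Tuple

VERDICT_OK = "resolves and answers ping"
VERDICT_POLICY = "resolves but does not answer ping: check the NetScreen VPN policy"
VERDICT_DNS = "does not resolve: check the client's DNS server settings"


def resolve_with_system_dns(name: str) -> Optional[str]:
    """Resolve through the client's configured resolver (what nslookup consults by default)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def ping_once(ip: str, timeout_s: int = 2) -> bool:
    """Send one ICMP echo with the OS ping command; True if it reports a reply."""
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    try:
        proc = subprocess.run(["ping", count_flag, "1", ip],
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                              timeout=timeout_s + 3)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False
    return proc.returncode == 0


def triage(hosts: Iterable[str],
           resolve: Callable[[str], Optional[str]] = resolve_with_system_dns,
           reachable: Callable[[str], bool] = ping_once) -> Dict[str, Tuple[Optional[str], str]]:
    """For each host: (resolved address or None, verdict) following the reply's decision tree."""
    results = {}
    for name in hosts:
        ip = resolve(name)
        if ip is None:
            results[name] = (None, VERDICT_DNS)        # resolver returned nothing
        elif reachable(ip):
            results[name] = (ip, VERDICT_OK)           # name and path both fine
        else:
            results[name] = (ip, VERDICT_POLICY)       # DNS fine, traffic not passing
    return results


def resolution_pattern(results: Dict[str, Tuple[Optional[str], str]], dns_server_ip: str) -> str:
    """Summarise which names resolved, relative to the DNS server ipconfig /all reports."""
    resolved = [ip for ip, _ in results.values() if ip is not None]
    if not resolved:
        return "nothing resolves"
    if len(resolved) == len(results):
        return "everything resolves"
    if set(resolved) == {dns_server_ip}:
        return "only the DNS server's own name resolves"
    return "some names resolve"


if __name__ == "__main__":
    # Constructed host list and DNS server address; replace with the ones from ipconfig /all.
    hosts = ["dc01", "fileserver", "printsrv"]
    report = triage(hosts)
    for name, (ip, verdict) in report.items():
        print(f"{name:12} {ip or '-':16} {verdict}")
    print("pattern:", resolution_pattern(report, "192.168.2.10"))
```

Because the resolver and the reachability probe are parameters, the same logic can be driven from a captured `nslookup`/`ping` session or from a second resolver address to compare answers, without touching the decision tree itself.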
02-22-2009 01:40 PM
Yes, the name server is correct when I type nslookup;
it points to the DNS server of the LAN. So yes, it is resolving.
As mentioned, the server DOES resolve by name when I ping it. But that is the only server that resolves by name, and that server happens to be the domain controller, which is also the DNS and DHCP server.
Exactly what DNS server settings am I supposed to check?