|
[Config] ASA 5510 Firewall vpn not mapping drives

I have a Cisco 5510 VPN firewall. Users who VPN into the network from home do not get their drive mappings when they log into the domain with their XP Professional laptops; however, they are able to log into the network and get drive mappings when they bring their laptops into the home office and log into the network. The servers are Windows 2003 and there are two Windows DNS servers.
I took the advice of Cisco support and applied what I thought was the right way to load the DNS onto the firewall, which is the IP addresses of the two Windows DNS servers, and nothing is working. How can my VPN users get drive mappings from home???? Thanks
|
elnino join:2006-08-27 Akron, OH |
elnino
Member
2010-Jun-13 10:14 am
The problem is, drives are generally mapped in the logon script, which runs when you're in the office because you're actually logging into the domain. When at home, you're logging into your workstation with cached domain credentials. Since you're not actually logging into the domain at bootup, the logon script doesn't run. The best thing is to create a VB script or something that maps drives and have the user run that after logging in to the VPN.
|
jester121 Premium Member join:2003-08-09 Lake Zurich, IL |
to JDmailNY
Or, I think you can run the Easy VPN pre-login option, so it connects the VPN before logging into Windows. Haven't done this personally but I've seen it referenced in the docs.
|
elnino join:2006-08-27 Akron, OH |
elnino
Member
2010-Jun-15 8:56 am
said by jester121:
Or, I think you can run the Easy VPN pre-login option, so it connects the VPN before logging into windows. Haven't done this personally but I've seen it referenced in the docs.

I think I remember hearing that the pre-login feature was disabled in newer versions of the VPN client. Not quite sure though.
|
to JDmailNY
Assuming these machines ARE a member of the Active-Directory domain (and not simply stand-alone) then...
Ensure that you are specifying your Active-Directory integrated DNS servers in the IP lease to VPN clients. I suspect your clients aren't finding the server(s) because their DNS is wrong and can't find them. Simply specifying these DNS servers on the firewall/DHCP lease is not enough; there is a place to specify this for VPN clients.
In some cases the VPN proves too slow for this and the DNS queries time out, thus you may need to add the server names and FQDN names to the local HOSTS file as such...

    192.168.5.5    computer-name
    192.168.5.5    computer-name.netbios-domain-name.domain.tld
|
|
Ya know, I never thought about it in terms of setting a host file, which sounds like a good idea. I also just got off the phone with Cisco, and they mentioned this could be a Microsoft issue with Active Directory, because users are actually attempting to push a login script across the VPN to their workstation after they have VPNed in. I'm going to post something with MS. God Bless and thanks for everyone pointing me in the right direction.
|
|
You never say whether the issue is login script related or DNS related (or both). How are IP addresses handed out to VPN clients? Via a DHCP server or through an IP Pool? If through a DHCP server, define your DNS servers in the scope. If through a local IP pool, you'll need to define your DNS servers under the group policy in the ASA.

Once you have connected, can you manually map the drives, or manually run the login script (assuming the drive mappings are done via login script)? Can you do something like this: \\domain.controller\netlogon\login.script? If you can, and the drives are there, then your issue is with the login script not running. If not, the issue is likely name resolution (see previous entries for DNS/host file settings).

If the issue is that the login script doesn't run, you have some choices:
1) configure the VPN client to run before login, and log into the VPN prior to logging into Windows
2) create a shortcut pointing to the path of the login script and have the users run the shortcut after they connect to the VPN
3) create a custom script that will run after the VPN client connects.

BTW, you don't have to point at a specific domain controller; assuming name resolution works, you can do something like this: \\dns.name.of.domain\netlogon\logon.script
That will allow the client to use the closest domain controller, which can be controlled with the Active Directory Sites and Services MMC plugin.
|
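The checks from the post above, as an added example that is not part of the original thread: a batch file for the XP clients, run after the VPN connects, that tells a name-resolution failure apart from a logon script that simply never ran, and then runs the script. `domain.tld` and `logon.bat` are placeholder values (assumptions), and the `find "DNS Servers"` filter assumes an English-language Windows.

```bat
@echo off
rem Added example: run by the user after the VPN tunnel is up.
rem AD_DOMAIN and LOGON_SCRIPT are placeholders, not values from the thread.
setlocal
set "AD_DOMAIN=domain.tld"
set "LOGON_SCRIPT=logon.bat"
set "NETLOGON=\\%AD_DOMAIN%\netlogon"

rem Step 1: name resolution. ping uses the Windows resolver, so it honours
rem both the DNS servers handed to the VPN adapter and any HOSTS file entries.
rem A resolved name is printed with its address in [brackets], even when
rem ICMP replies are blocked, so we test for the bracket and not for a reply.
ping -n 1 -w 1000 %AD_DOMAIN% | find "[" >nul
if errorlevel 1 (
    echo FAIL: cannot resolve %AD_DOMAIN%. DNS servers currently in use:
    ipconfig /all | find "DNS Servers"
    exit /b 1
)

rem Step 2: the name resolves, so check that the NETLOGON share and the
rem script are reachable with the cached domain credentials.
if not exist "%NETLOGON%\%LOGON_SCRIPT%" (
    echo FAIL: %NETLOGON%\%LOGON_SCRIPT% is not reachable.
    echo       Check the script name and access to the share over the VPN.
    exit /b 2
)

rem Step 3: run the same script a domain logon would have run.
rem Using the domain name, not one server, lets the client pick a domain controller.
call "%NETLOGON%\%LOGON_SCRIPT%"
if errorlevel 1 (
    echo WARN: logon script returned errorlevel %errorlevel%.
    exit /b 3
)

echo OK: logon script ran. Current drive mappings:
net use
endlocal
```

Exit code 1 points at the DNS settings handed to VPN clients, exit code 2 at reaching the share, and exit code 3 at the logon script itself.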
|
said by ua_hockey:
You never say whether the issue is login script related or DNS related (or both). How are IP addresses handed out to VPN clients? Via a DHCP server or through an IP Pool? If through a DHCP server, define your DNS servers in the scope. If through a local IP pool, you'll need to define your DNS servers under the group policy in the ASA. Once you have connected, can you manually map the drives, or manually run the login script (assuming the drive mappings are done via login script)? Can you do something like this: \\domain.controller\netlogon\login.script? If you can, and the drives are there, then your issue is with the login script not running. If not, the issue is likely name resolution (see previous entries for DNS/host file settings). If the issue is that the login script doesn't run, you have some choices: 1) configure the VPN client to run before login, and log into the VPN prior to logging into Windows 2) create a shortcut pointing to the path of the login script and have the users run the shortcut after they connect to the VPN 3) create a custom script that will run after the VPN client connects. BTW, you don't have to point at a specific domain controller; assuming name resolution works, you can do something like this: \\dns.name.of.domain\netlogon\logon.script That will allow the client to use the closest domain controller, which can be controlled with the Active Directory Sites and Services MMC plugin.

I took the advice of what everyone said and you guys are great. I added our servers' DNS numbers to the VPN firewall, then I configured the Cisco VPN client to connect to our network before a user would log into their home workstation. When they logged in they got their network drives. Thanks to you guys. God Bless and Have A Great day
|