JDmailNY
join:2007-12-02
Pearl River, NY

JDmailNY

Member

[Config] ASA 5510 Firewall vpn not mapping drives

I have a Cisco 5510 VPN firewall. Users who VPN into the network from home do not get their drive mappings when they log into the domain with their XP Professional laptops; however, they are able to log into the network and get drive mappings when they bring their laptops into the home office and log into the network. The servers are Windows 2003 and there are two Windows DNS servers.

I took the advice of Cisco support and applied what I thought was the right way to load the DNS onto the firewall, which is the IP addresses of the two Windows DNS servers, and nothing is working. How can my VPN users get drive mappings from home? Thanks
elnino
join:2006-08-27
Akron, OH

elnino

Member

The problem is, drives are generally mapped in the logon script, which runs when you're in the office because you're actually logging into the domain. When at home, you're logging into your workstation with cached domain credentials. Since you're not actually logging into the domain at bootup, the logon script doesn't run. The best thing is to create a VB script or something that maps drives and have the user run that after logging in to VPN.

jester121
Premium Member
join:2003-08-09
Lake Zurich, IL

jester121 to JDmailNY

Premium Member

to JDmailNY
Or, I think you can run the Easy VPN pre-login option, so it connects the VPN before logging into windows. Haven't done this personally but I've seen it referenced in the docs.
elnino
join:2006-08-27
Akron, OH

elnino

Member

said by jester121:

Or, I think you can run the Easy VPN pre-login option, so it connects the VPN before logging into windows. Haven't done this personally but I've seen it referenced in the docs.
I think I remember hearing that the pre-login feature was disabled in newer versions of the VPN client. Not quite sure though.
supergeeky
join:2003-05-09
United State

1 edit

supergeeky to JDmailNY

Member

to JDmailNY
Assuming these machines ARE a member of the Active-Directory domain (and not simply stand-alone) then...

Ensure that you are specifying your Active-Directory integrated DNS servers in the IP lease to VPN clients. I suspect your clients aren't finding the server(s) because their DNS is wrong and can't find them. Simply specifying these DNS servers on the firewall/DHCP lease is not enough; there is a place to specify this for VPN clients.

In some cases the VPN proves too slow for this and the DNS queries time out, thus you may need to add the server names and FQDN names to the local HOSTS file as such...
192.168.5.5 computer-name
192.168.5.5 computer-name.netbios-domain-name.domain.tld
JDmailNY
join:2007-12-02
Pearl River, NY

JDmailNY

Member

Ya know, I never thought about it in terms of setting a host file, which sounds like a good idea. I also just got off the phone with Cisco, and they mentioned this could be a Microsoft issue with Active Directory, because users are actually attempting to push a login script across the VPN to their workstation after they have VPNed in. I'm going to post something with MS. God Bless and thanks for everyone pointing me in the right direction.

ua_hockey
join:2003-08-07
Columbus, OH

ua_hockey

Member

You never say whether the issue is login script related or DNS related (or both). How are IP addresses handed out to VPN clients? Via a DHCP server or through an IP Pool? If through a DHCP server, define your DNS servers in the scope. If through a local IP pool, you'll need to define your DNS servers under the group policy in the ASA. Once you have connected, can you manually map the drives, or manually run the login script (assuming the drive mappings are done via login script)? Can you do something like this: \\domain.controller\netlogon\login.script? If you can, and the drives are there, then your issue is with the login script not running. If not, the issue is likely name resolution (see previous entries for DNS/host file settings). If the issue is that the login script doesn't run, you have some choices:
1). configure the VPN client to run before login, and log into the VPN prior to logging into Windows
2). create a shortcut pointing to the path of the login script and have the users run the shortcut after they connect to the VPN
3). create a custom script that will run after the VPN client connects.

BTW, you don't have to point at a specific domain controller; assuming name resolution works, you can do something like this: \\dns.name.of.domain\netlogon\logon.script

That will allow the client to use the closest domain controller, which can be controlled with the Active Directory Sites and Services MMC plugin.
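
The triage described in the post above (test the NETLOGON path, then fall back to a name-resolution check), written as a batch file a user could run once the VPN client has connected. This is an added example, not a script posted in the thread; the domain name and the `logon.bat` file name are placeholders to replace with your own.

```batch
@echo off
rem Added example, not from the thread: run after the VPN client reports "connected".
rem AD_DOMAIN and LOGON_SCRIPT are placeholders (assumptions); set both for your site.
setlocal
set "AD_DOMAIN=dns.name.of.domain"
set "LOGON_SCRIPT=logon.bat"
set "NETLOGON=\\%AD_DOMAIN%\netlogon"

rem Test 1: is the logon script visible over the tunnel?
rem Using the domain name instead of one server lets the client pick a domain controller.
if exist "%NETLOGON%\%LOGON_SCRIPT%" goto run_script

rem Test 2: the share is not visible, so check name resolution.
rem ping prints the resolved address in [brackets] only when the name resolves,
rem whether or not the host answers ICMP. It uses the normal Windows resolver
rem (HOSTS file and DNS), the same path a UNC name takes.
ping -n 1 %AD_DOMAIN% | find "[" >nul
if errorlevel 1 goto dns_failed

echo %AD_DOMAIN% resolves, but %NETLOGON%\%LOGON_SCRIPT% is not reachable.
echo Name resolution is fine; check the script name and access to the share.
exit /b 2

:dns_failed
echo Cannot resolve %AD_DOMAIN%.
echo Run "ipconfig /all" and confirm the VPN adapter lists the internal DNS servers.
exit /b 1

:run_script
rem The share is reachable, so the only problem was that the logon script never ran.
echo Running %NETLOGON%\%LOGON_SCRIPT% ...
call "%NETLOGON%\%LOGON_SCRIPT%"
exit /b 0
```

Exit code 1 points at the DNS settings handed to VPN clients, 2 at the share or script path, and 0 means the mappings were applied by the script itself.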
JDmailNY
join:2007-12-02
Pearl River, NY

JDmailNY

Member

said by ua_hockey:

You never say whether the issue is login script related or DNS related (or both). How are IP addresses handed out to VPN clients? Via a DHCP server or through an IP Pool? If through a DHCP server, define your DNS servers in the scope. If through a local IP pool, you'll need to define your DNS servers under the group policy in the ASA. Once you have connected, can you manually map the drives, or manually run the login script (assuming the drive mappings are done via login script)? Can you do something like this: \\domain.controller\netlogon\login.script? If you can, and the drives are there, then your issue is with the login script not running. If not, the issue is likely name resolution (see previous entries for DNS/host file settings). If the issue is that the login script doesn't run, you have some choices:
1). configure the VPN client to run before login, and log into the VPN prior to logging into Windows
2). create a shortcut pointing to the path of the login script and have the users run the shortcut after they connect to the VPN
3). create a custom script that will run after the VPN client connects.

BTW, you don't have to point at a specific domain controller; assuming name resolution works, you can do something like this: \\dns.name.of.domain\netlogon\logon.script

That will allow the client to use the closest domain controller, which can be controlled with the Active Directory Sites and Services MMC plugin.
I took the advice of what everyone said and you guys are great. I added our servers' DNS numbers to the VPN firewall, then I configured the Cisco VPN client to connect to our network before a user would log into their home workstation. When they logged in they got their network drives. Thanks to you guys. God Bless and have a great day.