Solved Windows 7 as an IPSec VPN client - firewall configuration

[Lea Massiot]

Hello,

Thank you for reading my post.

- I have set an ISAKMP/IPSEC VPN tunnel between two Cisco routers C1 and C2.
- M1 is a machine in C1's LAN.
- M2 is a machine in C2's LAN.
- M1 is running "Windows 7".
- M2 is running "Windows XP".

I would like to access M2's shares from M1 and vice versa through the tunnel.

I deactivated both firewalls on M1 and M2.
With these settings, M1 can access M2's shares and vice versa.

Now, if I turn on the firewall on M1, M2 can't access M1's shares anymore.

My question is the following:
what do I have to do in the firewall to have it work properly?

Thank you for your help and best regards.

 

[Kaktussoft]

Now, if I turn on the firewall on M1, M2 can't access M1's shares anymore.
=>So you turned on windows 7 firewall on M1? ths standard win7 firewall?

Can you still PING M1 from M2?

 

[Kaktussoft]

Hello,

Thank you for reading my post.

- I have set an ISAKMP/IPSEC VPN tunnel between two Cisco routers C1 and C2.
- M1 is a machine in C1's LAN.
- M2 is a machine in C2's LAN.
- M1 is running "Windows 7".
- M2 is running "Windows XP".

I would like to access M2's shares from M1 and vice versa through the tunnel.

I deactivated both firewalls on M1 and M2.
With these settings, M1 can access M2's shares and vice versa.

Now, if I turn on the firewall on M1, M2 can't access M1's shares anymore.

My question is the following:
what do I have to do in the firewall to have it work properly?

Thank you for your help and best regards.

So you made a tunnel between 2 cisco routers. Now all computers behind cisco1 and see all computers behind cisco2 and vice versa... correct? No special software is installed on computer itself... correct?

please post screenshot of network centre on win7 machine

 

[Lea Massiot]

Thank you for your answer.

Can you still PING M1 from M2?

Yes. And vice versa.

So you made a tunnel between 2 cisco routers.

Yes.

Now all computers behind cisco1 and see all computers behind cisco2 and vice versa... correct?

Yes, but only if the firewalls are turned off.

No special software is installed on computer itself... correct?

Correct. No special software is installed on the computers.

 

[Kaktussoft]

please post screenshot of network centre on Windows 7 machine

 

[Kaktussoft]

What is ip address of winxp machine and all other machines on that subnet?
192.168.x.0/24 I assume

So 192.168.x.1, 192.168.x.2, 192.168.x.3, 192.168.x.4 etcetera
Correct? if so, what is x?

 

[Lea Massiot]

C1's LAN: 192.168.1.0/24
C2's LAN: 192.168.0.0/24

I've created an Inbound Rule and an Outbound Rule to allow connection through UDP port 500.
Still not working.

BR.

 

[Kaktussoft]

C1's LAN: 192.168.1.0/24
C2's LAN: 192.168.0.0/24

I've created an Inbound Rule and an Outbound Rule to allow connection through UDP port 500.
Still not working.

BR.

Those port you probably found by reading documentation about he tunnel?! It's a tunnel between two csico routers........ pc doens't even know it!! Delete those rules!

 

[Kaktussoft]

Try this commands in elevated command prompt. These does not only allow file/printer sharing from local subnet but also from 192.168.0.0/24. Use copy/paste to prevent typing errors. 4 commands succeeded succesfully? Problem solved?

netsh advfirewall firewall set rule name="File and Printer Sharing (NB-Session-In)" new remoteip=192.168.0.0/24,LocalSubnet 
netsh advfirewall firewall set rule name="File and Printer Sharing (NB-Name-In)" new remoteip=192.168.0.0/24,LocalSubnet
netsh advfirewall firewall set rule name="File and Printer Sharing (NB-Datagram-In)" new remoteip=192.168.0.0/24,LocalSubnet
netsh advfirewall firewall set rule name="File and Printer Sharing (Echo Request - ICMPv4-In)" new remoteip=192.168.0.0/24,LocalSubnet

 

[Lea Massiot]

Hello and sorry for the very later answer.
You were right, it totally was a problem of "File and Printer Sharing" permissions scope that had to be extended to the other VPN end subnet.
Thank you.

 

[chrisV2]

Don't mean to bump an old thread - but holy Redmond -- this was exactly what I needed to get the Windows firewall to play nicely with my new VPN connection. I was not willing to turn off the firewall or allow "public" access to remote-desktop (which is a sledge-hammer way to get it to work).

This was perfect - thank you!!!