Corba Through a PIX Firewall

Unanswered Question
Apr 26th, 2007

They are putting a PIX firewall between the test and production networks, but our client systems access Corba services on the servers which will be behind the firewall. So far they've come up with all non-priv ports permitted in and out! Can Cisco PIX filter (permit) Corba based on the IIOP protocol?

Thanks Russ

sachinraja Thu, 04/26/2007 - 19:30

Hello Russell,

I was just doing a google on your query, and found an important document

http://www-128.ibm.com/developerworks/ibm/library/it/it-1001art37/

One of the important things you need to consider when you have the IIOP clients on a different subnet is that "the IIOP does not work with NAT enabled". Hence you need to disable NAT, i.e. do a static on the same IP.

static (inside,outside) 10.1.1.1 10.1.1.1 netmask 255.255.255.255

Once you do this, you just need to have the required ACLs to allow the IIOP protocol from a lower security to a higher security zone. The IIOP port numbers can be seen at the following URL:

http://www.networksorcery.com/enp/protocol/ip/ports00000.htm

So, get going .. if you have the correct NAT, ACL etc., this should work fine...

Hope this helps.. all the best. rate replies if found useful..

Raj

russell.haskins... Fri, 04/27/2007 - 07:22

Raj,

Thanks for the reply.

They have the Well Known Ports open for us; the problem is that all of the non-privileged ports need to be open.

When a client outside the enclave contacts a server inside the enclave, the server starts a service which tries to come out of the enclave on an as-yet-undeterminable port. We tried to restrict the non-privileged ports used by the server services, but it didn't work.

I have googled this extensively and have only found old (2002) responses, most of which mention needing all non-privileged ports open. Since there are no newer results I was hoping that there was a solution and therefore no more problems. I found an article that talked about application firewalling that could determine if the traffic was IIOP or not, but I can't find any other reference to that.

Russ...

sachinraja Tue, 05/01/2007 - 01:49

Hello Russ,

I'm really not sure how this application will work, but NAT, it seems, is a considerable thing to consider. You should not do NAT at any point. One thing you can do is put an "access-list deny any any log" at the end of your inside or outside interface and see what packets the ASA is actually blocking, and see if you can grant access to those ports...

I think the best guys to talk to are the application owners. With regards to the network level, we can't do much, and we will have to open/block whatever ports the application works on.. If there are too many complications or too many UDP ports to open, I would prefer an IP any rule for this specific server, and get out of the issues :) This might anyway be your last resort..

Hope this helps.. all the best.. rate replies if found useful..

Raj
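Raj's "deny any any log" suggestion, worked through as an added Python example that is not part of the thread: it parses PIX 106023 "Deny ... by access-group" syslog messages (the sample lines below are constructed; 10.1.1.1 is the server address from Raj's static example, the ACL names and client addresses are assumed) and tallies which ports the Corba server is being blocked on, so you can judge whether a tight ACL is feasible or whether the callback ports are ephemeral.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the PIX 106023 "Deny ... by access-group"
# format (not from the thread); addresses, ports and ACL names are made up.
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src outside:192.0.2.10/40125 dst inside:10.1.1.1/683 by access-group "outside_in"
%PIX-4-106023: Deny tcp src inside:10.1.1.1/32841 dst outside:192.0.2.10/51002 by access-group "inside_out"
%PIX-4-106023: Deny tcp src inside:10.1.1.1/32842 dst outside:192.0.2.11/51017 by access-group "inside_out"
%PIX-4-106023: Deny udp src outside:192.0.2.10/5353 dst inside:10.1.1.1/5353 by access-group "outside_in"
%PIX-6-302013: Built inbound TCP connection 12 for outside:192.0.2.10/40126 (192.0.2.10/40126) to inside:10.1.1.1/683 (10.1.1.1/683)
"""

DENY_RE = re.compile(
    r'%PIX-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

def parse_denies(log_text):
    """Return one dict per 106023 deny line; other syslog messages are skipped."""
    out = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            d = m.groupdict()
            d["src_port"], d["dst_port"] = int(d["src_port"]), int(d["dst_port"])
            out.append(d)
    return out

def summarize_denies(log_text, server_ip):
    """Tally denied flows touching server_ip as (direction, proto, remote port).
    Inbound = client -> server (the IIOP listener); outbound = server -> client
    (callbacks). A short, stable list means a tight ACL is feasible."""
    counts = Counter()
    for d in parse_denies(log_text):
        if d["dst_ip"] == server_ip:
            counts[("inbound", d["proto"], d["dst_port"])] += 1
        elif d["src_ip"] == server_ip:
            counts[("outbound", d["proto"], d["dst_port"])] += 1
    return counts

def inbound_permit_lines(counts, server_ip, acl_name="outside_in"):
    """Draft PIX access-list entries for the inbound ports observed in counts."""
    return [
        f"access-list {acl_name} permit {proto} any host {server_ip} eq {port}"
        for (direction, proto, port) in sorted(counts) if direction == "inbound"
    ]
```

Outbound entries with a different destination port per connection are the callback problem Russ describes; no fixed permit line covers them, which is why a per-server "IP any" rule ends up as the fallback.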
