04-26-2007 01:12 PM - edited 03-11-2019 03:05 AM
They are putting a PIX firewall between the test and production networks, but our client systems access Corba services on the servers which will be behind the firewall. So far they've come up with all non-priv ports permitted in and out! Can Cisco PIX filter (permit) Corba based on the IIOP protocol?
Thanks Russ
04-26-2007 07:30 PM
Hello Russel,
I was just doing a Google search on your query and found an important document:
http://www-128.ibm.com/developerworks/ibm/library/it/it-1001art37/
One of the important things you need to consider when you have the IIOP clients on a different subnet is that "the IIOP does not work with NAT enabled". Hence you need to disable NAT, i.e. do a static on the same IP:
static (inside,outside) 10.1.1.1 10.1.1.1 netmask 255.255.255.255
Once you do this, you just need to have the required ACLs to allow the IIOP protocol from a lower security to a higher security zone. The IIOP port numbers can be seen at the following URL:
http://www.networksorcery.com/enp/protocol/ip/ports00000.htm
So, get going... if you have the correct NAT, ACL etc., this should work fine...
Hope this helps... all the best. Rate replies if found useful...
Raj
04-27-2007 07:22 AM
Raj,
Thanks for the reply.
They have the well-known ports open for us; the problem is that all of the non-privileged ports need to be open.
When the clients outside the enclave contact a server inside the enclave, the server starts a service which tries to come out of the enclave on an as yet undeterminable port. We tried to restrict the non-privileged ports used by the server services, but it didn't work.
I have googled this extensively and have only found old (2002) responses, most mentioning the need for all non-privileged ports to be open. Since there are no newer results I was hoping that there was a solution and therefore no more problems. I found an article that talked about application firewalling that could determine whether the traffic was IIOP or not, but I can't find any other reference to that.
Russ...
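Added example (not from this thread, Cisco, or any PIX feature): the check an application-aware filter of the kind mentioned above would have to make to recognise IIOP on an arbitrary non-privileged port. It parses the 12-byte GIOP header that every IIOP message begins with (magic, version, flags, message type, body size) and decides whether a connection's first payload is IIOP at all; the sample payloads are constructed, and the port numbers and size limit are assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Optional

GIOP_MAGIC = b"GIOP"
# GIOP message types; type 7 (Fragment) only exists from GIOP 1.1 onwards
MESSAGE_TYPES = {0: "Request", 1: "Reply", 2: "CancelRequest", 3: "LocateRequest",
                 4: "LocateReply", 5: "CloseConnection", 6: "MessageError", 7: "Fragment"}

@dataclass
class GiopHeader:
    major: int
    minor: int
    little_endian: bool
    more_fragments: bool
    msg_type: str
    body_size: int

def parse_giop_header(payload: bytes) -> Optional[GiopHeader]:
    """Return the parsed 12-byte GIOP header, or None if the payload is not IIOP."""
    if len(payload) < 12 or payload[:4] != GIOP_MAGIC:
        return None
    major, minor, flags, msg_type = struct.unpack("!BBBB", payload[4:8])
    if major != 1 or minor > 2:
        return None
    if msg_type not in MESSAGE_TYPES or (minor == 0 and msg_type == 7):
        return None
    # Bit 0 of flags (the whole byte_order field in GIOP 1.0) selects the CDR byte
    # order, which also governs message_size. Bit 1 (GIOP 1.1+) marks more fragments.
    little_endian = bool(flags & 0x01)
    more_fragments = bool(flags & 0x02) and minor >= 1
    size = struct.unpack("<I" if little_endian else ">I", payload[8:12])[0]
    return GiopHeader(major, minor, little_endian, more_fragments, MESSAGE_TYPES[msg_type], size)

def classify_flow(dst_port: int, first_payload: bytes) -> str:
    """Decision an application-aware filter could make for a new connection into the enclave."""
    hdr = parse_giop_header(first_payload)
    if hdr is None:
        return "deny: not IIOP"
    if hdr.body_size > 16 * 1024 * 1024:  # assumed sanity limit on a single GIOP message
        return "deny: implausible GIOP message size"
    return f"permit: IIOP {hdr.major}.{hdr.minor} {hdr.msg_type} on tcp/{dst_port}"

# Constructed sample payloads (not captured traffic)
SAMPLE_REQUEST = b"GIOP" + bytes([1, 2, 0x01, 0]) + struct.pack("<I", 48)  # GIOP 1.2 Request, little-endian
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"

if __name__ == "__main__":
    print(classify_flow(49152, SAMPLE_REQUEST))
    print(classify_flow(49152, SAMPLE_HTTP))
```

Matching on the GIOP header is what lets a filter permit IIOP on a dynamic port while still rejecting anything else that tries to use the same port range.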
05-01-2007 01:49 AM
Hello Russ,
I'm really not sure how this application will work, but NAT, it seems, is a considerable thing to consider. You should not do NAT at any point... One thing you can do is add an "access-list deny any any log" at the end of your inside or outside interface ACL and see which packets the ASA is actually blocking, and see if you can grant access to those ports...
I think the best guys to talk to are the application owners. With regard to the network level, we can't do much, and we will have to open/block whatever ports the application works on... If there are too many complications or too many UDP ports to open, I would prefer an IP any rule for this specific server and get out of the issues :) This might anyway be your last resort...
Hope this helps... all the best... rate replies if found useful...
Raj