IBM mainframe access behind FWSM

Aug 11th, 2008

Hello,


The users are accessing the IBM mainframe via a Microsoft proxy server. The URL to access the contents is http://10.10.10.10/sdhtml/tn3270.htm.

When the users move behind the FWSM, they get only the authentication page, and after that a blank page appears instead of the CLI of the mainframe.

Is there any configuration that needs to be done on the FWSM? Right now the firewall is configured with static identity NAT between all the higher to lower security interfaces.

static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

with an ACL on all interfaces with full ip any any access.

Thanks

Sami

robertson.michael Fri, 08/15/2008 - 18:01

Hi Sami,


What exactly is supposed to happen after the user successfully authenticates? Is the CLI displayed over the same TCP/80 connection? Or does this information arrive on a child connection on a different port? If so, how do we determine this port (i.e. is it static/consistent or do we negotiate it over the TCP/80 session)?


Also, do you see any syslogs being generated when a user tries to connect to the CLI?


-Mike

Farrukh Haroon Sat, 08/16/2008 - 12:34

Most probably the mainframe app was written without stateful firewalls in mind. Therefore, as Robert pointed out, most probably it's opening a secondary connection from server to client after the 'initial' connection. One way would be to connect in the same subnet as the mainframe (without the firewall in the path) and observe the connections opened between the client/server. You could also use a packet sniffer to better analyze the flow.


Regards


Farrukh
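
The flow analysis suggested in the replies above, as an added example that is not part of the original thread: a Python sketch that reads `tcpdump -nn` text output and lists every TCP connection attempt involving the mainframe, marking which are secondary to the TCP/80 session, who initiated them, and whether a SYN-ACK came back. The capture lines are constructed; only 10.10.10.10 comes from the post, and the client address, the ports 8023 and 6000, and the function name `find_connections` are assumptions for illustration.

```python
import re

# Constructed tcpdump -nn style lines, not a real capture. 10.10.10.10 is the
# mainframe address from the post; the client address and ports 8023/6000 are
# made-up placeholders and say nothing about what the real application does.
SAMPLE = """\
12:00:01.000100 IP 192.168.1.50.49152 > 10.10.10.10.80: Flags [S], seq 100, length 0
12:00:01.000900 IP 10.10.10.10.80 > 192.168.1.50.49152: Flags [S.], seq 500, ack 101, length 0
12:00:01.001200 IP 192.168.1.50.49152 > 10.10.10.10.80: Flags [.], ack 501, length 0
12:00:04.310000 IP 192.168.1.50.49153 > 10.10.10.10.8023: Flags [S], seq 200, length 0
12:00:07.310000 IP 192.168.1.50.49153 > 10.10.10.10.8023: Flags [S], seq 200, length 0
12:00:09.120000 IP 10.10.10.10.3001 > 192.168.1.50.6000: Flags [S], seq 900, length 0
"""

LINE = re.compile(r"^\S+ IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]+)\]")

def find_connections(capture, server, primary_port=80):
    """Summarise every TCP connection attempt to or from `server`."""
    attempts = {}      # (src, sport, dst, dport) -> number of bare SYNs seen
    answered = set()   # same key, added when the matching SYN-ACK is seen
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if server not in (src, dst):
            continue
        if flags == "S":        # bare SYN: a new attempt or a retransmission
            key = (src, int(sport), dst, int(dport))
            attempts[key] = attempts.get(key, 0) + 1
        elif flags == "S.":     # SYN-ACK: reverse the tuple to find its SYN
            answered.add((dst, int(dport), src, int(sport)))
    report = []
    for (src, sport, dst, dport), syns in attempts.items():
        primary = dst == server and dport == primary_port
        report.append({
            "initiator": src, "responder": dst, "port": dport,
            "role": "primary" if primary else "secondary",
            "direction": "to-server" if dst == server else "from-server",
            "syn_count": syns,
            "answered": (src, sport, dst, dport) in answered,
        })
    return report

if __name__ == "__main__":
    for conn in find_connections(SAMPLE, "10.10.10.10"):
        print(conn)
```

Comparing the report from a capture taken in the mainframe's own subnet with one taken behind the firewall shows which secondary connections stop being answered, and the firewall syslogs for those ports and directions are the next place to look.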
