×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

PIX and DCOM

Unanswered Question
Sep 4th, 2002
User Badges:

am soliciting your input on a problem that we are having hoping that you may be able to assist. Currently we have a PIX with three interfaces Inside, Outside and DMZ. We have a web server sitting on the DMZ that is hosting an a site allowing users to access HR/Payroll information from a SQL server that sits inside our network. The web site application uses a DCOM interface to connect to the SQL server utilizing several TCP ports through the firewall. Our problem is because the DMZ security is set at 50 and the Inside interface is set at 100 we have to use static mappings from the DMZ to the inside interface. DCOM doesn’t support address translation going through a firewall, so the range of ports that the web server needs to establish a connection with never connect (ports 5000-5200). The way I understand it the reason is because DCOM uses the RAW IP address in it’s “marshaling” packets (???) and since PIX translates the address it cannot connect to the server by the RAW address. After talking to Cisco TAC, they showed me how to make the RAW address of the SQL server appear as the static mapping on the DMZ, thus allowing me to ping the RAW address from the DMZ. I thought this would solve my problems, but unfortunately it didn’t. I think DCOM not only uses the RAW IP address but it also uses the RAW MAC address. After installing a software sniffer on the web server, I found out that even though data is being transmitted between the DMZ and inside server the MAC addresses are different.. When I ping the inside server from the DMZ and watch the packets I notice that the MAC address that appears to be associated with the SQL server IP address is actually the MAC address of the DMZ interface on the PIX and not the NIC on the SQL server. Just as a test to make sure the web server can talk to the SQL server, I moved the web server inside my network and everything works fine.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
j-block Wed, 09/11/2002 - 15:27
User Badges:

If you're not using NAT and the PIX is proxy arping for the real server, yes, the mac address will change. If there is some form of marshalling on the packet at layer 2 and layer 3, you've probably only corrected layer 3. There is nothing on the PIX that will workaround this issue. You'll have to rethink the topology or talk to the DCOM vendor.

Actions

This Discussion