Unable to route SNA traffic through PIX

Unanswered Question
Sep 17th, 2005
User Badges:

Hi. I am helping out someone with network consultancy. We have come across a scenario where the PIX outside, Inside and DMZ interfaces are all connected on one common 3512 Layer 2 switch which has only the default vlan. Strange! but when invistigated further they said that couple of years back it was designed this way because they have an IBM server in the DMZ which uses SNA traffic for communication. SNA traffic does not route through the PIX directly because it's a non-routable protocol. Is anyone aware of this kind of a scenario? Is there any fixup or any possible way to send the SNA traffic through the PIX directly without using a layer2 medium for communication. We have suggested them to create VLAN's on the switch and configure Bridge-groups between them to avoid the broadcasts on the switch. This is our solution for now to avoid all the loops and congestion on their network because of the bad design. We would prefer if we can remove the l2 switch and allow all the connections directly through the PIX if we could find a sloution for routing SNA traffic through PIX. Any advice?


Thanks & Regards

Kevin.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
rais Sun, 09/18/2005 - 15:53
User Badges:
  • Silver, 250 points or more

SNA is not IP unless you're using DLSW/STUN and then you can put this link outside the firewall. However, Serial links from the router may have to be connected directly to the IBM server.


Thanks.

kev_jacob Tue, 09/20/2005 - 04:25
User Badges:

Hi Rais,


Thanks for you reply.


Is this method that you suggested the best and most secure design with respect to IBM SNA traffic or are there any other design options as well.


Rgds

Kevin

kev_jacob Wed, 09/21/2005 - 05:15
User Badges:

Hi Rais,


In the setup we are doing DLSW peering in our Cisco 3640 Router, the config is as follows:


source-bridge ring-group 100

source-bridge transparent 100 14 1 5

dlsw local-peer peer-id 10.2.24.1

dlsw remote-peer 0 tcp 10.10.254.22

dlsw remote-peer 0 tcp 10.10.254.9

dlsw bridge-group 5


and this Router is connected to PIX 515 (Unrestricted License) . Is there any way to pass these SNA/DLSW traffic through the PIX ?





Thanks

Kevin

rais Wed, 09/21/2005 - 05:42
User Badges:
  • Silver, 250 points or more

If the router terminating the DLSW can be put behind the firewall then yes. You have to open up tcp port 2067.


Thanks.

Richard Burts Wed, 09/21/2005 - 18:52
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Kevin


The configuration that you have here will encapsulate the SNA in an IP packet. Your config specifies to use TCP encapsulation. By default DLSw uses port 2065 for TCP encapsulation. So after the router does its DLSw thing the PIX should only see IP packets with TCP port 2065 and will not see SNA.


So on your PIX make sure that there are rules that permit traffic with source address 10.2.24.1 and destination address of 10.10.254.22 or 10.10.254.9 and TCP destination port of 2065. You would also need to be sure that the PIX will permit return traffic.


HTH


Rick

Actions

This Discussion