Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
425
Views
0
Helpful
5
Replies

Unable to route SNA traffic through PIX

kev_jacob
Level 1
Level 1

‎09-17-2005 11:53 PM - edited ‎02-21-2020 12:24 AM

Hi. I am helping out someone with network consultancy. We have come across a scenario where the PIX outside, Inside and DMZ interfaces are all connected on one common 3512 Layer 2 switch which has only the default vlan. Strange! but when invistigated further they said that couple of years back it was designed this way because they have an IBM server in the DMZ which uses SNA traffic for communication. SNA traffic does not route through the PIX directly because it's a non-routable protocol. Is anyone aware of this kind of a scenario? Is there any fixup or any possible way to send the SNA traffic through the PIX directly without using a layer2 medium for communication. We have suggested them to create VLAN's on the switch and configure Bridge-groups between them to avoid the broadcasts on the switch. This is our solution for now to avoid all the loops and congestion on their network because of the bad design. We would prefer if we can remove the l2 switch and allow all the connections directly through the PIX if we could find a sloution for routing SNA traffic through PIX. Any advice?

Thanks & Regards

Kevin.

0 Helpful
5 Replies 5

rais
Level 7
Level 7

‎09-18-2005 03:53 PM

SNA is not IP unless you're using DLSW/STUN and then you can put this link outside the firewall. However, Serial links from the router may have to be connected directly to the IBM server.

Thanks.

0 Helpful

kev_jacob
Level 1
Level 1
In response to rais

‎09-20-2005 04:25 AM

Hi Rais,

Thanks for you reply.

Is this method that you suggested the best and most secure design with respect to IBM SNA traffic or are there any other design options as well.

Rgds

Kevin

0 Helpful

kev_jacob
Level 1
Level 1
In response to kev_jacob

‎09-21-2005 05:15 AM

Hi Rais,

In the setup we are doing DLSW peering in our Cisco 3640 Router, the config is as follows:

source-bridge ring-group 100

source-bridge transparent 100 14 1 5

dlsw local-peer peer-id 10.2.24.1

dlsw remote-peer 0 tcp 10.10.254.22

dlsw remote-peer 0 tcp 10.10.254.9

dlsw bridge-group 5

and this Router is connected to PIX 515 (Unrestricted License) . Is there any way to pass these SNA/DLSW traffic through the PIX ?

Thanks

Kevin

0 Helpful

rais
Level 7
Level 7
In response to kev_jacob

‎09-21-2005 05:42 AM

If the router terminating the DLSW can be put behind the firewall then yes. You have to open up tcp port 2067.

Thanks.

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to kev_jacob

‎09-21-2005 06:52 PM

Kevin

The configuration that you have here will encapsulate the SNA in an IP packet. Your config specifies to use TCP encapsulation. By default DLSw uses port 2065 for TCP encapsulation. So after the router does its DLSw thing the PIX should only see IP packets with TCP port 2065 and will not see SNA.

So on your PIX make sure that there are rules that permit traffic with source address 10.2.24.1 and destination address of 10.10.254.22 or 10.10.254.9 and TCP destination port of 2065. You would also need to be sure that the PIX will permit return traffic.

HTH

Rick

HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card