They are putting a PIX firewall between the test and production networks, but our client systems access Corba services on the servers which will be behind the firewall. So far they've come up with all non-priv ports permitted in and out! Can Cisco PIX filter (permit) Corba based on the IIOP protocol?
One of the important things you need to consider when you have the IIOP clients on a different subnet is that "the IIOP does not work with NAT enabled". Hence you need to disable NAT, i.e. do a static on the same IP.
They have the Well Known Ports open for us; it's that all of the non-privileged ports need to be open that is the problem.
When the clients outside the enclave contact a server inside the enclave, the server starts a service which tries to come out of the enclave on an as yet undeterminable port. We tried to restrict the non-privileged ports used by the server services, but it didn't work.
I have googled this extensively and have only found old (2002) responses; most mention needing all non-privileged ports open. Since there are no newer results I was hoping that there was a solution and therefore no more problems. I found an article that talked about application firewalling that could determine if the traffic was IIOP or not, but I can't find any other reference to that.
I'm really not sure how this application will work, but NAT it seems is a considerable thing to consider. You should not do NAT at any point. One thing you can do is to put an "access-list deny any any log" at the end of your inside or outside interface and see what packets the ASA is actually blocking, and see if you can grant access to those ports.
I think the best guys to talk to are the application owners. With regards to the network level, we can't do much, and we will have to open/block whatever ports the application uses. If there are too many complications or too many UDP ports to open, I would prefer an IP any rule for this specific server and get out of the issues :) This might anyway be your last resort.
Hope this helps. All the best. Rate replies if found useful.
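The reply above suggests ending the interface ACL with a deny-and-log entry and reading the resulting drops to see which ports the CORBA server actually needs. The script below is an added example, not code from the thread or from Cisco: it parses the `%ASA-4-106023` / `%PIX-4-106023` "Deny ... by access-group" syslog message, counts the (protocol, port) pairs dropped on the way to the server, and emits candidate PIX-style `access-list ... permit` lines for a human to review. The sample log lines, the hosts `10.1.1.x` / `192.168.1.x`, and the ACL name `outside_in` are constructed for the example; only the message format is real.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the ASA/PIX %ASA-4-106023 "Deny ... by access-group"
# format. The hosts, ports and the ACL name "outside_in" are assumptions for this example,
# not values taken from the thread. The last line is a different message ID and is ignored.
SAMPLE_LOGS = """\
%ASA-4-106023: Deny tcp src outside:10.1.1.5/45231 dst inside:192.168.1.10/3456 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:10.1.1.5/45232 dst inside:192.168.1.10/3456 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:10.1.1.6/50110 dst inside:192.168.1.10/3457 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:10.1.1.7/5000 dst inside:192.168.1.20/161 by access-group "outside_in" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 12345 for outside:10.1.1.5/45233 (10.1.1.5/45233) to inside:192.168.1.10/2809 (192.168.1.10/2809)
"""

# Only the 106023 deny message is parsed; every other syslog ID is skipped.
DENY_RE = re.compile(
    r'%(?:ASA|PIX)-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>[^:]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>[^:]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_denies(log_text):
    """Return one dict per deny line (ports converted to int); non-matching lines are skipped."""
    denies = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["src_port"] = int(rec["src_port"])
        rec["dst_port"] = int(rec["dst_port"])
        denies.append(rec)
    return denies


def denied_services(log_text, server_ip):
    """Count the (proto, dst_port) pairs the firewall dropped on the way to server_ip."""
    counts = Counter()
    for rec in parse_denies(log_text):
        if rec["dst_ip"] == server_ip:
            counts[(rec["proto"], rec["dst_port"])] += 1
    return counts


def is_non_privileged(port):
    """True for the 1024-65535 range the thread calls the non-privileged ports."""
    return 1024 <= port <= 65535


def suggest_permits(log_text, server_ip, acl_name="outside_in"):
    """Emit one candidate PIX-style permit line per denied (proto, port) seen at server_ip.

    This is a starting point for review, not something to apply blindly: a drop on an
    ephemeral port only proves that one connection wanted it at that moment.
    """
    lines = []
    for (proto, port), _count in sorted(denied_services(log_text, server_ip).items()):
        lines.append(f"access-list {acl_name} permit {proto} any host {server_ip} eq {port}")
    return lines


if __name__ == "__main__":
    for rec in parse_denies(SAMPLE_LOGS):
        kind = "non-priv" if is_non_privileged(rec["dst_port"]) else "well-known"
        print(f'{rec["proto"]} {rec["src_ip"]}:{rec["src_port"]} -> '
              f'{rec["dst_ip"]}:{rec["dst_port"]} ({kind})')
    print("\n".join(suggest_permits(SAMPLE_LOGS, "192.168.1.10")))
```

The same parse works on denies logged against the inside interface, which is where the server's outbound callbacks described earlier in the thread would show up; in that case the server appears as `src` and the interesting port is on the client side. If the set of ports keeps growing from run to run, the service is picking them dynamically and per-port permits will not converge, which is the situation where the reply's fallback of a single IP rule for that one server applies.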