Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Corba Through a PIX Firewall

They are putting a PIX firewall between the test and production networks, but our client systems access Corba services on the servers which will be behind the firewall. So far they've come up with all non-priv ports permitted in and out! Can Cisco PIX filter (permit) Corba based on the IIOP protocol?

Thanks Russ

3 REPLIES

Re: Corba Through a PIX Firewall

Hello russel,

I was just doing a google on your query, and found an important document

http://www-128.ibm.com/developerworks/ibm/library/it/it-1001art37/

One of the important things you need to consider when you have the IIOP clients on a different subnet is that "the IIOP does not work with NAT enabled". hence you need to disable nat, ie do a static on the same IP.

static (inside,outside) 10.1.1.1 10.1.1.1 netmask 255.255.255.255

Once you do this, you just need to have the required ACL's to allow IIOP protocol from a lower security to a higher security zone. the IIOP port numbers can be seen from the following URL:

http://www.networksorcery.com/enp/protocol/ip/ports00000.htm

So, get going .. if you have the correct NAT, ACL etc, this should ork fine...

Hope this helps.. all the best. rate replies if found useful..

Raj

New Member

Re: Corba Through a PIX Firewall

Raj,

Thanks for the reply.

They have the Well Known Ports open for us, it's that all of the non-privileged ports need to be open is the problem.

When the clients, outside the enclave contacts a server inside the enclave, the server starts a service which tries to come out of the enclave on an as yet undeterminable port. We tried to restrict the non-privileged ports used by the server services, but, it didn't work.

I have googled this extensively and have only found old (2002) responses, most mention needing all non-privileged ports open. Since there are no newer results I was hoping that there was a solution and therefore no more problems. I found an article that talked about application firewalling that could determine if the traffic was iiop or not, but, I can't find any other reference to that.

Russ...

Re: Corba Through a PIX Firewall

Hello russ,

I'm really not sure how this application will work, but NAT it seems is a considerable thing to consider. u should not do nat at any point.. one thing you can do is to do a "access-list deny any any log" at the end of your inside or outside interface and see what packets is the ASA exactly blocking and see if you can grant access to those ports...

i think the best guys to talk to are the application owners. with regards to the network level, we cant do much, and we will have to open/block whatever ports the application works.. if there are too many complication or too many UDP ports to open, i would prefer a IP any rule for this specific server, and get out of the issues :) this might anyway be your last resort..

Hope this helps.. all the best.. rate replies if found useful..

Raj

622
Views
0
Helpful
3
Replies