Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
978
Views
0
Helpful
3
Replies

Corba Through a PIX Firewall

russell.haskins
Level 1
Level 1

‎04-26-2007 01:12 PM - edited ‎03-11-2019 03:05 AM

They are putting a PIX firewall between the test and production networks, but our client systems access Corba services on the servers which will be behind the firewall. So far they've come up with all non-priv ports permitted in and out! Can Cisco PIX filter (permit) Corba based on the IIOP protocol?

Thanks Russ

Labels:
0 Helpful
3 Replies 3

sachinraja
Level 9
Level 9

‎04-26-2007 07:30 PM

Hello russel,

I was just doing a google on your query, and found an important document

http://www-128.ibm.com/developerworks/ibm/library/it/it-1001art37/

One of the important things you need to consider when you have the IIOP clients on a different subnet is that "the IIOP does not work with NAT enabled". hence you need to disable nat, ie do a static on the same IP.

static (inside,outside) 10.1.1.1 10.1.1.1 netmask 255.255.255.255

Once you do this, you just need to have the required ACL's to allow IIOP protocol from a lower security to a higher security zone. the IIOP port numbers can be seen from the following URL:

http://www.networksorcery.com/enp/protocol/ip/ports00000.htm

So, get going .. if you have the correct NAT, ACL etc, this should ork fine...

Hope this helps.. all the best. rate replies if found useful..

Raj

0 Helpful

russell.haskins
Level 1
Level 1
In response to sachinraja

‎04-27-2007 07:22 AM

Raj,

Thanks for the reply.

They have the Well Known Ports open for us, it's that all of the non-privileged ports need to be open is the problem.

When the clients, outside the enclave contacts a server inside the enclave, the server starts a service which tries to come out of the enclave on an as yet undeterminable port. We tried to restrict the non-privileged ports used by the server services, but, it didn't work.

I have googled this extensively and have only found old (2002) responses, most mention needing all non-privileged ports open. Since there are no newer results I was hoping that there was a solution and therefore no more problems. I found an article that talked about application firewalling that could determine if the traffic was iiop or not, but, I can't find any other reference to that.

Russ...

0 Helpful

sachinraja
Level 9
Level 9
In response to russell.haskins

‎05-01-2007 01:49 AM

Hello russ,

I'm really not sure how this application will work, but NAT it seems is a considerable thing to consider. u should not do nat at any point.. one thing you can do is to do a "access-list deny any any log" at the end of your inside or outside interface and see what packets is the ASA exactly blocking and see if you can grant access to those ports...

i think the best guys to talk to are the application owners. with regards to the network level, we cant do much, and we will have to open/block whatever ports the application works.. if there are too many complication or too many UDP ports to open, i would prefer a IP any rule for this specific server, and get out of the issues :) this might anyway be your last resort..

Hope this helps.. all the best.. rate replies if found useful..

Raj

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card