IBM mainframe access behind FWSM

arumugasamy
Level 1

Hello,

The users are accessing the IBM mainframe via a Microsoft proxy server. The URL to access the contents is http://10.10.10.10/sdhtml/tn3270.htm.

When the users move behind the FWSM, they get only the authentication page, and after that a blank page appears instead of the CLI of the mainframe.

Is there any configuration that needs to be done on the FWSM? Right now the firewall is configured with static identity NAT between all the higher- to lower-security interfaces.

static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

with an ACL on all interfaces with full ip any any access.

Thanks

Sami

2 Replies

Hi Sami,

What exactly is supposed to happen after the user successfully authenticates? Is the CLI displayed over the same TCP/80 connection? Or does this information arrive on a child connection on a different port? If so, how do we determine this port (i.e. is it static/consistent or do we negotiate it over the TCP/80 session)?

Also, do you see any syslogs being generated when a user tries to connect to the CLI?

-Mike

Farrukh Haroon
VIP Alumni

Most probably the mainframe app was written without stateful firewalls in mind. Therefore, as Robert pointed out, most probably it's opening a secondary connection from server to client after the 'initial' connection. One way would be to connect in the same subnet as the mainframe (without the firewall in the path) and observe the connections opened between the client/server. You could also use a packet sniffer to better analyze the flow.

Regards

Farrukh
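
The capture analysis suggested in the replies above, as an added example that is not part of the thread: it reads `tcpdump -nn` text output taken without the firewall in the path and lists who opened each TCP connection and to which port. The client address 192.168.1.50, ports 8023 and 5000, and every packet line are constructed for illustration; only 10.10.10.10 and TCP/80 come from the posts.

```python
import re

# Text form printed by `tcpdump -nn` for IPv4 TCP packets.
PKT = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

# Constructed sample capture (not real traffic from the thread).
SAMPLE = """\
1.000001 IP 192.168.1.50.49152 > 10.10.10.10.80: Flags [S], seq 100, win 65535, length 0
1.000400 IP 10.10.10.10.80 > 192.168.1.50.49152: Flags [S.], seq 900, ack 101, win 65535, length 0
1.000500 IP 192.168.1.50.49152 > 10.10.10.10.80: Flags [.], ack 1, win 65535, length 0
2.100000 IP 192.168.1.50.49153 > 10.10.10.10.8023: Flags [S], seq 200, win 65535, length 0
2.100300 IP 10.10.10.10.8023 > 192.168.1.50.49153: Flags [S.], seq 300, ack 201, win 65535, length 0
3.500000 IP 10.10.10.10.33000 > 192.168.1.50.5000: Flags [S], seq 400, win 65535, length 0
3.500900 IP 10.10.10.10.33000 > 192.168.1.50.5000: Flags [S], seq 400, win 65535, length 0
""".splitlines()


def connection_opens(lines):
    """Unique (initiator, responder, dst_port) for each bare SYN, in capture order."""
    opens = []
    for line in lines:
        m = PKT.search(line)
        # "S" is a SYN without ACK: the side sending it opened the connection.
        # "S." (SYN-ACK) and later segments are replies and are skipped.
        if m and m["flags"] == "S":
            key = (m["src"], m["dst"], int(m["dport"]))
            if key not in opens:  # retransmitted SYNs count once
                opens.append(key)
    return opens


def classify(opens, client, server, known_port=80):
    """Label each opened connection relative to the known web session."""
    report = []
    for src, dst, dport in opens:
        if (src, dst, dport) == (client, server, known_port):
            kind = "primary"
        elif src == server and dst == client:
            kind = "server-initiated"
        else:
            kind = "secondary-client-to-server"
        report.append((kind, src, dst, dport))
    return report


if __name__ == "__main__":
    for row in classify(connection_opens(SAMPLE), "192.168.1.50", "10.10.10.10"):
        print(*row)
```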
