
IBM Mainframe access behind FWSM

Hello,

The users are accessing the IBM mainframe via a Microsoft proxy server. The URL to access the contents is http://10.10.10.10/sdhtml/tn3270.htm.

When the users move behind the FWSM, they can get only the authentication page, and after that a blank page appears instead of the CLI of the mainframe.

Is there any configuration that needs to be done on the FWSM? Right now the firewall is configured with static identity NAT between all the higher to lower security interfaces.

static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

with an ACL on all interfaces with full ip any any access.

Thanks

Sami

2 REPLIES

Re: IBM Mainframe access behind FWSM

Hi Sami,

What exactly is supposed to happen after the user successfully authenticates? Is the CLI displayed over the same TCP/80 connection? Or does this information arrive on a child connection on a different port? If so, how do we determine this port (i.e. is it static/consistent or do we negotiate it over the TCP/80 session)?

Also, do you see any syslogs being generated when a user tries to connect to the CLI?

-Mike

Re: IBM Mainframe access behind FWSM

Most probably the mainframe app was written without stateful firewalls in mind. Therefore, as Robert pointed out, most probably it's opening a secondary connection from server to client after the 'initial' connection. One way would be to connect in the same subnet as the mainframe (without the firewall in the path) and observe the connections opened between the client/server. You could also use a packet sniffer to better analyze the flow.

Regards

Farrukh
