New Member

Allowing GE Invision nuclear medicine application.

GE has a new version of its INVISION radiology imaging system. The app runs on Linux and I cannot get it through our PIX 525 with 6.0.4 code. Has anyone out there successfully passed this traffic? The common ports for the TCP connections are 2000, 2010, 2020, and 2220.

Thanks,

Patrick

4 REPLIES

Re: Allowing GE Invision nuclear medicine application.

Quick questions:

Are the packets unicast?

Is the server on the dmz or internal, where are the clients also?

Can you post the relevant configs (eg statics, acls, nats, globals etc)?

Steve

New Member

Re: Allowing GE Invision nuclear medicine application.

The server is located inside. The client or partner server is on the outside. The inside machine, 110, uses a static NAT to retain its public address. The outside machine, 109, also uses a public address that has a conduit to allow all IP traffic inside. The standard fixup is implemented. The packets are unicast. I hesitate to post the config for security reasons.

Re: Allowing GE Invision nuclear medicine application.

If the inside server initiates the connections, you only need a nat to allow the access.

If the partner server initiates the connections, you need a static, nat, and access-list.

e.g.

! Exempt the server from NAT either by address...
nat (inside) 0 x.x.x.x 255.255.255.255
! ...or by access-list (y.y.y.y is your partner server; "any" can replace "host y.y.y.y")
access-list no-nat permit ip host x.x.x.x host y.y.y.y
nat (inside) 0 access-list no-nat

! One-to-one static so the server keeps its public address in both directions
static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255

! "eq" takes a single port, so one line per application port (ports as listed in the question)
access-list 101 permit tcp host y.y.y.y host x.x.x.x eq 2000
access-list 101 permit tcp host y.y.y.y host x.x.x.x eq 2010
access-list 101 permit tcp host y.y.y.y host x.x.x.x eq 2020
access-list 101 permit tcp host y.y.y.y host x.x.x.x eq 2220

access-group 101 in interface outside

Steve
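The static/nat 0/access-list pattern Steve describes, written out as a complete PIX 6.x fragment with the verification commands a practitioner would run afterwards. This is an added example, not configuration from the thread or from GE; every address is a constructed placeholder (192.168.1.110 for the inside server, 203.0.113.10 for the public address the static keeps, 198.51.100.109 for the partner server), and the ACL name "no-nat" and number 101 are simply carried over from Steve's reply.

```cisco
! Added example (not from the thread). Placeholder addresses:
!   192.168.1.110   inside Invision server (real address)
!   203.0.113.10    its public address, preserved 1:1 by the static
!   198.51.100.109  partner server on the outside
!
! 1. Keep the server's public address unchanged in both directions.
static (inside,outside) 203.0.113.10 192.168.1.110 netmask 255.255.255.255
!
! 2. Exempt server<->partner traffic from dynamic NAT so outbound sessions
!    leave with the same public address the static publishes.
access-list no-nat permit ip host 192.168.1.110 host 198.51.100.109
nat (inside) 0 access-list no-nat
!
! 3. Inbound: permit only the partner server to the four application ports.
!    PIX 6.x "eq" matches a single port, hence one entry per port.
access-list 101 permit tcp host 198.51.100.109 host 203.0.113.10 eq 2000
access-list 101 permit tcp host 198.51.100.109 host 203.0.113.10 eq 2010
access-list 101 permit tcp host 198.51.100.109 host 203.0.113.10 eq 2020
access-list 101 permit tcp host 198.51.100.109 host 203.0.113.10 eq 2220
access-group 101 in interface outside
!
! 4. Translation slots built under the old nat/static are not rebuilt
!    automatically; clear them after changing the static or nat 0 lines.
clear xlate
!
! 5. Verification once the partner connects:
! show xlate            the static shows as a fixed translation for 192.168.1.110
! show conn             sessions to 203.0.113.10 on 2000/2010/2020/2220
! show access-list 101  hit counts increase on the matching entries
! show fixup            lists the inspection engines and the ports they are
!                       bound to; 6.x enables several by default
```

One thing worth checking in this situation: when the sniffer shows the three-way handshake completing but the application still fails, the firewall is passing the connection but may be altering what goes through it. `show fixup` tells you whether one of the default inspection engines is bound to a port this application happens to use; if so, that is the first setting to look at, because an inspection engine parsing a protocol it was not written for can modify or drop payload mid-session.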

New Member

Re: Allowing GE Invision nuclear medicine application.

We have one-way communication from the inside out. The outside-in communication is broken and I have no restrictions on traffic from the network the outside server 109 resides on. Sniffer traces of the communication show successful syn, ack, and synacks taking place. But the application will not work unless they are outside the firewall. A packet debug of the PIX for the source and destination turned up nothing except that the interfaces saw the packets or at least some of the packets. We have hundreds of machines including two mainframes and netbeui traffic accessing resources from these same subnets in both directions.
