Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

PIX and DCOM

am soliciting your input on a problem that we are having hoping that you may be able to assist. Currently we have a PIX with three interfaces Inside, Outside and DMZ. We have a web server sitting on the DMZ that is hosting an a site allowing users to access HR/Payroll information from a SQL server that sits inside our network. The web site application uses a DCOM interface to connect to the SQL server utilizing several TCP ports through the firewall. Our problem is because the DMZ security is set at 50 and the Inside interface is set at 100 we have to use static mappings from the DMZ to the inside interface. DCOM doesn’t support address translation going through a firewall, so the range of ports that the web server needs to establish a connection with never connect (ports 5000-5200). The way I understand it the reason is because DCOM uses the RAW IP address in it’s “marshaling” packets (???) and since PIX translates the address it cannot connect to the server by the RAW address. After talking to Cisco TAC, they showed me how to make the RAW address of the SQL server appear as the static mapping on the DMZ, thus allowing me to ping the RAW address from the DMZ. I thought this would solve my problems, but unfortunately it didn’t. I think DCOM not only uses the RAW IP address but it also uses the RAW MAC address. After installing a software sniffer on the web server, I found out that even though data is being transmitted between the DMZ and inside server the MAC addresses are different.. When I ping the inside server from the DMZ and watch the packets I notice that the MAC address that appears to be associated with the SQL server IP address is actually the MAC address of the DMZ interface on the PIX and not the NIC on the SQL server. Just as a test to make sure the web server can talk to the SQL server, I moved the web server inside my network and everything works fine.

1 REPLY
Community Member

Re: PIX and DCOM

If you're not using NAT and the PIX is proxy arping for the real server, yes, the mac address will change. If there is some form of marshalling on the packet at layer 2 and layer 3, you've probably only corrected layer 3. There is nothing on the PIX that will workaround this issue. You'll have to rethink the topology or talk to the DCOM vendor.

114
Views
0
Helpful
1
Replies
CreatePlease to create content