Hi. I am helping out someone with network consultancy. We have come across a scenario where the PIX outside, inside and DMZ interfaces are all connected to one common 3512 Layer 2 switch which has only the default VLAN. Strange! But when we investigated further, they said that a couple of years back it was designed this way because they have an IBM server in the DMZ which uses SNA traffic for communication. SNA traffic does not route through the PIX directly because it's a non-routable protocol. Is anyone aware of this kind of scenario? Is there any fixup or any possible way to send the SNA traffic through the PIX directly without using a Layer 2 medium for communication? We have suggested that they create VLANs on the switch and configure bridge groups between them to avoid the broadcasts on the switch. This is our solution for now to avoid all the loops and congestion on their network caused by the bad design. We would prefer to remove the L2 switch and allow all the connections directly through the PIX if we could find a solution for routing SNA traffic through the PIX. Any advice?
The configuration that you have here will encapsulate the SNA in an IP packet. Your config specifies TCP encapsulation. By default DLSw uses port 2065 for TCP encapsulation. So after the router does its DLSw thing, the PIX should only see IP packets with TCP port 2065 and will not see SNA.
So on your PIX, make sure that there are rules that permit traffic with a source address of 10.2.24.1, a destination address of 10.10.254.22 or 10.10.254.9, and a TCP destination port of 2065. You would also need to be sure that the PIX will permit return traffic.
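As an added illustration of the rules described in the answer above (this is not from the original thread), here is what the PIX 6.x configuration would look like. It assumes the DLSw router 10.2.24.1 sits behind an interface named "dmz" and that its DLSw peers 10.10.254.22 and 10.10.254.9 are reached through the interface named "inside"; the interface names, the ACL name and the direction of the first connection are assumptions, since the original router config is not shown here.

```text
! Added example, not from the original thread. PIX 6.x syntax.
! Assumed: DLSw router 10.2.24.1 is on interface "dmz", its peers
! 10.10.254.22 / 10.10.254.9 are on interface "inside".

! dmz has a lower security level than inside, so a connection from dmz
! toward inside needs both a static translation and an inbound ACL.
static (inside,dmz) 10.10.254.22 10.10.254.22 netmask 255.255.255.255
static (inside,dmz) 10.10.254.9  10.10.254.9  netmask 255.255.255.255

! Only the DLSw TCP port (2065) from the DLSw router to its two peers.
access-list dmz_in permit tcp host 10.2.24.1 host 10.10.254.22 eq 2065
access-list dmz_in permit tcp host 10.2.24.1 host 10.10.254.9  eq 2065
access-group dmz_in in interface dmz

! Return traffic: the PIX keeps TCP connection state, so the replies from
! 10.10.254.x back to 10.2.24.1 are allowed through the existing connection
! without a separate ACL entry.

! Verify that the rule is actually matched and that the peer session is up:
! show access-list dmz_in        (hit counts on the two lines above)
! show conn | include 2065       (established DLSw TCP connection)
```

One caveat for Cisco DLSw+ peers: each side initially attempts a TCP connection to the other side's port 2065, and one of the two connections is torn down after the capabilities exchange. If the peers at 10.10.254.x also open connections toward 10.2.24.1, the inside-to-dmz direction must be permitted too (by default the PIX allows connections from the higher-security inside interface outward, unless an inbound ACL on "inside" restricts it). Also, if the remote-peer is configured with DLSw+ priority, ports 1981, 1982 and 1983 are used in addition to 2065 and would need matching entries.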
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...