DLSW and Firewall

hernan-g
Level 1

Good day;

Can I configure DLSw over a PIX firewall?

Which port do I need to open in the PIX?

What IOS does the PIX need?

Thank you very much

h

Accepted Solution

mbinzer
Cisco Employee

Hi,

yes, you can use DLSw through a firewall.

For a standard DLSw version 1 peer (RFC 1795), the destination TCP port is 2065.

DLSw version 1 is the default for Cisco routers.

Cisco routers use a port number above 11000 as the local TCP port.

If you need priority peers, then you additionally need to open TCP ports 1981, 1982 and 1983.

On top of that you need to consider a couple of extra steps.

Cisco DLSw by default transmits some messages, i.e. CANUREACH and ICANREACH, via UDP. The UDP destination port is 2067, but we use port number 0 as the source port. Some firewalls don't like this. In that case, configure on the Cisco router running DLSw:

dlsw udp-disable

and then all traffic will run through the TCP session.

Thanks...

Matthias

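
A worked configuration for the port list in the accepted answer, added here as an example; it is not part of either post and not Cisco's own documentation. Everything specific in it is assumed: the inside DLSw router is 10.192.0.1, the remote DLSw peer reached through the PIX is 10.103.0.1, the PIX interfaces are named inside and outside, the access-list name dlsw_in is made up, and the firewall syntax is the PIX 6.x access-list/access-group form mentioned in the second reply. The inside router is given an identity static so the addresses in the access-list are the same as on the router.

```text
! --- Cisco router running DLSw, inside the PIX (hypothetical addresses) ---
dlsw local-peer peer-id 10.192.0.1
! Remote peer as seen from the inside. Add the "priority" keyword only if you
! need priority peers; that also requires TCP 1981-1983 through the firewall.
dlsw remote-peer 0 tcp 10.103.0.1
! Carry CANUREACH/ICANREACH over the TCP session instead of UDP 2067 with
! source port 0, so the firewall never sees the port-0 datagrams at all.
dlsw udp-disable

! --- PIX 6.x (hypothetical names and addresses) ---
! Identity static: the inside router keeps its address toward the outside,
! which is what lets the outside peer open a connection to it.
static (inside,outside) 10.192.0.1 10.192.0.1 netmask 255.255.255.255
! DLSw v1 peer connection (RFC 1795). The router's source port is above
! 11000 and is not fixed, so only the destination port is pinned.
access-list dlsw_in permit tcp host 10.103.0.1 host 10.192.0.1 eq 2065
! Only needed for priority peers.
access-list dlsw_in permit tcp host 10.103.0.1 host 10.192.0.1 range 1981 1983
! Only needed if "dlsw udp-disable" is NOT configured on the peers; the
! datagrams arrive with UDP source port 0, which a PIX may still drop.
access-list dlsw_in permit udp host 10.103.0.1 host 10.192.0.1 eq 2067
access-group dlsw_in in interface outside
```

Two points on this layout. First, a DLSw v1 peer on a Cisco router attempts its own TCP connection to the other side's port 2065 unless its remote-peer statement carries the `passive` keyword; if only the inside router initiates, the PIX connection table handles the return traffic and the inbound TCP 2065 line is not exercised, but with both sides initiating it is required. Second, with `dlsw udp-disable` on both peers the UDP 2067 line can be left out entirely, which is the cleaner choice: a rule that must match source port 0 is exactly the kind of thing a stateful firewall handles inconsistently, as the replies here describe.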

2 Replies

bellefontainea
Level 1

I have done this on a PIX 515 with IOS 6.1(4).

I had a lower version originally and had to upgrade due to the broadcast on port 0.

But traditionally DLSw+ uses port 2065.

I also had issues with NAT. The way I understand it, DLSw with Cisco works such that the higher IP address takes over control. My issue was that the IP I had to reach was really a 172. network but NAT'd through the firewall as a 10.103 network. The IP on the inside was a 10.192. So the 10.192 thought it was higher than the 10.103, and the 172. IP thought it was higher than the 10.192.

Hope this helps - good luck.