Cisco Support Community

New Member

DLSW and Firewall

Good Day;

Can I configure DLSw over a PIX firewall?

Which port do I need to open in the PIX?

What IOS does the PIX need?

Thank You very much

h

1 ACCEPTED SOLUTION

Cisco Employee

Re: DLSW and Firewall

Hi,

Yes, you can use DLSw through a firewall.

For a standard DLSw version 1 peer (RFC 1795), the destination TCP port is 2065.

DLSw version 1 is the default for Cisco routers.

Cisco routers use a port number above 11000 as the local TCP port.

If you need priority peers, then you additionally need to open TCP ports 1981, 1982 and 1983.

On top of that you need to consider a couple of extra steps.

Cisco DLSw by default transmits some messages, i.e. CANUREACH and ICANREACH, via UDP. The UDP destination port is 2067, but we use port number 0 as the source port. Some firewalls don't like this. In that case, configure on the Cisco router running DLSw:

dlsw udp-disable

and then all traffic will run through the TCP session.

thanks...

Matthias
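
As an added example (not part of either reply), this is how the ports listed above map onto a PIX 6.x access list plus the matching DLSw configuration on the inside router. The interface names, the ACL name dlsw_in, and the peer addresses 192.0.2.10 (remote, outside) and 10.1.1.1 (local, inside) are assumed values for illustration.

```cisco
! --- PIX 6.x: permit inbound DLSw from the remote peer to the inside peer ---
! Constructed addresses: 192.0.2.10 = remote (outside) peer, 10.1.1.1 = local (inside) peer.
! If NAT is in use, the ACL must name the global (translated) address the
! outside peer actually sees, not the inside address.
! The remote side picks a local port above 11000, so the source port is left open.
access-list dlsw_in permit tcp host 192.0.2.10 host 10.1.1.1 eq 2065
! Only needed for priority peers: the three additional TCP sessions
access-list dlsw_in permit tcp host 192.0.2.10 host 10.1.1.1 range 1981 1983
! Deliberately no "permit udp ... eq 2067": the explorer packets use source
! port 0, which a strict firewall drops, so the router is told below to carry
! CANUREACH/ICANREACH inside the TCP session instead.
access-group dlsw_in in interface outside

! --- IOS router running DLSw on the inside ---
dlsw local-peer peer-id 10.1.1.1
dlsw remote-peer 0 tcp 192.0.2.10
! Disable the UDP transport (dst 2067, src 0) so everything rides the TCP peer session
dlsw udp-disable
```

Outbound connections from the inside router to the remote peer are permitted by the PIX's default higher-to-lower security policy, so only the inbound direction needs the access list.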

2 REPLIES
New Member

Re: DLSW and Firewall

I have done this on a PIX 515 with IOS 6.1(4).

I had a lower version originally and had to upgrade due to the broadcast on port 0.

But traditionally DLSw+ uses port 2065.

I also had issues with NAT. The way I understand that DLSw works with Cisco is that the higher IP address takes over the control. My issue was that the IP I had to reach was really a 172. network but NAT'd through the firewall as a 10.103 network. The IP on the inside was a 10.192. So the 10.192. thought he was higher than the 10.103, and the 172. IP thought he was higher than the 10.192.

Hope this helps - good luck.
