3270 apps not working after pix insertion

rpalacio
Level 1

hello,

My customer has the following:

users---6506---3640-----remote routers

The 6506 was also connected to the HQ, where the mainframe resides:

6506--------infrared--------HQ-----mainframe

With the above scenario, the 3270 applications from both the remote clients and the local users work perfectly.

THE PROBLEM:

With the insertion of a PIX between the 6506 and the 3640, 3270 no longer works at all:

users---6500---pix---3640------remote routers

THINGS DONE:

1. Permitted ip any any on the outside interface of the firewall.

2. nat 0 is configured.

3. No inside access-list (meaning everything is permitted).

Note: DLSw is configured on the 3640 and the 6500.

Any advice?

4 Replies

ehirsel
Level 6

The PIX can only process IP frames - it cannot act as a bridge and work only at OSI layer 2.

Ensure that TCP encapsulation is chosen in the DLSw config on both the 3640 and the 6500.

Also make sure that you have a static (inside,outside) for the inside router (the 6500), because with DLSw it may be that the outside router initiates the connection, and you still need the static in addition to the ACL on the outside interface to let the PIX pass the traffic through.

If you want the 3640 to see the 6500 as its IP address truly is, then try coding this:

static (inside,outside) 6500-ip 6500-ip netmask 255.255.255.255

This will work if your nat 0 statement is like this:

nat (inside) 0 0.0.0.0 0.0.0.0

If DLSw is set to use TCP encapsulation, then I would do the following:

Run the capture command on the inside interface and the outside interface - I assume that you are using PIX 6.2 or higher code. Let me know what you see in the captured frames.

I hope this helps.

Correction - you can use UDP as well as TCP encapsulation.

Also, if you are using DLSw+ version 2 with multicasting, then you will need to configure the PIX to participate in multicast traffic, unless you send it via a GRE tunnel between the 6500 and the 3640.

The static example I gave also may not work if nat (inside) 0 0.0.0.0 0.0.0.0 is also present.

You can do either of the following:

nat (inside) 0 user-subnet-summary summary-mask

static (inside,outside) 6500-ip 6500-ip netmask 255.255.255.255 - which will work if the 6500-ip is not in the summary (for example, users are on the 10/8 subnets but the 6500 IP is 192.168.1.4).

Or remove the nat and just code the static like so:

static (inside,outside) user-summary user-summary netmask summary-mask - which will work if the users and the 6500 have an address in the 10/8 range. Then do a clear xlate after the static is made and the nat disappears. Static overrides nat and global.
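The procedure ehirsel lays out (nat 0 for the user subnets, an identity static for the 6500's transit address, an outside ACL, clear xlate, then capture on both interfaces), written out as one complete PIX 6.x configuration for the topology in the question. This is an added example, not configuration posted by anyone in the thread. Every address is assumed: users in 10.0.0.0/8 behind the 6500 (as in ehirsel's example), the 6500 MSFC VLAN interface at 192.168.1.4, PIX inside 192.168.1.1, PIX outside 192.168.2.2 and the 3640 at 192.168.2.1; the interface names inside/outside are the PIX defaults. One deliberate change from what the original poster did: instead of permit ip any any on the outside interface, the ACL admits only the remote DLSw peer to the 6500's peer address on the DLSw TCP read/write ports 2065 and 2067, which is all a TCP-encapsulated peer needs. If the peers turn out to use UDP or DLSw+ v2 multicast, as ehirsel's correction notes, those flows need their own entries (and the multicast configuration) in addition.

```text
! --- PIX 6.x, assumed names and addresses (added example, not from the thread) ---
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address inside 192.168.1.1 255.255.255.0
ip address outside 192.168.2.2 255.255.255.0

! Return route for the user subnets behind the 6500, default toward the 3640
route inside 10.0.0.0 255.0.0.0 192.168.1.4 1
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1

! Option A from the thread: exempt the user subnets from NAT with nat 0 and
! give the 6500 transit address (which is NOT inside that summary) an identity
! static, so an inbound DLSw peer connection from the 3640 has a translation.
nat (inside) 0 10.0.0.0 255.0.0.0
static (inside,outside) 192.168.1.4 192.168.1.4 netmask 255.255.255.255

! Outside ACL: only the remote DLSw peer to the 6500 peer address on the
! DLSw TCP ports (2065 read, 2067 write). Replaces the thread's permit ip any any.
access-list dlsw-in permit tcp host 192.168.2.1 host 192.168.1.4 eq 2065
access-list dlsw-in permit tcp host 192.168.2.1 host 192.168.1.4 eq 2067
access-group dlsw-in in interface outside

! Drop stale translations after changing nat/static
clear xlate

! Troubleshooting step from the thread (PIX 6.2+): capture the peer traffic
! on both interfaces and compare what arrives with what leaves.
access-list dlsw-cap permit tcp host 192.168.1.4 host 192.168.2.1
access-list dlsw-cap permit tcp host 192.168.2.1 host 192.168.1.4
capture capin access-list dlsw-cap interface inside
capture capout access-list dlsw-cap interface outside
show capture capin
show capture capout

! --- Router side (assumed addresses): TCP encapsulation on both DLSw peers ---
! 6500 MSFC:
!   dlsw local-peer peer-id 192.168.1.4
!   dlsw remote-peer 0 tcp 192.168.2.1
! 3640:
!   dlsw local-peer peer-id 192.168.2.1
!   dlsw remote-peer 0 tcp 192.168.1.4
```

If the capture on the outside interface shows the 3640's SYN to port 2065 arriving but nothing appears on the inside capture, the translation or the ACL is the problem; if the frames appear on both sides but the peers never reach CONNECT, look at the router-side peer definitions rather than at the PIX.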

1. If you say 6500-ip, are you referring to the SC0 IP address?

2. Do you know how to enable the multicast you mention on the PIX?

I am referring to the MSFC or NFFC interface IP address on the VLAN that the PIX inside interface resides on. The sc0 address is for management purposes only; it is not used for transit traffic.

I assume that the PIX inside interface is connected to the 6500 and the outside interface connects to the 3640. What IP addresses did you use on the 3640 and 6500 before the PIX was put in place?

The PIX 6.3 documentation at www.cisco.com gives good information about enabling the multicast feature on the PIX.
