Enterprise Extender across PIX

m.kojder
Level 1

Currently we have a Cisco PIX 535, with version 6.3(3) on it.

The scenario is as follows: We have a newly-installed IBM z990 host system that is running IBM's Enterprise Extender (EE). EE is basically IBM's HPR over IP. It allows SNA to be encapsulated in UDP packets. With the latest version, Sniffer traces are showing the addition of an 802.1q section in each packet that is being inserted to provide PriorityTosMapping. That section contains a VLAN ID of 0 and a User Priority of 7. The host and firewall are connected via a Cisco FastHub400.

Now to the problem - the PIX firewall does not seem to acknowledge these packets and does not pass them through to a lower security interface. UDP from other applications passes through freely. There is no access-list on outbound traffic. I debugged IP packets on the PIX interface and was unable to see these incoming UDPs from the host, but was able to see them with a Sniffer (showing the proper gateway MAC address of the PIX as a destination).

Is it possible to somehow configure the PIX to allow these UDP packets to pass through? Or does the PIX think this is a trunk packet and ignore it due to the 802.1q header...?

Anyone run into similar issues or have any thoughts?

Thanks.

2 Replies

mostiguy
Level 6

Were you using the capture ethernet-type 802.1q option? The command reference seems to imply that 802.1q packets will have the 802.1q tag skipped automagically, and go straight to the contents, so was there any chance that your capture access-list (if any) would not catch the resulting packets?

So the sniffer could see them on the cable the PIX has for its low-security interface that should receive them?

Do you have debug logging cranked up? Any IDS options configured on the PIX - could they be getting dropped because the PIX misidentifies them?

It is possible that these non-standard packets could be getting dropped.

As I suspected, the problem was the 802.1q header. I had our VTAM folks shut off the VLAN tagging and the problem went away - the traffic passed through no problem. Kind of an interesting problem though - I opened a ticket with Cisco last week and have yet to get any sort of definitive answer as to why it won't pass through - the evidence points to the PIX dropping the packet due to the tag.
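The frames in this thread are "priority-tagged": an 802.1Q header with VID 0 and PCP 7 sits in front of the IPv4 EtherType, so anything that reads the EtherType at byte offset 12 and expects 0x0800 sees 0x8100 instead. The parser below is an added example, not code from either poster or from Cisco; it walks a constructed frame, skips the tag when present, and checks whether the UDP destination falls in the 12000-12004 range that Enterprise Extender uses for HPR. The MAC and IP addresses are made up.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
# Enterprise Extender carries HPR over UDP 12000-12004 (signalling port
# plus one port per APPN transmission priority).
EE_UDP_PORTS = range(12000, 12005)

@dataclass
class FrameInfo:
    vlan_tagged: bool
    priority_tagged: bool          # 802.1Q tag present with VID 0 (priority only)
    pcp: Optional[int]
    vid: Optional[int]
    ethertype: int                 # EtherType after any 802.1Q tag is removed
    udp_dst_port: Optional[int]
    is_enterprise_extender: bool

def parse_frame(frame: bytes) -> FrameInfo:
    """Walk an Ethernet frame, skipping an 802.1Q tag if present, down to UDP."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    pcp = vid = None
    offset = 14                                    # start of the L3 header
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        pcp = tci >> 13                            # 3-bit user priority
        vid = tci & 0x0FFF                         # 12-bit VLAN ID (0 = priority-tagged)
        offset = 18                                # tag adds 4 bytes
    udp_dst = None
    if ethertype == ETHERTYPE_IPV4:
        ihl = (frame[offset] & 0x0F) * 4           # IPv4 header length in bytes
        if frame[offset + 9] == IPPROTO_UDP:       # protocol field
            udp_dst = struct.unpack_from("!H", frame, offset + ihl + 2)[0]
    return FrameInfo(
        vlan_tagged=pcp is not None, priority_tagged=(vid == 0),
        pcp=pcp, vid=vid, ethertype=ethertype, udp_dst_port=udp_dst,
        is_enterprise_extender=(udp_dst in EE_UDP_PORTS) if udp_dst is not None else False,
    )

def build_sample_frame(tagged: bool) -> bytes:
    """Constructed sample: UDP/IPv4 to EE port 12001, optionally tagged VID 0 / PCP 7."""
    eth = bytes.fromhex("00d0b7aabbcc") + bytes.fromhex("0200ddeeff01")   # constructed MACs
    if tagged:
        eth += struct.pack("!HH", TPID_8021Q, (7 << 13) | 0)                # PCP 7, DEI 0, VID 0
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    udp = struct.pack("!HHHH", 12001, 12001, 8 + 4, 0) + b"SNA!"            # checksum left 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 1, 20]))           # constructed IPs
    return eth + ip + udp
```

Running `parse_frame(build_sample_frame(True))` reports the tag, PCP 7, VID 0 and EE port 12001; a capture filter or firewall that matched only on the untagged layout would see an EtherType of 0x8100 and nothing it recognises behind it.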