09-17-2005 11:53 PM - edited 02-21-2020 12:24 AM
Hi. I am helping out someone with network consultancy. We have come across a scenario where the PIX outside, inside and DMZ interfaces are all connected to one common 3512 Layer 2 switch which has only the default VLAN. Strange! But when we investigated further, they said that a couple of years back it was designed this way because they have an IBM server in the DMZ which uses SNA traffic for communication. SNA traffic does not route through the PIX directly because it's a non-routable protocol. Is anyone aware of this kind of scenario? Is there any fixup or any possible way to send the SNA traffic through the PIX directly without using a Layer 2 medium for communication? We have suggested that they create VLANs on the switch and configure bridge-groups between them to avoid the broadcasts on the switch. This is our solution for now to avoid all the loops and congestion on their network caused by the bad design. We would prefer to remove the L2 switch and allow all the connections directly through the PIX if we could find a solution for routing SNA traffic through the PIX. Any advice?
Thanks & Regards
Kevin.
09-18-2005 03:53 PM
SNA is not IP unless you're using DLSw/STUN, and then you can put this link outside the firewall. However, serial links from the router may have to be connected directly to the IBM server.
Thanks.
09-20-2005 04:25 AM
Hi Rais,
Thanks for your reply.
Is the method that you suggested the best and most secure design with respect to IBM SNA traffic, or are there any other design options as well?
Rgds
Kevin
09-21-2005 05:15 AM
Hi Rais,
In the setup we are doing DLSw peering on our Cisco 3640 router; the config is as follows:
! Virtual ring 100 ties the bridging and DLSw pieces together
source-bridge ring-group 100
! SR/TLB: connect transparent bridge group 5 to ring group 100 (pseudo-ring 14, bridge number 1)
source-bridge transparent 100 14 1 5
! This router's DLSw peer address (used as the source of the TCP peer sessions)
dlsw local-peer peer-id 10.2.24.1
! Remote peers reached over TCP encapsulation; ring list 0 = all rings
dlsw remote-peer 0 tcp 10.10.254.22
dlsw remote-peer 0 tcp 10.10.254.9
! Hand frames from bridge group 5 (the Ethernet side) to DLSw
dlsw bridge-group 5
and this router is connected to a PIX 515 (Unrestricted License). Is there any way to pass this SNA/DLSw traffic through the PIX?
Thanks
Kevin
09-21-2005 05:42 AM
If the router terminating the DLSw can be put behind the firewall, then yes. You have to open up TCP port 2067.
Thanks.
09-21-2005 06:52 PM
Kevin
The configuration that you have here will encapsulate the SNA in an IP packet. Your config specifies to use TCP encapsulation. By default, DLSw uses TCP port 2065 for TCP encapsulation. So after the router does its DLSw thing, the PIX should only see IP packets with TCP port 2065 and will not see SNA.
So on your PIX, make sure that there are rules that permit traffic with a source address of 10.2.24.1, a destination address of 10.10.254.22 or 10.10.254.9, and a TCP destination port of 2065. You would also need to be sure that the PIX will permit the return traffic.
HTH
Rick
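The PIX rules that Rais (open the DLSw TCP port) and Rick (permit 10.2.24.1 to each remote peer on TCP 2065, and make sure the return traffic is allowed) describe, written out as an added PIX 6.x configuration example. This is not config from the thread or from Cisco documentation; it assumes the 3640 (10.2.24.1) sits on the "inside" interface, the remote peers 10.10.254.22 and 10.10.254.9 are reached via "outside", the peer addresses are not translated, and the access-list names are arbitrary. Because the SNA frames ride inside an ordinary TCP stream, no fixup is involved; the firewall only has to permit the peer session. The port is 2065 as Rick states for Cisco DLSw+ defaults; if the peers are configured for 2067 as Rais mentions, change the port in the rules.

```cisco
! Added example, not from the original thread. Assumptions: interface names
! "inside" and "outside", no address translation for the DLSw peers, arbitrary
! access-list names. Merge these lines into whatever access-lists already exist.
!
! Keep the local peer address unchanged across the PIX. The remote routers have
! "dlsw remote-peer 0 tcp 10.2.24.1" pointing at this address, so it must not be
! translated. An identity static also allows sessions initiated from outside.
static (inside,outside) 10.2.24.1 10.2.24.1 netmask 255.255.255.255
!
! Outbound: the 3640 opens TCP 2065 to each remote peer. Permit only the two
! peers; the access-list's implicit deny blocks anything else.
access-list inside_out permit tcp host 10.2.24.1 host 10.10.254.22 eq 2065
access-list inside_out permit tcp host 10.2.24.1 host 10.10.254.9 eq 2065
access-group inside_out in interface inside
!
! Return traffic for a session opened from inside is allowed by the PIX's
! stateful connection table and needs no rule. The inbound list below is only
! needed if the remote peers may initiate the TCP session themselves (assumed
! here, since both ends carry remote-peer statements).
access-list outside_in permit tcp host 10.10.254.22 host 10.2.24.1 eq 2065
access-list outside_in permit tcp host 10.10.254.9 host 10.2.24.1 eq 2065
access-group outside_in in interface outside
```

After the peers come up, `show conn` on the PIX should list one TCP session per remote peer on port 2065 and nothing else between those hosts, and `show dlsw peers` on the 3640 should show both peers in CONNECT state. If the peering stays in DISCONN while `show access-list` hit counts on the PIX stay at zero, the session is not reaching the PIX at all, which usually points at routing rather than at the rules above.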