
X-Ray images can't be browsed once Sectra PACS servers are placed behind firewall

ccie16351
Level 1

Hi,

To comply with the hospital's rules, we moved the Sectra PACS servers behind the ASA-5585 Data Center firewall.

The issue is, medical staff can't browse the images once PACS servers are behind the firewall.

 

The servers are pingable from workstations at the hospital campus, but browsing the x-ray images fails. Things get back to normal once the change is rolled back.

 

The firewall rules have been relaxed to allow IP traffic from the workstation we are using for testing to the PACS security zone.

 

Appreciate your input

 

Thanks

Sam

   

6 Replies 6

Hi,

If your ACL is permitting traffic OK, then perhaps traffic could be unintentionally NATted?

Can you provide the output of "show nat detail" and let us know the source and destination IP addresses.

Can you run packet-tracer from the CLI to simulate the traffic and provide the output for review?


HTH

 

Hi

There is no NAT; the firewall is DataCenter running software image 9.6. NAT is disabled by default.

 

Packet trace is not available. I did roll back; I may collect it on the next try, but ping is working.

Thanks

Can you provide the configuration of the ASA? And indicate the source and destination IP addresses of the devices in question.

Hi

Thank you so much for your interest. I have attached the ASA configuration. The x-ray servers (destination) are on the 172.16.34.0 network and the source is any IPv4 address coming from the hospital campus.

 

I am suspecting the IPS; it could be halting the traffic, or probably the MTU size, as x-ray (PACS) might require jumbo frames. Anyway, I am waiting for your assessment.

 

Thanks

 

 

 

 

The X-Ray server (destination) is residing on the OUTSIDE interface. Where are the source IP addresses coming from? You have to provide more information in a clearer format. We can't help you without having a clear understanding. We need more information to help you.

 

I am curious: if your destination is on the outside interface and your source IP addresses are behind the firewall, in that case you might need NAT/ACLs in place.

 

Looking into your configuration, "Interface Port-channel10.333 SZ_333" is in shutdown.

 

Can you show us the output of this command:

packet-tracer input OUTSIDE tcp 192.168.100.25 12345 172.16.34.52 443

*192.168.100.25 is your source IP address
Please do not forget to rate.

Hi 

The destination server looks as if it is in the Outside because I rolled back the change, until I figure out what the problem is.

 

Thanks

 

 
