01-06-2004 08:38 AM
Good Day;
Can I configure DLSw over a PIX Firewall?
Which port do I need to open in the PIX?
What IOS does the PIX need?
Thank You very much
01-06-2004 10:34 AM
Hi,
Yes, you can use DLSw through a firewall.
For a standard DLSw version 1 peer (RFC 1795), the destination TCP port is 2065.
DLSw version 1 is the default for Cisco routers.
Cisco routers use a port number above 11000 as the local TCP port.
If you need priority peers, then you additionally need to open TCP ports 1981, 1982 and 1983.
On top of that you need to consider a couple of extra steps.
Cisco DLSw by default transmits some messages, i.e. canureach, icanreach, via UDP. The UDP destination port is 2067, but we use port number 0 as the source port. Some firewalls don't like this. In that case configure on the Cisco router running DLSw:
dlsw udp-disable
and then all traffic will run through the TCP session.
thanks...
Matthias
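The rule set described in this answer, written out as a PIX 6.x access list plus the matching router-side DLSw peer configuration. This is an added example, not configuration from the thread or from Cisco; all addresses are constructed placeholders (192.0.2.10 is the inside DLSw router, 198.51.100.10 its static NAT address on the outside, 203.0.113.5 the remote peer).

```text
! PIX 6.x side. Inbound rule set for the remote DLSw peer; inside-initiated
! sessions (high to low security) already pass without an explicit rule.
static (inside,outside) 198.51.100.10 192.0.2.10 netmask 255.255.255.255
! Standard DLSw v1 peer: destination TCP 2065, source port is ephemeral.
access-list dlsw_in permit tcp host 203.0.113.5 host 198.51.100.10 eq 2065
! Only needed when priority peers are configured on the routers.
access-list dlsw_in permit tcp host 203.0.113.5 host 198.51.100.10 range 1981 1983
! Deliberately no UDP 2067 rule: the routers are told below to keep the
! canureach/icanreach exchange inside the TCP session, so the source-port-0
! UDP datagrams never reach the firewall.
access-group dlsw_in in interface outside

! Inside DLSw router (Cisco IOS), same placeholder addresses.
dlsw local-peer peer-id 192.0.2.10
dlsw remote-peer 0 tcp 203.0.113.5
dlsw udp-disable
```

The remote router points its remote-peer statement at the translated address 198.51.100.10, and, as the later reply in this thread notes, NAT changes which address each peer believes is the higher one, so verify which of the two TCP connections survives before relying on the setup.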
01-20-2005 04:57 AM
I have done this on a PIX 515 with IOS 6.1(4).
I had a lower version originally and had to upgrade due to the broadcast on port 0.
But traditionally DLSW+ uses port 2065.
I also had issues with NAT'd addresses. The way I understand that DLSW works with Cisco is that the higher IP address takes over the control. My issue was that the IP I had to reach was really a 172. network but NAT'd through the firewall as a 10.103 network; the IP on the inside was a 10.192. So the 10.192. thought he was higher than the 10.103, and the 172. IP thought he was higher than the 10.192.
Hope this helps - good luck.