Solved

Opening ports for an app - not getting 2 way communication - I THINK!

Posted on 2004-10-13
4
199 Views
Last Modified: 2010-04-09
Ok -
Here's the deal.  I have an application hosted in my companies hosting center.  They are setup with a private network - separate from the rest of the company.  They have external address that are NAT'd to an internal network - 10.x.x.x

I'm not sure of the version - but i know it's a late model PIX that's being used as the firwall.

So- my application needs ports 20000 and 20001 open.  They have opened the ports.  (I can acutally test port 20000 by telneting to it - and it gives me access)

Now the app vendor is telling me that the firewall config needs to be "tweaked" possibly with filters to ensure that the outgoing packets can get back through the firewall.  I just want to run this by you to see if that makes sense.  My hosting guy says that they don't do any "egress filtering".

Does this make sense that I'll need to have him add a specific command to allow these ports to get back out?  I'm not sure of the exact command he's using now - but when I saw it it was something like allow ports range 20000 200001, etc...

Thanks,
0
Comment
Question by:fixxman
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 14

Accepted Solution

by:
chris_calabrese earned 63 total points
ID: 12302755
I'm guessing the app works by you sending stuff on 20000 and getting answers back on 20001.
Even if the vendor doesn't do egress filtering, you could still have problems in two places
o  Your own company's firewall might block the traffic because it doesn't know that the 20001 return traffic is associated with the call you made on 20000 and thinks this should be blocked
o  The NAT device (assuming the NAT isn't being done in the firewall) also might not know that the 20001 traffic is associated with the call you made on 20000 not know where to send it

Firewalls and NAT devices typically have special code to deal with well known things that do such "backward" connections (such as active-mode FTP and H.323 telephony).

It may be very difficult to get them to handle other applications that do such evilness.
0
 
LVL 1

Assisted Solution

by:JEEGO
JEEGO earned 62 total points
ID: 12309435
How about creating  a STATIC NAT statement on the PIX using a dedicated external IP address & the internal IP address of App Server. Then create an ACL for the port 20000 and port 20001.

If this works then your can replace the STATIC NAT with a STATIC PAT, and check for functionality.

Although I have not run into exactly the same problem, I have experienced something quite similar with a SSL VPN device we were using to publish certain inhouse applications.

let me know the results
0

Featured Post

Surfing Is Meant To Be Done Outdoors

Featuring its rugged IP67 compliant exterior and delivering broad, fast, and reliable Wi-Fi coverage, the AP322 is the ideal solution for the outdoors. Manage this AP with either a Firebox as a gateway controller, or with the Wi-Fi Cloud for an expanded set of management features

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question