Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 208
  • Last Modified:

Opening ports for an app - not getting 2 way communication - I THINK!

Ok -
Here's the deal.  I have an application hosted in my companies hosting center.  They are setup with a private network - separate from the rest of the company.  They have external address that are NAT'd to an internal network - 10.x.x.x

I'm not sure of the version - but i know it's a late model PIX that's being used as the firwall.

So- my application needs ports 20000 and 20001 open.  They have opened the ports.  (I can acutally test port 20000 by telneting to it - and it gives me access)

Now the app vendor is telling me that the firewall config needs to be "tweaked" possibly with filters to ensure that the outgoing packets can get back through the firewall.  I just want to run this by you to see if that makes sense.  My hosting guy says that they don't do any "egress filtering".

Does this make sense that I'll need to have him add a specific command to allow these ports to get back out?  I'm not sure of the exact command he's using now - but when I saw it it was something like allow ports range 20000 200001, etc...

Thanks,
0
fixxman
Asked:
fixxman
2 Solutions
 
chris_calabreseCommented:
I'm guessing the app works by you sending stuff on 20000 and getting answers back on 20001.
Even if the vendor doesn't do egress filtering, you could still have problems in two places
o  Your own company's firewall might block the traffic because it doesn't know that the 20001 return traffic is associated with the call you made on 20000 and thinks this should be blocked
o  The NAT device (assuming the NAT isn't being done in the firewall) also might not know that the 20001 traffic is associated with the call you made on 20000 not know where to send it

Firewalls and NAT devices typically have special code to deal with well known things that do such "backward" connections (such as active-mode FTP and H.323 telephony).

It may be very difficult to get them to handle other applications that do such evilness.
0
 
JEEGOCommented:
How about creating  a STATIC NAT statement on the PIX using a dedicated external IP address & the internal IP address of App Server. Then create an ACL for the port 20000 and port 20001.

If this works then your can replace the STATIC NAT with a STATIC PAT, and check for functionality.

Although I have not run into exactly the same problem, I have experienced something quite similar with a SSL VPN device we were using to publish certain inhouse applications.

let me know the results
0

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now