?
Solved

Opening ports for an app - not getting 2 way communication - I THINK!

Posted on 2004-10-13
4
Medium Priority
?
203 Views
Last Modified: 2010-04-09
Ok -
Here's the deal.  I have an application hosted in my companies hosting center.  They are setup with a private network - separate from the rest of the company.  They have external address that are NAT'd to an internal network - 10.x.x.x

I'm not sure of the version - but i know it's a late model PIX that's being used as the firwall.

So- my application needs ports 20000 and 20001 open.  They have opened the ports.  (I can acutally test port 20000 by telneting to it - and it gives me access)

Now the app vendor is telling me that the firewall config needs to be "tweaked" possibly with filters to ensure that the outgoing packets can get back through the firewall.  I just want to run this by you to see if that makes sense.  My hosting guy says that they don't do any "egress filtering".

Does this make sense that I'll need to have him add a specific command to allow these ports to get back out?  I'm not sure of the exact command he's using now - but when I saw it it was something like allow ports range 20000 200001, etc...

Thanks,
0
Comment
Question by:fixxman
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 14

Accepted Solution

by:
chris_calabrese earned 252 total points
ID: 12302755
I'm guessing the app works by you sending stuff on 20000 and getting answers back on 20001.
Even if the vendor doesn't do egress filtering, you could still have problems in two places
o  Your own company's firewall might block the traffic because it doesn't know that the 20001 return traffic is associated with the call you made on 20000 and thinks this should be blocked
o  The NAT device (assuming the NAT isn't being done in the firewall) also might not know that the 20001 traffic is associated with the call you made on 20000 not know where to send it

Firewalls and NAT devices typically have special code to deal with well known things that do such "backward" connections (such as active-mode FTP and H.323 telephony).

It may be very difficult to get them to handle other applications that do such evilness.
0
 
LVL 1

Assisted Solution

by:JEEGO
JEEGO earned 248 total points
ID: 12309435
How about creating  a STATIC NAT statement on the PIX using a dedicated external IP address & the internal IP address of App Server. Then create an ACL for the port 20000 and port 20001.

If this works then your can replace the STATIC NAT with a STATIC PAT, and check for functionality.

Although I have not run into exactly the same problem, I have experienced something quite similar with a SSL VPN device we were using to publish certain inhouse applications.

let me know the results
0

Featured Post

Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…
In this video, Percona Solution Engineer Dimitri Vanoverbeke discusses why you want to use at least three nodes in a database cluster. To discuss how Percona Consulting can help with your design and architecture needs for your database and infras…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question