Solved

Opening ports for an app - not getting 2 way communication - I THINK!

Posted on 2004-10-13
4
200 Views
Last Modified: 2010-04-09
Ok -
Here's the deal.  I have an application hosted in my companies hosting center.  They are setup with a private network - separate from the rest of the company.  They have external address that are NAT'd to an internal network - 10.x.x.x

I'm not sure of the version - but i know it's a late model PIX that's being used as the firwall.

So- my application needs ports 20000 and 20001 open.  They have opened the ports.  (I can acutally test port 20000 by telneting to it - and it gives me access)

Now the app vendor is telling me that the firewall config needs to be "tweaked" possibly with filters to ensure that the outgoing packets can get back through the firewall.  I just want to run this by you to see if that makes sense.  My hosting guy says that they don't do any "egress filtering".

Does this make sense that I'll need to have him add a specific command to allow these ports to get back out?  I'm not sure of the exact command he's using now - but when I saw it it was something like allow ports range 20000 200001, etc...

Thanks,
0
Comment
Question by:fixxman
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 14

Accepted Solution

by:
chris_calabrese earned 63 total points
ID: 12302755
I'm guessing the app works by you sending stuff on 20000 and getting answers back on 20001.
Even if the vendor doesn't do egress filtering, you could still have problems in two places
o  Your own company's firewall might block the traffic because it doesn't know that the 20001 return traffic is associated with the call you made on 20000 and thinks this should be blocked
o  The NAT device (assuming the NAT isn't being done in the firewall) also might not know that the 20001 traffic is associated with the call you made on 20000 not know where to send it

Firewalls and NAT devices typically have special code to deal with well known things that do such "backward" connections (such as active-mode FTP and H.323 telephony).

It may be very difficult to get them to handle other applications that do such evilness.
0
 
LVL 1

Assisted Solution

by:JEEGO
JEEGO earned 62 total points
ID: 12309435
How about creating  a STATIC NAT statement on the PIX using a dedicated external IP address & the internal IP address of App Server. Then create an ACL for the port 20000 and port 20001.

If this works then your can replace the STATIC NAT with a STATIC PAT, and check for functionality.

Although I have not run into exactly the same problem, I have experienced something quite similar with a SSL VPN device we were using to publish certain inhouse applications.

let me know the results
0

Featured Post

What Is Transaction Monitoring and who needs it?

Synthetic Transaction Monitoring that you need for the day to day, which ensures your business website keeps running optimally, and that there is no downtime to impact your customer experience.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question