


OK, Let's dig in here.

Universal Connection is an outbound link established by the iSeries to IBM. It is a VPN connection. As such it needs to pass outbound several things to IBM. This is usually not a problem because by default if there is a NAT then the PIX will let the traffic flow outbound. IBM will need to be able to get in on Port 500 for the udp protocol as well as on the esp protocol. As you suspect your iSeries will need a dedicated NAT address (Static NAT in the PIX) because any port translations will break the VPN link. As you already found out remapping those ports directly to the iSeries broke your PIX VPN. This is because the PIX uses its own external address for VPN connections. So in a nutshell these four lines need to be somewhere in your PIX:


First I give the IBM server a name so I don't have to type the address:


"name 207.25.252.196 IBMsrv"

Next associate the internal and external IPs for your iSeries.
Note that 'insidenetworkname' varies based on your PIX config. In a simple PIX it will be 'inside'.
Note that outside_ip_address and inside_ip_address must be replaced with IP addresses.


"static (insidenetworkname,outside) outside_ip_address inside_ip_address netmask 255.255.255.255 0 0"

And finally allow the proper inbound traffic to your iSeries.

"conduit permit esp host outside_ip_address host IBMsrv"
"conduit permit udp host outside_ip_address eq isakmp host IBMsrv"

Your PIX administrator will want to remove the maps that broke your VPN.

Good Luck!

- Larry

ps: Looks like I need to raise my rate!

Jeff Crosby wrote:

I don't know how a little company like ours gets on the bleeding edge of _anything_ but here we go again.

We spent many months getting the IBM Universal Connection ("UC") working. Had an open call with Rochester and talked many times to "Shawn" who was, and still is, extremely helpful. The IUC was fairly new, our setup wasn't directly addressed, but after some real improvements on IBM's part, we got it going.

We recently installed a Cisco PIX firewall, also using it for VPN. Worked great. I can VPN in from home from the laptop or desktop via the Cisco VPN Client and can see the LAN, etc, etc, etc. But at that point the UC quit working. That was because IBM did not yet have the ability to do a direct connect through a firewall.

Now they do. The Router Guy came in, redirected a couple ports per IBM instructions, and lo and behold, the UC now works. And immediately, I could no longer connect via the VPN Client.

What is happening is one of the redirected ports is IPSEC. The PIX is waiting for that piece of the transaction, but it has already forwarded it to the iSeries, so it never completes the VPN connection. (As I understand it. I know only enough to be dangerous in this area.)

I called Rochester and talked to Shawn. He indicated there would probably be no Knowledge Base Docs as this is too new (Oh thanks. <g>) He offered 2 suggestions for the PIX config: 1) Treat incoming and outgoing differently as the UC connections originate in the iSeries while VPN Client connections originate from outside, or 2) redirect those ports mentioned earlier to the iSeries _only_ if the incoming traffic is from IBM Boulder. He thought option 2 was better.

I'm posting this because the Router Guy costs $125/hr in 15-minute increments and I'd like to have something to suggest to him before he starts. <g> Anybody already done this?

Thanks.


--
Larry Bolhuis
Vice President
Arbor Solutions, Inc.
1345 Monroe NW Suite 259
Grand Rapids, MI 49505
(616) 451-2500
(616) 451-2571 - Fax
(616) 260-4746 - Cell
(And Cisco guy!)

IBM eServer Certified Systems Expert:
iSeries Technical Solutions V5R2
iSeries LPAR Technical Solutions V5R2
iSeries Linux Technical Solutions V5R2
iSeries Windows Integration Technical Solutions V5R2
IBM eServer Certified Systems Specialist
iSeries System Administrator for OS/400 V5R2
AS/400 RPG IV Developer
iSeries System Command Operations V5R2
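Putting the four lines from the message above together with concrete values, as an added example that is not part of Larry's message nor of any IBM or Cisco document: the iSeries' public address 203.0.113.10, its internal address 10.1.1.20, the interface name inside and the access-list name outside_in are assumptions; 207.25.252.196 (IBMsrv) is the address from the message. The block is PIX 6.x syntax. The access-list form is the equivalent of the two conduits; on PIX 6.x an access-group bound to the outside interface overrides conduits on that interface, so use one form or the other, not both. The show commands at the end are the checks to run after the change.

```text
! Constructed example of the PIX config Larry describes (PIX 6.x syntax).
! 203.0.113.10, 10.1.1.20, 'inside' and 'outside_in' are assumptions.
names
name 207.25.252.196 IBMsrv

! One-to-one (static) NAT for the iSeries, with no port translation: ESP
! carries no port numbers, so PAT cannot tell the iSeries' tunnel apart from
! the PIX's own, and the PIX must keep its own outside address as the
! endpoint for the Cisco VPN Client sessions it terminates itself.
static (inside,outside) 203.0.113.10 10.1.1.20 netmask 255.255.255.255 0 0

! Let only IBM's server reach the iSeries' public address on IKE (UDP 500)
! and ESP. Traffic arriving at the PIX's own outside address is untouched,
! so the VPN Client keeps working.
conduit permit esp host 203.0.113.10 host IBMsrv
conduit permit udp host 203.0.113.10 eq isakmp host IBMsrv

! Equivalent using an access list. Binding it to the outside interface
! overrides conduits there, so use this form OR the conduits above.
access-list outside_in permit esp host IBMsrv host 203.0.113.10
access-list outside_in permit udp host IBMsrv eq isakmp host 203.0.113.10 eq isakmp
access-group outside_in in interface outside

! Remove the earlier port redirections that pointed the PIX's own outside
! address at the iSeries; the exact 'no static ...' lines depend on what was
! added, so check 'show static' for entries that name the interface address.

! Checks: the one-to-one translation exists, the conduit/ACL hit counts rise
! when UC connects, and the PIX's own IKE peers are still listed.
show static
show conduit
show access-list outside_in
show xlate
show isakmp sa
```

The security point of the layout is that the iSeries gets its own public address and only IBM's server may talk IKE and ESP to it, while the firewall's own address remains exclusively the endpoint for the VPN Client. This is Shawn's option 2 from the quoted message: the inbound permit is keyed on the source being IBM, so nothing else on the Internet can reach the iSeries' IKE port, and no redirect is placed on the PIX's own address.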






This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].