



This looks like one of those choices between 'could' and 'should'. If that
Windows server running on the IXS card is truly acting as the firewall
between the i5 and the internet, it probably shouldn't be bypassed just to
maintain connectivity. Sure, you may keep connectivity working from the
outside to the inside for those times when the IXS drops (excuse me
there... if WINDOWS running on the IXS drops... IXSs are pretty darn
stable), but your i5 is going to be connected to the net without being
behind a firewall? You may end up with some more serious issues there than
what you are trying to fix... I wouldn't want to be explaining/defending
that setup if some type of attack or breach occurred. I think this is the
time to spend a few bucks setting a separate firewall up.

I love IXS setups, but the common drawback I've tended to see with using
them has to do with dependencies of what pieces of the puzzle are up at any
given time. This sounds like one of those times where the IXS isn't the
right choice to host a firewall that's protecting the i5 itself. Tough
situation!





From: Pat Barber <mboceanside@worldnet.att.net>
Sent by: midrange-l-bounces@xxxxxxxxxxxx
Date: 02/29/2008 02:43 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Subject: Re: LAN Configuration - Questions and an issue
Please respond to: Midrange Systems Technical Discussion <midrange-l@midrange.com>






This has a few hints and suggestions about a similar issue:

http://www-912.ibm.com/s_dir/slkbase.nsf/1ac66549a21402188625680b0002037e/6df081e85b81766c86257251005501a7?OpenDocument&Highlight=2,CONFIGURE,TWO,ETHERNET,LINES


Somewhere in the "knowledge base" are detailed instructions on using
the second ethernet line.
As always, I can't find them again but I remember reading and printing out
the instructions.

Pete Helgren wrote:

I have a customer that has an IXS running SBS 2003 that provides
firewall (and other) services to the internal network. This guy is
multi-homed (naturally) with a single external NIC and an internal NIC.
ISA 2004 manages proxy and firewalling. They have an i5 520 (power 5+)
running V5R4M0.

This works well but having a Windows machine between me and the internal
network is problematic since if it goes down (and it does go down) I
have no access to the internal network and therefore cannot get to the
System i to restart the IXS. So, we added more external IPs by
expanding the subnet and now I have 5 IP addresses I can assign to
various NICs so I can externally manage the System i. So far so good.

My idea was to assign one external IP to an unused Ethernet port (T5 on
the back of the 520). They currently use T6 as the NIC for internal
access to the System i.

So, a couple of questions:

1. How should I best configure *this* Ethernet port so that it is locked
down for only Telnet SSL? It will have an external IP so I do want to
lock it down. Currently we have secure telnet running internally and
externally (through port mapping in ISA2004 using the T6 Ethernet port).
2. Is there an alternate method for accessing the 520 externally that
would be more secure? They would need to be ports that I can assign
"externally" to bypass the ISA 2004 firewall.

The problem:

Based on what I see in WRKHDWRSC *CMN and looking in SST, it appears
that the communications line resource is CMN19 (T6 is CMN20, which seems
to confirm that I have the correct resource). When I create an Ethernet
line using this resource and vary it on I get:

Message . . . . :   Line ETHLINEBAK vary on failed.
Cause . . . . . :   The resource is already in use by object type . If the
  object name and type are blanks, either the resource is in use by the
  Dedicated Service Tools (DST), another client, or the data is not
  available.
Recovery  . . . :   Do one of the following:
  --Vary off the object using the resource with the Vary Configuration
  (VRYCFG) command.
  --Use the active line instead of line ETHLINEBAK, if this is a switched
  connection or a local area network connection. This can be done by
  changing the controller description for the remote system to include the
  active line in its SWTLINLST parameter.

As far as I can see, the resource is NOT in use by another line so I can
only assume that I am using the wrong resource. WRKHDWRSC shows this
for CMN19:

Resource name . . . . . . . : CMN19
Text . . . . . . . . . . . . : Ethernet Port
Type-model . . . . . . . . . : 5706-001
Serial number . . . . . . . : 00-53967EA
Part number . . . . . . . . : 39J4251

Location: U787F.001.DPM09V2-P1-T5

Logical address:
PCI bus:
System bus 4
System board 0
System card 36


Any ideas as to why I get an error on varying on the line?

Thanks,

Pete Helgren


