


It's hard to say without seeing the PIX setup. Once they get into VPN/IPSEC
things can get sort of hairy. 
I'd also offhand recommend option #2. I'm not sure if he can do it with a
static map or with the Established command. 

-----Original Message-----
From: Jeff Crosby [mailto:jlcrosby@xxxxxxxxxxxxxxxx] 
Sent: Tuesday, October 28, 2003 10:21 AM
To: Midrange Mailing List
Subject: IBM Universal Connection & PIX Firewall


I don't know how a little company like ours gets on the bleeding edge of 
_anything_ but here we go again.

We spent many months getting the IBM Universal Connection ("UC") working. 
  Had an open call with Rochester and talked many times to "Shawn" who 
was, and still is, extremely helpful.  The IUC was fairly new, our setup 
wasn't directly addressed, but after some real improvements on IBM's 
part, we got it going.

We recently installed a Cisco PIX firewall, also using it for VPN. 
Worked great.  I can VPN in from home from the laptop or desktop via the 
Cisco VPN Client and can see the LAN, etc, etc, etc.  But at that point 
the UC quit working.  That was because IBM did not yet have the ability 
to do a direct connect through a firewall.

Now they do.  The Router Guy came in, redirected a couple ports per IBM 
instructions, and lo and behold, the UC now works.  And immediately, I 
could no longer connect via the VPN Client.

What is happening is one of the redirected ports is IPSEC.  The PIX is 
waiting for that piece of the transaction, but it has already forwarded 
it to the iSeries, so it never completes the VPN connection.  (As I 
understand it.  I know only enough to be dangerous in this area.)

I called Rochester and talked to Shawn.  He indicated there would 
probably be no Knowledge Base Docs as this is too new (Oh thanks. <g>) 
He offered 2 suggestions for the PIX config:  1) Treat incoming and 
outgoing differently as the UC connections originate in the iSeries 
while VPN Client connections originate from outside, or 2) redirect 
those ports mentioned earlier to the iSeries _only_ if the incoming 
traffic is from IBM Boulder.  He thought option 2 was better.

I'm posting this because the Router Guy costs $125/hr in 15-minute 
increments and I'd like to have something to suggest to him before he 
starts. <g>  Anybody already done this?

Thanks.

-- 
Jeff Crosby
Dilgard Frozen Foods, Inc.
P.O. Box 13369
Ft. Wayne, IN 46868-3369
260-422-7531

The opinions expressed are my own and not necessarily
the opinion of my company.  Unless I say so.



_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
