NETWORK PRESENCE ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT
 


Search
display results
words begin  exact words  any words part 

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [FW1] Securemote to "non-internal" addresses not routing prop erly



Maybe I didn't explain myself too well.  I can't see from your reply if you've checked any of the routes on your mainframe.  Can you ping the mainframe from the webserver?  If not, the issue is there, rather than with the firewall.  IP routing is a two-way street - the packet has to know how to get back, too.  Also, unless you're using IP Pool NAT, SR connections into the internal network do not "initiate" from the internal firewall interface.  The client's packets run around on your internal network with their ISP-assigned, external IP address.  More to chew on...
 

Dan Hitchcock
CCNA, MCSE
Network Engineer
Xylo, Inc. (formerly employeesavings.com)

The work/life solution for corporate thought leaders

-----Original Message-----
From: Mark Whitworth [mailto:[email protected]]
Sent: Monday, September 11, 2000 4:13 PM
To: 'Dan Hitchcock'; [email protected]
Subject: RE: [FW1] Securemote to "non-internal" addresses not routing prop erly

Thanks for the response, Dan.  The web server makes the connection to the mainframe, and the client connects to the web server via a browser.  The routes to the mainframe exist at the web server, and even with the default gateway of the web server pointing back to the firewall (to account for any ISP issues, which I don't think would be a problem due to SR "initiating" from the internal firewall interface), the connection fails and a traceroute won't complete.  Any other ideas are appreciated!
 
Mark
-----Original Message-----
From: Dan Hitchcock [mailto:[email protected]]
Sent: Monday, September 11, 2000 2:08 PM
To: 'Mark Whitworth'; [email protected]
Subject: RE: [FW1] Securemote to "non-internal" addresses not routing prop erly

Mark, I'm not sure from your message what the exact function of the web server is.  Is the connection to your 3270 device a TCP session between the webserver and the 3270, or the end-user and the 3270?  If it is from the client, you might want to verify that the 3270 device has a return path (i.e. default gateway) to get the packets back out to the SR client.  In other words, your SR client may have some arbitrary address like 63.44.44.44 assigned by its ISP, and the 3270 must be able to route that address back to the firewall performing the encryption, or no go.
 
That's my initial thought.  Please post with further details if that isn't the issue.  Good luck!
 
Dan Hitchcock
CCNA, MCSE
Network Engineer
Xylo, Inc. (formerly employeesavings.com)

The work/life solution for corporate thought leaders
-----Original Message-----
From: Mark Whitworth [mailto:[email protected]]
Sent: Monday, September 11, 2000 9:10 AM
To: [email protected]
Subject: [FW1] Securemote to "non-internal" addresses not routing properly

We have been successfully using SR for almost 6 months now, but I have run into a new problem. My remote users are trying to access an internal web server which acts as a web to host mediator to an offsite mainframe. My web server is in the 172.16.x.x range of addresses, and it that is included in my encryption domain. Connecting to it works fine. However, when it tries to serve the 3270e session from the mainframe (which has an IP in the 170.115.x.x net) it fails to connect, and I can't telnet to the port on that server, either. It is obviously a routing issue, but I've even added the 170 address as an object to my encryption domain and still no-go. When I try to traceroute to the 170 address, it locks up the clients if SR is running. I can see the packets being accepted and decrypted at the firewall. TIA for any help.

Mark

P.S. Please post to the group or my other account, [email protected]. I appreciate the consideration. I have suddenly been unable to post from that account after 2 years without problems. Thanks.



 
----------------------------------

ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT SITE MAP LEGAL
   All contents � 2003 Network Presence, LLC. All rights reserved.