In the past 24 hours I've received quite a load of very good information on the topic, which is going to take some time to digest. Most folks suggest that all we need to do is open ports 6000 to 6004 to let X traffic pass. Others suggest it is a little more complex because we are using NAT. I also received a URL to the online manual for PIX from Daniel Monjar [dmonjar_at_orgtek.com]:
(http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v44/pix44cfg)
There were lots of interesting ideas suggested and I've included snippets of them here. Thanks to the following for their help:
Lawrence Decker [ldecker_at_pbchcd.state.fl.us]:
who supplied a listing of his PIX config. In the interest of brevity I'm not including it.
Daniel Monjar [dmonjar_at_orgtek.com]:
to make the pc talk to the x client securely they can establish a
conduit on the pix between the pc and the client. This opens a "pipe"
between the two machines. To do this a couple of things have to happen.
1. the internal machine (pc) has to have a ip on the outside. this is
done with the static command.
If the pc is at 1.1.1.1 and the external network is in the 2.2.2.0 net
you can make the pc appear on the outside at address 2.2.2.1 with the
command
static (inside,outside) 2.2.2.1 1.1.1.1 netmask 255.255.255.255
2. now you have to "make a hole" in the firewall. Do this with a
conduit. To let the dec machine, at 2.2.2.2, talk with the internal pc
do this:
conduit permit tcp host 2.2.2.1 eq any 2.2.2.2
this says let the machine at 2.2.2.2 talk using the tcp protocol to any
port on 2.2.2.1
tcp can be udp... any can be the port number.
rich [raf_at_ezunx.com]:
... it is trivial. Just like any other firewall all that is needed is to open ports for -- 6000-6004 should do it for you.
Thomas Ozanich [thomas.ozanich_at_alstom.esca.com]:
You need to set up a conduit on ports 6000 6001 for the systems you need to
throw a window back from.
Michael Warchut [mikew_at_alibris.com]:
you will need your sysadmin to assign a static IP to the workstation.. then
they will need to assign a static ip in the firewall mapped to the
internal address.. the last step is to build a conduit in the firewall to
allow access back to the management machine from the 4100.
The only other thing I can think of is that Exceed may be passing over your
NAT address instead of your XLATE address to the server, so when it tries to
connect to the server the server is trying to open DISPLAY to the NAT
address and not the pool address.. they can tell you your pool address by
doing a 'show xlate' and finding your internal ip number..
Ron Parker [rparker_at_brazosport.cc.tx.us]:
...If nothing else they should be able to set up a test where you try to contact the servers via X and they then look at their logs to see what is happening to prevent you.
In defense of the networking guys, inbound X-Windows is routinely filtered at firewalls due to myriad known security issues. However, since these machines are already outside your firewall they are unprotected anyway.
trey_at_anvils.org
X is something like 6000 plus your display number. (I think). So
host:0 == 6000
host:10 == 6010
However, I'd make a different suggestion. If you don't need the full CDE
desktop but only X apps, you could use ssh and forward your X11 packets.
I'm cursed with having to also use a windows box so i have SecureCRT
from www.vandyke.com (about $90) and tunnel all my X11 packets back to
my desktop. The ssh daemon on the Alpha sets up a listener and handles
the display environment for me. I have Exceed running in passive mode
with multiple windows and just let the windows pop up.
John Voss [J.Voss_at_cqu.edu.au]
All you should have to do is set up a conduit for the X traffic (6000-6002) back
from your servers that are outside the firewall. You'll need to replace the
IP addresses with those that are applicable.
conduit permit tcp any range 6000 6002 172.10.4.0 255.255.255.0
conduit permit tcp any range 6000 6002 host 192.168.1.1
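As an added example (my own, not code from any of the respondents above), here is a small Python audit of PIX conduit lines of the kind quoted in this thread: it maps a DISPLAY to its TCP port (6000 plus the display number), works out which X displays a conduit opens inbound, flags a conduit whose outside source is "any", and checks reachability against the PC's outside (xlate) address rather than its inside address, which is the mistake Michael describes. The conduit grammar it parses ("conduit permit|deny proto global [ports] foreign [ports]" with host/any shorthand and eq/range operators) and the sample lines in CONDUITS are assumptions of this example, not taken from anyone's real config.

```python
import ipaddress
X11_BASE = 6000  # X display :n listens on TCP 6000+n, so host:10 is port 6010

def display_to_port(display):  # 'pc:10.0' -> 6010
    return X11_BASE + int(display.rsplit(":", 1)[1].split(".")[0])

def _endpoint(tok, i):
    """Consume 'any' | 'host A' | 'A MASK', then an optional 'eq P' | 'range P1 P2'."""
    if tok[i] == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif tok[i] == "host":
        net, i = ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    else:
        net, i = ipaddress.ip_network("%s/%s" % (tok[i], tok[i + 1]), strict=False), i + 2
    if i < len(tok) and tok[i] == "eq":
        return net, (int(tok[i + 1]),) * 2, i + 2
    if i < len(tok) and tok[i] == "range":
        return net, (int(tok[i + 1]), int(tok[i + 2])), i + 3
    return net, (0, 65535), i

def parse_conduit(line):
    """'conduit permit|deny PROTO GLOBAL [ports] FOREIGN [ports]': GLOBAL is the PC's
    outside (static/xlate) address, FOREIGN is the outside X client (the DEC box)."""
    tok = line.split()
    assert tok[0] == "conduit" and tok[1] in ("permit", "deny"), line
    gnet, gports, i = _endpoint(tok, 3)
    fnet, _, _ = _endpoint(tok, i)
    return {"action": tok[1], "proto": tok[2], "global": gnet, "gports": gports, "foreign": fnet}

def x11_exposure(line):
    """Displays (0-63) a conduit opens inbound, and whether its source side is 'any'."""
    c = parse_conduit(line)
    lo, hi = max(c["gports"][0], X11_BASE), min(c["gports"][1], X11_BASE + 63)
    ok = c["action"] == "permit" and c["proto"] == "tcp"
    displays = list(range(lo - X11_BASE, hi - X11_BASE + 1)) if ok else []
    return {"displays": displays, "broad_source": bool(displays) and c["foreign"].prefixlen == 0}

def display_reachable(conduits, server_ip, pc_global_ip, display):
    """True if a permit conduit lets server_ip reach DISPLAY at the PC's xlate address;
    testing with the PC's inside (pre-NAT) address instead fails, as the thread notes."""
    port = display_to_port(display)
    src, dst = ipaddress.ip_address(server_ip), ipaddress.ip_address(pc_global_ip)
    return any(c["action"] == "permit" and c["proto"] == "tcp" and src in c["foreign"]
               and dst in c["global"] and c["gports"][0] <= port <= c["gports"][1]
               for c in map(parse_conduit, conduits))

CONDUITS = [  # constructed sample config, in the style of the thread's examples
    "conduit permit tcp any range 6000 6002 172.10.4.0 255.255.255.0",
    "conduit permit tcp host 2.2.2.1 range 6000 6002 host 2.2.2.2",
    "conduit permit tcp any range 6000 6004 any"]  # too broad: any source, any host
```

Run x11_exposure over each line of a config to list which displays are reachable and from where; the third sample line is the shape to avoid, since it lets any outside host reach any translated inside address on those ports.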
----------------------------------------------------------------------------
And my original query:
> Our network guys recently replaced our old firewall, which ran
> Firewall1, with a new Cisco PIX firewall. In doing so they have cut
> off our ability to run any of the X based products that we have on our
> dec boxes on the other side of the firewall. We have our webservers
> out there and we still need to manage them from the PC's on our desks
> using Exceed. The only way we can connect to them is with telnet which
> is highly undesirable since we use all of the dx tools and xwindows to
> connect to our machines.
>
> When I complain they tell me that they don't know how to fix it, or
> that PIX can't pass that kind of traffic. This I find hard to believe.
> Everything worked fine on the old firewall.
>
> So, can anyone please help me explain to them what it is we need set
> to make all of this work again?
>
> Thanks
> John Hergert
> Volkswagen of America
>
Received on Fri Dec 10 1999 - 16:25:00 NZDT