If the VAX does telnet, then the easiest thing to do would be to run protocol translation at the near end (on the 5300s). You'll need Enterprise, but it's about 2 lines of config. Deal with the rest as you would deal with telnet; easy.
Another option you may not have thought of is to bridge the LAT through the IP cloud using a GRE tunnel between the 5300s and the 2500 that is on the same Ethernet as the VMS box. That doesn't need any fancy IOS, and the PIX can deal with GRE. That will probably suck quite a bit to configure, and LAT isn't the most delay-sensitive protocol, so you want your point-to-point link to be quick. It does have the advantage that you don't need to worry about the 64-100 session limit per LAT protocol-translation box.
You will only need to do protocol translation at one end, if the VAX supports telnet.
Cheers,
--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
-----Original Message-----
From: Ben Keepper [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 27, 2001 10:59 AM
To: [EMAIL PROTECTED]
Subject: Getting LAT through PIXs
I think this is a tough one.
Client currently has a large number of users dialing in to a bank of Cisco AS5300s. They are accessing a VMS application via LAT. The VMS server is local (on the other side of a switch) right now. Obviously LAT is currently enabled on the 5300s.
Desired option: migrate this bank of 5300s into a DMZ of a pair of HA PIXs (running 6.0). To connect to the VMS server from this desired location, traffic would go from the DMZ subnet to a lower-security interface (note: not Ethernet0), to a Cisco 2524 across a point-to-point link to another Cisco 2524, to that same switch, and hit the VMS server.
The PIX can't route LAT, so CAN the AS5300s translate LAT to TCP (Telnet) to get to the VMS box? (Note: the VMS box does have IP bound to it and does support telnet.)
The Cisco documentation on this is very confusing; ergo, if the 5300s can do this, do we need the Enterprise version of the software?
Option two: Stick the 5300s in the same subnet as the 2524 router and do protocol translation across the point-to-point links. The problem is (I think) you need the Enterprise feature set of the IOS software for both routers ($1400 per)
I am missing something here. (And the need for LAT goes away in four months, but is mandatory now).
Here is a confusing Cisco doc on this:
http://noc.relcom.eu.net:8081/cdrom/data/doc/software/11_2/cas/3clat.htm
Comments,
TIA
Ben
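Neither message shows any configuration, so the following is an added sketch (not from either poster) of what Ben Nagy's two options look like in IOS and PIX 6.0 syntax. Every address, interface name, ACL name and LAT service name is an assumed placeholder, and the `translate` keywords in particular should be checked against the feature set and release actually running on the 5300s, since protocol translation is only present in some images.

```cisco
! ---- Option 1: LAT-to-TCP protocol translation on each AS5300 ----
! Needs an IOS feature set that includes protocol translation
! (Enterprise, as the reply says). All addresses/names are assumed.
!
! LAT must be enabled on the Ethernet the translated service is
! advertised on, so dial-in users see it as an ordinary LAT service.
interface Ethernet0
 ip address 192.0.2.5 255.255.255.0
 lat enabled
!
! Advertise LAT service "VMSAPP"; each incoming LAT connection to it
! becomes a Telnet session to the VMS host (assumed 192.168.10.20).
! max-users caps concurrent translated sessions; each one is carried
! on a vty line, so the vty pool must be sized to match (and keep the
! normal access protections on those vtys).
translate lat VMSAPP tcp 192.168.10.20 port 23 max-users 64
!
! Matching PIX 6.0 rules on the DMZ interface (names "dmz" and "wan"
! assumed): identity static so the 5300 addresses are not translated
! toward the lower-security side, and an ACL that allows only Telnet
! to the single VMS host. Telnet is cleartext, so do not widen this
! beyond the one destination; add other DMZ flows explicitly.
static (dmz,wan) 192.0.2.0 192.0.2.0 netmask 255.255.255.0
access-list dmz_out permit tcp 192.0.2.0 255.255.255.0 host 192.168.10.20 eq telnet
access-list dmz_out deny ip any any
access-group dmz_out in interface dmz

! ---- Option 2: bridge LAT over a GRE tunnel (no translation) ----
! Same config on each AS5300 (tunnel endpoint 192.0.2.5) and, with
! source/destination swapped, on the 2500 next to the VMS box
! (tunnel endpoint 203.0.113.10). Interface names are assumed.
interface Tunnel0
 no ip address
 tunnel source Ethernet0
 tunnel destination 203.0.113.10
 bridge-group 1
!
interface Ethernet0
 ip address 192.0.2.5 255.255.255.0
 lat enabled
 bridge-group 1
!
! IP keeps being routed on Ethernet0; only non-routed protocols such
! as LAT (Ethertype 0x6004) are bridged across the tunnel. GRE adds
! 24 bytes of overhead, so large LAT frames may fragment on the link.
bridge 1 protocol ieee
!
! PIX 6.0: pass the GRE tunnel between the two endpoints only. GRE
! carries the LAT frames in the clear; it moves them, it does not
! protect them, so the point-to-point link is trusted as-is.
static (dmz,wan) 192.0.2.5 192.0.2.5 netmask 255.255.255.255
access-list wan_in permit gre host 203.0.113.10 host 192.0.2.5
access-group wan_in in interface wan
```

Only one of the two blocks would be used. In option 1 the `max-users` value and the vty pool size are the knobs where the per-box session limit mentioned in the reply is likely to bite; in option 2 there is no such limit, but every LAT frame, including the login exchange, crosses the IP cloud inside GRE with no protection beyond what the point-to-point link itself provides.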