Hi list.

Felix is right on this. Enabling IP-passthrough does not necessarily mean
that the pass through filters should be wide open in both directions. It is
not so much an open/closed issue, as it is a nat/no-nat issue:

When running nat, you see the annoying behaviour where the first connection
is reset when a new one is being made.

I believe this is due to NetBios' way of handling multiple connections from
the same source IP address, that is not easy to use with NAT.

When using IP pass through, the server sees the clients' original IP
address(es), so if multiple clients are connecting, everything still works.

I have done this in a couple of setups as well, and I know we could easily
start the old flamewar of ip-passthrough vs. nat, but this is a sound
solution to an annoying issue. The option if NAT is a requirement could be
static mappings, so every client IP on PRI has a static alias on the DMZ
interface, but I don't think that is very elegant.

Regards

Arne
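To make the point concrete, here is a small added model (not GnatBox code, and not from anyone in this thread) of the pass-through filter Felix posted, evaluated statefully: the interface assignment, the address ranges and the "established flows are allowed back" rule are all assumptions of the model, chosen to show why a single PRI->PSN Accept filter does not give a hacked DMZ host a way to open connections into PRI.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address ranges for the two interfaces (assumption, not the poster's real ones).
PRI_NET = ip_network("192.168.1.0/24")
PSN_NET = ip_network("192.168.2.0/24")
OBJECTS = {"ANY_PRI": PRI_NET, "ANY_PSN": PSN_NET}

@dataclass(frozen=True)
class Filter:
    interface: str    # ingress interface the filter is bound to
    protocol: str     # "<all>" or a protocol name
    action: str       # "Accept" or "Deny"
    source: str       # object name
    destination: str  # object name

# The one pass-through filter from the thread: PRI -> PSN, all protocols, accept.
FILTERS = [Filter("PRI", "<all>", "Accept", "ANY_PRI", "ANY_PSN")]

def iface_of(ip):
    """Interface a packet from this source address arrives on (model assumption)."""
    if ip in PRI_NET:
        return "PRI"
    if ip in PSN_NET:
        return "PSN"
    return "EXT"

def new_flow_allowed(src, dst, proto):
    """Default deny: a new connection passes only if an Accept filter on its
    ingress interface matches source object, destination object and protocol."""
    s, d = ip_address(src), ip_address(dst)
    for f in FILTERS:
        if f.interface != iface_of(s) or f.protocol not in ("<all>", proto):
            continue
        if s in OBJECTS[f.source] and d in OBJECTS[f.destination]:
            return f.action == "Accept"
    return False

class StatefulPassThrough:
    """Tracks accepted flows so replies get back without a PSN -> PRI filter.
    Addresses are never rewritten: the server sees the client's real IP."""
    def __init__(self):
        self.flows = set()

    def packet(self, src, sport, dst, dport, proto):
        key, reverse = (proto, src, sport, dst, dport), (proto, dst, dport, src, sport)
        if key in self.flows or reverse in self.flows:
            return "ACCEPT (established)"
        if new_flow_allowed(src, dst, proto):
            self.flows.add(key)
            return "ACCEPT (new)"
        return "DROP"
```

A workstation on PRI opening a file share on PSN is accepted and its replies flow back as established traffic, while the same server trying to open a new connection toward PRI is dropped.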

-----Original Message-----
From: Felix Nielsen [mailto:[EMAIL PROTECTED]
Sent: 4. august 2003 22:45
To: GnatBox Users Group
Subject: RE: [gb-users] Communication glitches PSN<>PRI


By default only connections from PRI to PSN (DMZ) are allowed; you need to
enable tunnels if access is permitted from PSN to PRI - so if the DMZ is
hacked, no access to PRI should be possible.

Felix

-----Original Message-----
From: David Morris [mailto:[EMAIL PROTECTED]
Sent: 4. august 2003 16:36
Cc: GnatBox Users Group
Subject: RE: [gb-users] Communication glitches PSN<>PRI


Perhaps I'm missing something, but that looks like an unrestricted
connection between PRI & PSN. If so, what is the point of setting up a
DMZ? Any hacked machine in DMZ would have full access to PRI.

Dave Morris

On Mon, 4 Aug 2003, Felix Nielsen wrote:

> Enabling "IP Pass Through Filters" will eliminate "lost connection"
> and problems when copying large files to/from the PSN.
>
> We had the same problem before we used "IP Pass Through", and it could
> be tested quite easily. One workstation started copying a big file to
> the PSN, another workstation did the same after a while, and then the
> first workstation lost the connection.
>
> Config:
>
> IP Pass through -> Hosts/Networks :
>
> Object/Address = ANY_PRI
> Destination = PSN
> Inbound = Yes
>
>
> IP Pass through -> Filters :
>
> Interface = PRI
> Protocol = <all>
> Type = Accept
> Source = ANY_PRI
> Destination = ANY_PSN
>
>
> Hope it helps :)
>
> Felix Nielsen
> Denmark
>
> > -----Original Message-----
> > From: Christopher A. Congdon [mailto:[EMAIL PROTECTED]
> > Sent: 1. august 2003 17:29
> > To: [EMAIL PROTECTED]
> > Subject: [gb-users] Communication glitches PSN<>PRI
> >
> >
> > The way our current network is setup, all of our servers are in the
> > PSN, and the only things on PRI are the workstations. The reason for
> > this setup is that we are a web hosting & web design company. All
> > the servers that we have up have public services on them.
> >
> > However, this appears to be causing us some headaches...
> >
> > Lag in communications - There's a workstation that uses our Exchange
> > server, and the delay in opening messages makes it feel like the box
> > is on the 'Net instead of a LAN
> >
> > Delayed write failures - I can't work on databases if I leave them
> > on the server. I have to either open them Read-Only to look at the
> > data only or copy them to my workstation if I want to edit them.
> >
> > Lost connections - Constantly having to re-enter passwords for
> > network shares. I also have a couple of workstations out on our
> > frame-relay WAN (which is anchored in the PRI)... These workstations
> > can't copy large files from the server. After getting about a third
> > of the way through, they get notification that the connection has
> > been reset. This appears to only happen between PRI/PSN. I can copy
> > files between two boxes on the PSN all day long and nothing appears
> > to happen.
> >
> > Thank goodness, about the only service that appears to be unaffected
> > is Terminal Server. But because of these problems, I've been
> > seriously considering just eliminating the PRI on our network,
> > unless maybe, somebody has some suggestions at things I can do to
> > clear this up?
> >
> >
> >
> > Christopher Congdon
> > Network Engineer
> > Congdon.WEB
> > [EMAIL PROTECTED]
> > http://www.congdonweb.com
> > 317-920-9601
> >
> > ------------------------------------------------------
> > To unsubscribe:           [EMAIL PROTECTED]
> > For additional commands:         [EMAIL PROTECTED]
> > Archive:  http://www.mail-archive.com/[EMAIL PROTECTED]