Re: Cisco PIX Novell [7:51303]
Here it is. We have a Cisco PIX 525. The Novell 4.83 user/client is behind the firewall. The Novell Netware 5.1 server is outside the firewall. What do I need to do to make the client be able to sign into the server? We have it configured so that anyone on the inside can do any IP to the outside. The Netware client is set to use IP as the preferred method.

Looking at the syslog, what happens is the client connects to the directory agent server, which directs another server to communicate with the client. Is there a way of telling the client to authenticate to a specific server? Thank you.

At 11:34 PM 8/13/2002, Priscilla Oppenheimer wrote:

> Not junk at all. :-) I think it's impressive that Novell continues to innovate. Comments below:
>
> Don Queen wrote:
>
> > What version of Netware are you running on the server? If it's 5 or 6, it's native IP, so basically you're sending IP traffic out of the Pix, which should work. It sounds as if your problem may be with the packet actually coming back into the Pix. Do you have any rules that may be preventing the server from responding back to the client?
> >
> > Here is the information from Novell's website listing the ports that Novell uses:
> >
> > TCP and UDP are both used by NetWare 5.1 and NetWare 6.0 for Pure IP connectivity. The following ports are used for communication.
> >
> > TCP 524 - NCP Requests - Source port will be a high port (1024-65535)
> > UDP 524 - NCP for time synchronization - Source port will be a high port
> > UDP 123 - NTP for time synchronization - Source port will be the same
> > UDP 427 - SLP Requests - Source port will be the same (427)
> > TCP 427 - SLP Requests - Source port will be the same (427)
> > TCP 2302 - CMD - Source port will be a high port
> > UDP 2645 - CMD - Source port will be the same (2645)
>
> I thought I would add to this the decoding of the acronyms:
>
> NCP is, sort of obviously, NetWare Core Protocol, the classic client/server protocol that Novell has used for almost 20 years.
>
> SLP is for Service Location Protocol, a protocol for finding services that may catch on, although admittedly it is mostly Novell and Apple making a big deal of it. RFC 2608 defines the current version of SLP, version 2. I think I read somewhere that Novell uses the older version. It's defined in RFC 2165. They use different multicast addresses, which could be an issue.
>
> CMD is the Novell Compatibility Mode Protocol. I knew it used UDP port 2645. I hadn't heard of it using TCP port 2302.
>
> Note that all of these ports might not be necessary for every implementation. The original poster needs to tell us what his problem is, if anything. Maybe he was just getting info.
>
> Priscilla
>
> > Not bad for junk as you call it.
> >
> > - Original Message -
> > From: Brian Zeitz
> > Sent: Tuesday, August 13, 2002 2:02 PM
> > Subject: RE: Cisco PIX Novell [7:51303]
> >
> > > Usually people set up web interfaces for this. I don't really know the Novell junk, but I would start by upgrading the client to Novell 6, if you even want to attempt VPN, if that's what you are trying to do. If the server is on the DMZ, you want cut-through proxy (probably doesn't work with Novell). If your server is on the internet, you don't want to transmit your passwords over the internet in clear text, so you need VPN. Save yourself a lot of headaches and trouble and switch to Microsoft or Unix.
> > >
> > > -----Original Message-----
> > > From: John Chang [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, August 13, 2002 1:24 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Cisco PIX Novell [7:51303]
> > >
> > > > We have a Cisco PIX 525. The Novell 5.1 user/client is behind the firewall. The server is outside the firewall. What do I need to do to make the client be able to sign into the server? We have it configured so that anyone on the inside can do any IP to the outside. The Netware client is set to use IP as the preferred method. Thank you.
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51355t=51303 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Cisco PIX Novell [7:51303]
That was my point exactly. Novell continues to improve their products to work with any OS... Microsoft, Apple, Unix, Linux and PDAs. Granted they were behind on the Internet front, but they've made great strides to catch up and make their products Internet ready out of the box.

Donald R. Queen CCNP, CCA, MCSE, CNE5
Baker Robbins Company
Technology Consultants
Knowledge, Solutions, Partnership

- Original Message -
From: Priscilla Oppenheimer
Sent: Tuesday, August 13, 2002 6:34 PM
Subject: Re: Cisco PIX Novell [7:51303]

> Not junk at all. :-) I think it's impressive that Novell continues to innovate. Comments below:
>
> Don Queen wrote:
>
> > What version of Netware are you running on the server? If it's 5 or 6, it's native IP, so basically you're sending IP traffic out of the Pix, which should work. It sounds as if your problem may be with the packet actually coming back into the Pix. Do you have any rules that may be preventing the server from responding back to the client?
> >
> > Here is the information from Novell's website listing the ports that Novell uses:
> >
> > TCP and UDP are both used by NetWare 5.1 and NetWare 6.0 for Pure IP connectivity. The following ports are used for communication.
> >
> > TCP 524 - NCP Requests - Source port will be a high port (1024-65535)
> > UDP 524 - NCP for time synchronization - Source port will be a high port
> > UDP 123 - NTP for time synchronization - Source port will be the same
> > UDP 427 - SLP Requests - Source port will be the same (427)
> > TCP 427 - SLP Requests - Source port will be the same (427)
> > TCP 2302 - CMD - Source port will be a high port
> > UDP 2645 - CMD - Source port will be the same (2645)
>
> I thought I would add to this the decoding of the acronyms:
>
> NCP is, sort of obviously, NetWare Core Protocol, the classic client/server protocol that Novell has used for almost 20 years.
>
> SLP is for Service Location Protocol, a protocol for finding services that may catch on, although admittedly it is mostly Novell and Apple making a big deal of it. RFC 2608 defines the current version of SLP, version 2. I think I read somewhere that Novell uses the older version. It's defined in RFC 2165. They use different multicast addresses, which could be an issue.
>
> CMD is the Novell Compatibility Mode Protocol. I knew it used UDP port 2645. I hadn't heard of it using TCP port 2302.
>
> Note that all of these ports might not be necessary for every implementation. The original poster needs to tell us what his problem is, if anything. Maybe he was just getting info.
>
> Priscilla
>
> > Not bad for junk as you call it.
> >
> > - Original Message -
> > From: Brian Zeitz
> > Sent: Tuesday, August 13, 2002 2:02 PM
> > Subject: RE: Cisco PIX Novell [7:51303]
> >
> > > Usually people set up web interfaces for this. I don't really know the Novell junk, but I would start by upgrading the client to Novell 6, if you even want to attempt VPN, if that's what you are trying to do. If the server is on the DMZ, you want cut-through proxy (probably doesn't work with Novell). If your server is on the internet, you don't want to transmit your passwords over the internet in clear text, so you need VPN. Save yourself a lot of headaches and trouble and switch to Microsoft or Unix.
> > >
> > > -----Original Message-----
> > > From: John Chang [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, August 13, 2002 1:24 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Cisco PIX Novell [7:51303]
> > >
> > > > We have a Cisco PIX 525. The Novell 5.1 user/client is behind the firewall. The server is outside the firewall. What do I need to do to make the client be able to sign into the server? We have it configured so that anyone on the inside can do any IP to the outside. The Netware client is set to use IP as the preferred method. Thank you.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51360t=51303
RE: Cisco PIX Novell [7:51303]
He may need to encapsulate the IPX into TCP/IP. Cisco only supports IP on the VPN3000 concentrator. Maybe a good test question for us taking the CSS1 exams. The VPN 5000 will support IPX.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51365t=51303
RE: Cisco PIX Novell [7:51303]
Brian Zeitz wrote:

> He may need to encapsulate the IPX into TCP/IP. Cisco only supports IP on the VPN3000 concentrator. Maybe a good test question for us taking the CSS1 exams. The VPN 5000 will support IPX.

It might be a good design question to see if the test-taker can analyze user requirements. He didn't say anything about having a VPN concentrator. In fact, he's not trying to do a VPN, I don't think. He's just trying to get ordinary client/server traffic to work through the PIX 525. Also, he's using IP, not IPX.

On the other hand, I have to somewhat agree with some of your other message about NetWare being overly complex and requiring too much tinkering to get it working. I tried to find an answer to the actual question on the Novell Web site, and the servers were excruciatingly slow to start with, and there was nothing useful on the particular question (of getting a NetWare client to talk to a NetWare 5.1 server with IP as the preferred method across a PIX firewall).

The original poster said that the client talks to a Directory Agent (DA) first. This implies that Service Location Protocol (SLP) is in use, but that multicasts are not required for finding services. A DA minimizes the requirement for multicasts. SLP user and service agents can find the DA via multicast (if they don't hear from it first), but once they do find the DA, they can send unicasts directly to the DA.

It sounds like the client is finding the DA fine and the DA is giving the client a server to use, but then the failure occurs. Is there a way for him to avoid SLP and specify the actual server? Can't he just do this with an IP address (or name, assuming DNS is working)?

I noticed that Chuck Church is back. (Yeah!) Maybe he can help? :-)

Thanks
Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51375t=51303
RE: Cisco PIX Novell [7:51303]
We have done some testing through this same concentrator. If you do not have SLP implemented in your NW5.x environment, you need to put the IP address of your logon server in the preferred server field of the client. Your client needs to be set up for IP/IPX or just IP for this to work. IP only works faster. We were able to successfully log on, access files, and print through the concentrator. Hope this helps!

Chris Dumais, CCNP, CNA
Sr. Network Administrator
NSS Customer and Desktop Services Team
Maine Medical Center
(207)871-6940
[EMAIL PROTECTED]

Priscilla Oppenheimer 8/14/02 1:37:17 PM

> Brian Zeitz wrote:
>
> > He may need to encapsulate the IPX into TCP/IP. Cisco only supports IP on the VPN3000 concentrator. Maybe a good test question for us taking the CSS1 exams. The VPN 5000 will support IPX.
>
> It might be a good design question to see if the test-taker can analyze user requirements. He didn't say anything about having a VPN concentrator. In fact, he's not trying to do a VPN, I don't think. He's just trying to get ordinary client/server traffic to work through the PIX 525. Also, he's using IP, not IPX.
>
> On the other hand, I have to somewhat agree with some of your other message about NetWare being overly complex and requiring too much tinkering to get it working. I tried to find an answer to the actual question on the Novell Web site, and the servers were excruciatingly slow to start with, and there was nothing useful on the particular question (of getting a NetWare client to talk to a NetWare 5.1 server with IP as the preferred method across a PIX firewall).
>
> The original poster said that the client talks to a Directory Agent (DA) first. This implies that Service Location Protocol (SLP) is in use, but that multicasts are not required for finding services. A DA minimizes the requirement for multicasts. SLP user and service agents can find the DA via multicast (if they don't hear from it first), but once they do find the DA, they can send unicasts directly to the DA.
>
> It sounds like the client is finding the DA fine and the DA is giving the client a server to use, but then the failure occurs. Is there a way for him to avoid SLP and specify the actual server? Can't he just do this with an IP address (or name, assuming DNS is working)?
>
> I noticed that Chuck Church is back. (Yeah!) Maybe he can help? :-)
>
> Thanks
> Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51379t=51303
RE: Cisco PIX Novell [7:51303]
My point about the VPN concentrator was in a different email. I was mentioning the VPN concentrator for those taking the CSVPN test for the CSS1. Maybe I should have changed the heading, to make it politically correct. I am sure people going for the VPN test will appreciate this if they see it on their exam. I was trying to get this conversation back on what we are all here for, Cisco related products.

Your point about analyzing user requirements is moot. There was not enough detail to perform an evaluation. That would be the answer to this question. I was just taking a shot in the dark, just like everyone else. This would be a bad example to see if someone could analyze network requirements. If it was a credible question, this would apply.

-----Original Message-----
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 14, 2002 1:37 PM
To: [EMAIL PROTECTED]
Subject: RE: Cisco PIX Novell [7:51303]

> Brian Zeitz wrote:
>
> > He may need to encapsulate the IPX into TCP/IP. Cisco only supports IP on the VPN3000 concentrator. Maybe a good test question for us taking the CSS1 exams. The VPN 5000 will support IPX.
>
> It might be a good design question to see if the test-taker can analyze user requirements. He didn't say anything about having a VPN concentrator. In fact, he's not trying to do a VPN, I don't think. He's just trying to get ordinary client/server traffic to work through the PIX 525. Also, he's using IP, not IPX.
>
> On the other hand, I have to somewhat agree with some of your other message about NetWare being overly complex and requiring too much tinkering to get it working. I tried to find an answer to the actual question on the Novell Web site, and the servers were excruciatingly slow to start with, and there was nothing useful on the particular question (of getting a NetWare client to talk to a NetWare 5.1 server with IP as the preferred method across a PIX firewall).
>
> The original poster said that the client talks to a Directory Agent (DA) first. This implies that Service Location Protocol (SLP) is in use, but that multicasts are not required for finding services. A DA minimizes the requirement for multicasts. SLP user and service agents can find the DA via multicast (if they don't hear from it first), but once they do find the DA, they can send unicasts directly to the DA.
>
> It sounds like the client is finding the DA fine and the DA is giving the client a server to use, but then the failure occurs. Is there a way for him to avoid SLP and specify the actual server? Can't he just do this with an IP address (or name, assuming DNS is working)?
>
> I noticed that Chuck Church is back. (Yeah!) Maybe he can help? :-)
>
> Thanks
> Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51383t=51303
RE: Cisco PIX Novell [7:51303]
John, I would first try looking at the logs on the PIX (look for denied traffic from, or to, the devices in question), and also run debugs on both the inside and outside interfaces to see if the packets are making it to the PIX, and what the source and destination ports and addresses are.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51311t=51303
RE: Cisco PIX Novell [7:51303]
Usually people set up web interfaces for this. I don't really know the Novell junk, but I would start by upgrading the client to Novell 6, if you even want to attempt VPN, if that's what you are trying to do. If the server is on the DMZ, you want cut-through proxy (probably doesn't work with Novell). If your server is on the internet, you don't want to transmit your passwords over the internet in clear text, so you need VPN. Save yourself a lot of headaches and trouble and switch to Microsoft or Unix.

-----Original Message-----
From: John Chang [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 13, 2002 1:24 PM
To: [EMAIL PROTECTED]
Subject: Cisco PIX Novell [7:51303]

> We have a Cisco PIX 525. The Novell 5.1 user/client is behind the firewall. The server is outside the firewall. What do I need to do to make the client be able to sign into the server? We have it configured so that anyone on the inside can do any IP to the outside. The Netware client is set to use IP as the preferred method. Thank you.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51312t=51303
Re: Cisco PIX Novell [7:51303]
What version of Netware are you running on the server? If it's 5 or 6, it's native IP, so basically you're sending IP traffic out of the Pix, which should work. It sounds as if your problem may be with the packet actually coming back into the Pix. Do you have any rules that may be preventing the server from responding back to the client?

Here is the information from Novell's website listing the ports that Novell uses:

TCP and UDP are both used by NetWare 5.1 and NetWare 6.0 for Pure IP connectivity. The following ports are used for communication.

TCP 524 - NCP Requests - Source port will be a high port (1024-65535)
UDP 524 - NCP for time synchronization - Source port will be a high port
UDP 123 - NTP for time synchronization - Source port will be the same
UDP 427 - SLP Requests - Source port will be the same (427)
TCP 427 - SLP Requests - Source port will be the same (427)
TCP 2302 - CMD - Source port will be a high port
UDP 2645 - CMD - Source port will be the same (2645)

Not bad for junk as you call it.

- Original Message -
From: Brian Zeitz
Sent: Tuesday, August 13, 2002 2:02 PM
Subject: RE: Cisco PIX Novell [7:51303]

> Usually people set up web interfaces for this. I don't really know the Novell junk, but I would start by upgrading the client to Novell 6, if you even want to attempt VPN, if that's what you are trying to do. If the server is on the DMZ, you want cut-through proxy (probably doesn't work with Novell). If your server is on the internet, you don't want to transmit your passwords over the internet in clear text, so you need VPN. Save yourself a lot of headaches and trouble and switch to Microsoft or Unix.
>
> -----Original Message-----
> From: John Chang [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 13, 2002 1:24 PM
> To: [EMAIL PROTECTED]
> Subject: Cisco PIX Novell [7:51303]
>
> > We have a Cisco PIX 525. The Novell 5.1 user/client is behind the firewall. The server is outside the firewall. What do I need to do to make the client be able to sign into the server? We have it configured so that anyone on the inside can do any IP to the outside. The Netware client is set to use IP as the preferred method. Thank you.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51325t=51303
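Two posts in this thread suggest a concrete check: Don Queen's list of the TCP/UDP ports NetWare 5.1/6.0 uses for Pure IP, and the earlier advice to look in the PIX logs for denied traffic to or from the hosts in question. The script below is an added example written for this page, not code posted by anyone in the thread or by Novell or Cisco. It encodes the port list as posted, parses PIX deny messages of the `%PIX-4-106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group ...` shape, and counts denied packets per NetWare service and direction. The message format, the interface names and all sample log lines and addresses are assumptions constructed for the example; a real PIX deployment may name interfaces and access groups differently.

```python
"""Added example (not code from the thread): classify PIX deny-log lines
against the NetWare 5.x/6.x port list posted in the thread, so a defender
reading the PIX syslog can see which NetWare service a dropped packet
belonged to and in which direction it was travelling.

Assumption: the PIX emits 106023 deny messages in the shape
  %PIX-4-106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
The sample lines below are constructed for this example.
"""
import re
from collections import Counter

# Port list as posted in the thread (NetWare 5.1 / 6.0 Pure IP).
NETWARE_PORTS = {
    ("tcp", 524): "NCP requests",
    ("udp", 524): "NCP time synchronization",
    ("udp", 123): "NTP time synchronization",
    ("udp", 427): "SLP requests",
    ("tcp", 427): "SLP requests",
    ("tcp", 2302): "CMD (Compatibility Mode)",
    ("udp", 2645): "CMD (Compatibility Mode)",
}

# Assumed deny-message layout; 'search' so a leading timestamp does not matter.
DENY_RE = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>tcp|udp|icmp) "
    r"src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)


def parse_deny(line):
    """Return a dict for a 106023 deny line, or None for any other message."""
    m = DENY_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    return entry


def classify(entry):
    """Name the NetWare service a denied packet belongs to, checking both ends.

    A packet from the server carries the service port as its *source* port
    (e.g. tcp/524 -> client high port), which is the return direction Don
    suspected was being blocked, so the source port is checked as well.
    """
    proto = entry["proto"]
    for port in (entry["dport"], entry["sport"]):
        name = NETWARE_PORTS.get((proto, port))
        if name:
            return name
    return None


def summarize(lines):
    """Count denied NetWare packets per (service, src_if->dst_if)."""
    counts = Counter()
    for line in lines:
        entry = parse_deny(line)
        if entry is None:
            continue
        service = classify(entry)
        if service is None:
            continue
        counts[(service, f"{entry['sif']}->{entry['dif']}")] += 1
    return counts


# Constructed sample syslog lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    '%PIX-4-106023: Deny tcp src outside:192.0.2.10/524 dst inside:10.1.1.25/1025 by access-group "outside_in"',
    '%PIX-4-106023: Deny tcp src outside:192.0.2.10/524 dst inside:10.1.1.25/1026 by access-group "outside_in"',
    '%PIX-4-106023: Deny udp src outside:192.0.2.11/427 dst inside:10.1.1.25/427 by access-group "outside_in"',
    '%PIX-4-106023: Deny tcp src outside:198.51.100.7/80 dst inside:10.1.1.25/1027 by access-group "outside_in"',
    '%PIX-6-302001: Built inbound TCP connection 1234 for faddr 192.0.2.10/524 gaddr 203.0.113.5/1025 laddr 10.1.1.25/1025',
]

if __name__ == "__main__":
    for (service, direction), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {direction:18s} {service}")
```

Run against the constructed sample, the summary shows two denied NCP packets and one denied SLP packet, all outside-to-inside, while the HTTP deny and the connection-built line are ignored. That matches the failure mode discussed in the thread, where a server the directory agent hands out tries to reach the client and nothing on the outside interface permits it; a burst of such lines for a known server is the first thing to look for before touching the client's preferred-server setting.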
Re: Cisco PIX Novell [7:51303]
Not junk at all. :-) I think it's impressive that Novell continues to innovate. Comments below:

Don Queen wrote:

> What version of Netware are you running on the server? If it's 5 or 6, it's native IP, so basically you're sending IP traffic out of the Pix, which should work. It sounds as if your problem may be with the packet actually coming back into the Pix. Do you have any rules that may be preventing the server from responding back to the client?
>
> Here is the information from Novell's website listing the ports that Novell uses:
>
> TCP and UDP are both used by NetWare 5.1 and NetWare 6.0 for Pure IP connectivity. The following ports are used for communication.
>
> TCP 524 - NCP Requests - Source port will be a high port (1024-65535)
> UDP 524 - NCP for time synchronization - Source port will be a high port
> UDP 123 - NTP for time synchronization - Source port will be the same
> UDP 427 - SLP Requests - Source port will be the same (427)
> TCP 427 - SLP Requests - Source port will be the same (427)
> TCP 2302 - CMD - Source port will be a high port
> UDP 2645 - CMD - Source port will be the same (2645)

I thought I would add to this the decoding of the acronyms:

NCP is, sort of obviously, NetWare Core Protocol, the classic client/server protocol that Novell has used for almost 20 years.

SLP is for Service Location Protocol, a protocol for finding services that may catch on, although admittedly it is mostly Novell and Apple making a big deal of it. RFC 2608 defines the current version of SLP, version 2. I think I read somewhere that Novell uses the older version. It's defined in RFC 2165. They use different multicast addresses, which could be an issue.

CMD is the Novell Compatibility Mode Protocol. I knew it used UDP port 2645. I hadn't heard of it using TCP port 2302.

Note that all of these ports might not be necessary for every implementation. The original poster needs to tell us what his problem is, if anything. Maybe he was just getting info.

Priscilla

> Not bad for junk as you call it.
>
> - Original Message -
> From: Brian Zeitz
> Sent: Tuesday, August 13, 2002 2:02 PM
> Subject: RE: Cisco PIX Novell [7:51303]
>
> > Usually people set up web interfaces for this. I don't really know the Novell junk, but I would start by upgrading the client to Novell 6, if you even want to attempt VPN, if that's what you are trying to do. If the server is on the DMZ, you want cut-through proxy (probably doesn't work with Novell). If your server is on the internet, you don't want to transmit your passwords over the internet in clear text, so you need VPN. Save yourself a lot of headaches and trouble and switch to Microsoft or Unix.
> >
> > -----Original Message-----
> > From: John Chang [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, August 13, 2002 1:24 PM
> > To: [EMAIL PROTECTED]
> > Subject: Cisco PIX Novell [7:51303]
> >
> > > We have a Cisco PIX 525. The Novell 5.1 user/client is behind the firewall. The server is outside the firewall. What do I need to do to make the client be able to sign into the server? We have it configured so that anyone on the inside can do any IP to the outside. The Netware client is set to use IP as the preferred method. Thank you.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51331t=51303