
Error with ODBC and Firewall

Status
Not open for further replies.

melchorm

Programmer
Jan 20, 2004
8
BO
Hello to all on the forum. I have a problem with the firewall: it has to control a client/server application that an AS/400 uses, which is connected by means of ODBC. When I review the firewall logs, it does not even detect that these controllers (ODBC) exist. Please, I need a hand to solve this problem.

Thank you and greetings

Melchor
 
Your question is not very clear.
From what I understand, you have a firewall, an application server and an AS400.
The application server communicates with the AS400 via ODBC, but this is not appearing in the logs.
 
That's right, it is this way. Please, I need help to solve this problem.
 
What is the rule that you are using? Is it, i.e., webserver to AS400, use (ODBC), accept, log? Can you double check that you are logging the rule? If so, how are you filtering?
 
Have you checked your routing?
Try a traceroute from the apps server and check it is going via the firewall to the AS400.
What IP address is the app server resolving the AS400 to (is it the actual IP or is it NATed)?
 
Well, when running the tests we found that the AS400 uses several ports: 449, and from 8770 to 8780.
When one works with the AS400 natively, the firewall detects and controls people who try to access it, but when an ODBC controller is used the firewall no longer does anything.
The AS400 server is only for the databases. We put it in a DMZ and we do NAT to it from the internal network to the DMZ network; from the AS400 server it is not possible to ping the internal network. I will try the traceroute to see what is happening.
 
I am having fun with AS400s in DMZs at the moment, so I know about the ports.
What version of FW-1 are you using? There are some changes between FP3 and NG&AI R54 that affect AS400 ping packet sizes (in FP3 they won't get through, but in R54> they do; this can be fixed).
Also, are you wanting the firewall to do NAT between the DMZs or just from the DMZ to the external network?

Try your traceroute and see which IP address it is using for the AS400 (actual or NATed).
 
I use version NG&AI R54 of the firewall. The DMZ uses it internally (to ensure that there is no unauthorized access to the AS400). For the time being I cannot run the traceroute test because they are using the server for other tasks; when the AS400 is free I will tell you the results. Thank you.
 
You can see if the AS400 is being NAT'd in the logfile. Open the CP tracker, view=>query properties, and in the upper right window scroll down until you see Xlatesrc, Xlatedst and Nat rule. These are most likely unchecked; just check them and do a filter on connections between the web server and the AS400, and you'll see if it's being NAT'd.
 