Ascend Archive

Re: (ASCEND) Pipeline 130 w/ Firewall



On 20 Oct 98, at 15:49, Chris Lehr wrote:

> Hey all..
> 
> If this is a newbie question, flame away  :P
> 
> How do I check versions of the firewall/router and the big bad question:
> 
> Here is my network:
> 
> Internet, connected to the Router (ascend 130 -- 206.24.45.1) via a
> CSU/DSU for MUXing, to a 100MB hub with 3 machines on it, 1 web server,
> one Msproxy, one raptor firewall.  The latter 2 are multihomed, and
> attached to the REAL internal network which is 10.*.*.*
> 
> Now..  here is the problem.  My Exchange box (10.0.0.5) has been having
> issues ever since we installed the Ascend firewall.  It sends using IMC
> just fine to some sites, and not at all to others.  Does anyone know if
> some mail servers double check to see if the mail server on the net
> exists first?  Basically, the Exchange Server reroutes through the IMC
> using mail.tcginc.com (206.24.45.56) -- now if some mail servers double
> check (or try to) by using ping or traceroute to that IP or name, they
> get nada, nothing, etc.

OK, the remote end is probably not trying to ping or traceroute, but 
more than likely is trying to get an ident from your mail server.

Ident checking is enabled by default on Sendmail, so what you 
may find is that the only sites which you are having problems with 
are mainly ones which are running Sendmail.

Some admins prefer to switch ident checking off, or reduce the 
timeouts.

The ident request is hitting the firewall and getting sent to the bit 
bucket, so the remote end just keeps retrying.

What you can do is allow identd requests (TCP port 113) through 
the firewall, for the NT server. As soon as it hits the NT server, 
which isn't running an Identd, an ICMP port unreachable is sent 
back to the remote end, the Sendmail gives up on waiting for an 
Ident, and accepts the message - or at least that's what should 
happen!

Give it a go and see what you get.

Mike
-- 
Mike Hughes - Network Services         mike@dircon.net
Tel: 0181 297 0300                     http://www.dircon.net/
Fax: 0181 463 9820
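
An added example, not part of the original message: a small Python check, meant to be run from an outside host against your own mail server, that tells a firewall silently dropping TCP port 113 apart from the host refusing it. The function names and the loopback fixtures in `demo()` are constructed for illustration.

```python
import socket

IDENT_PORT = 113  # TCP port for ident requests, as named in the message above


def classify_ident_path(host, port=IDENT_PORT, timeout=3.0):
    """Return how a TCP connect to host:port ends, as the remote MTA sees it.

    "open"        - something is listening (an identd answered the connect)
    "refused"     - fast negative answer; the caller can give up at once
    "dropped"     - no answer within `timeout`; the caller waits and retries
    "unreachable" - the network stack reported some other error
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "dropped"
    except OSError:
        return "unreachable"
    finally:
        sock.close()


def demo():
    """Run the check against two constructed loopback fixtures."""
    # Fixture 1: a listener standing in for a host that runs an identd.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    results = {"listening": classify_ident_path("127.0.0.1", open_port)}
    listener.close()
    # Fixture 2: the same port with nothing listening, standing in for a
    # server without an identd once the firewall lets port 113 through.
    results["not_listening"] = classify_ident_path("127.0.0.1", open_port)
    return results


if __name__ == "__main__":
    print(demo())
```

A result of "dropped" against the real mail server's address matches the retry behaviour described above; "refused" is the outcome the suggested firewall change is aiming for.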

