On the firewall you need to configure the public IP so that it is forwarded to the private one, and, if you want, do it only for specific ports. I'm sending you the ports that have to be forwarded.

Regards

The following information shows how IP Forwarding can be used to configure a Client Access connection to an iSeries through a firewall.

Suppose that you want to permit mobile users on the Internet to access your iSeries behind the Firewall using Client Access and Telnet. Since the users are mobile, their IP address is unknown.

Assume:

  • 192.168.2.1 is your iSeries's IP address
  • 5.5.5.5 is the public IP address that represents your iSeries on the Internet

    First, use NAT to map the iSeries's real IP address to its public IP address. NAT is configured on the IBM Firewall for iSeries product by doing the following:

    • From a client behind the firewall, point a web browser at the iSeries, port 2001. For example, if the iSeries is named myas400.priv.abc.com then point the web browser at http://myas400.priv.abc.com:2001
    • Select the "IBM Firewall for iSeries" link
    • Select "Configuration" in the left frame
    • To configure the NAT settings, select "NAT" in the right frame
    • Click on the "Insert" button
    • Choose "MAP" from the list of actions, and then click on the OK button
    • After configuring the NAT settings (as shown below), select "Configuration" in the left frame
    • To configure the filter rules (settings), select "Filters" in the right frame
    • After configuring the filter settings, select "Administration" in the left frame
    • Select "Status" in the right frame
    • Restart both NAT and Filters

      If 5.5.5.5 is NOT the non-secure IP address of your Firewall, then you can do this with 1 simple NAT setting:

        MAP 192.168.2.1 0 5.5.5.5 0

      If 5.5.5.5 is the non-secure IP address of your Firewall, then you will need to add the following NAT settings. In addition, your router must be configured so that all traffic destined to 5.5.5.5 with subnet mask 255.255.255.255 is routed to the non-secure IP address of your firewall.
       MAP 192.168.2.1 23 5.5.5.5 23    (For telnet)
       MAP 192.168.2.1 449 5.5.5.5 449    (Port Mapper)
       MAP 192.168.2.1 8470 5.5.5.5 8470    (Central server - Needed whenever PC5250 or Data Transfer is used)
       MAP 192.168.2.1 8471 5.5.5.5 8471    (Database server)
       MAP 192.168.2.1 8472 5.5.5.5 8472    (DataQueues server)
       MAP 192.168.2.1 8473 5.5.5.5 8473    (File server)
       MAP 192.168.2.1 8474 5.5.5.5 8474    (Print server)
       MAP 192.168.2.1 8475 5.5.5.5 8475    (Remote command server)
       MAP 192.168.2.1 8476 5.5.5.5 8476    (Signon server)
       MAP 192.168.2.1 8480 5.5.5.5 8480    (Ultimedia server)
       MAP 192.168.2.1 9480 5.5.5.5 9480    (Ultimedia server with SSL on)
       MAP 192.168.2.1 5555 5.5.5.5 5555    (Management Central server)
       MAP 192.168.2.1 5556 5.5.5.5 5556    (Management Central server with SSL on)

       MAP 192.168.2.1 446 5.5.5.5 446    (DDM server - Sometimes used by Client Access OLE DB support)
       MAP 192.168.2.1 448 5.5.5.5 448    (DDM server with SSL on)
       MAP 192.168.2.1 5110 5.5.5.5 5110    (MAPI server - Needed if these Mail APIs are being used)
       MAP 192.168.2.1 992 5.5.5.5 992    (Telnet with SSL on)
       MAP 192.168.2.1 9470 5.5.5.5 9470    (Central Server with SSL on)
       MAP 192.168.2.1 9471 5.5.5.5 9471    (Database Server with SSL on)
       MAP 192.168.2.1 9472 5.5.5.5 9472    (Dataqueues server with SSL on)
       MAP 192.168.2.1 9473 5.5.5.5 9473    (File Server with SSL on)
       MAP 192.168.2.1 9474 5.5.5.5 9474    (Print Server with SSL on)
       MAP 192.168.2.1 9475 5.5.5.5 9475    (Remote command server with SSL on)
       MAP 192.168.2.1 9476 5.5.5.5 9476    (Signon server with SSL on)

      The only required ports are 8476 and 449. The other ports will only need to be opened if you are using a function that they support. Most users will want to open 23, 449, and 8470 thru 8476.

      Also, be aware that parts of iSeries Operations Navigator, which is part of Client Access, also use port 2001 (and 2010 for SSL) to access the Web Admin server. A mapping rule like those above for the scenario when 5.5.5.5 is the non-secure IP address cannot be used for those 2 ports, since this would cause the firewall not to work (it uses those ports). If you need to use those functions of Operations Navigator from outside of the firewall, then you need to set up your network so that 5.5.5.5 is NOT the non-secure IP address of your Firewall. This means acquiring an additional publicly registered IP address that is NOT the same as the firewall's public IP address.

      Then, add the following Filter settings:

      ###############################################################
      ### Both side settings
      ###############################################################
      permit 192.168.2.1 255.255.255.255 0.0.0.0 0.0.0.0 tcp any 0 any 0 both both both f=y l=n t=0 # Permit iSeries replies

      ###############################################################
      ### Non-Secure side settings (add filter settings only for the ports you are using; see port descriptions above)
      ###############################################################
      permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 23 non-secure both inbound f=y l=n t=0 # Permit Telnet access to iSeries
      permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 449 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 8470 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 8471 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 8472 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 8474 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 8475 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 8476 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 8480 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 9480 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 5555 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 5556 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 446 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 448 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 5110 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 992 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 9470 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 9471 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 9472 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 9473 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 9474 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 9475 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq 9476 non-secure both inbound f=y l=n t=0 # Permit Client Access to iSeries

      ###############################################################
      ### Secure side settings (add filter settings only for the ports you are using; see port descriptions above)
      ###############################################################
      permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 23 secure both outbound f=y l=n t=0 # Permit Telnet access to iSeries
      permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 449 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 8470 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 8471 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 8472 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 8473 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 8474 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 8475 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 8476 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 8480 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 9480 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 5555 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 5556 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 446 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 448 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 5110 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 992 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 9470 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 9471 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 9472 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 9473 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 9474 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 9475 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries
      permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq 9476 secure both outbound f=y l=n t=0 # Permit Client Access to iSeries





Juan Monjo
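A consistency check for the rule sets quoted above, as an added example that is not part of the original post or of the IBM document: it cross-checks per-port MAP rules against the non-secure inbound and secure outbound permits, which catches gaps such as port 8473, which appears in the MAP and secure-side lists above but has no non-secure permit. It also reports mapped firewall-owned ports (2001, 2010) and exposed non-SSL ports that have an SSL counterpart in the port list. The sample rules are constructed, the function and finding names are hypothetical, and the single `MAP ... 0 ... 0` whole-host form is assumed not to be in use.

```python
import re

# Constructed sample in the page's rule syntax (a subset, not a real export).
NAT = """\
MAP 192.168.2.1 23 5.5.5.5 23
MAP 192.168.2.1 449 5.5.5.5 449
MAP 192.168.2.1 8473 5.5.5.5 8473
MAP 192.168.2.1 8476 5.5.5.5 8476
MAP 192.168.2.1 2001 5.5.5.5 2001
"""
_IN = "permit 0.0.0.0 0.0.0.0 5.5.5.5 255.255.255.255 tcp ge 1024 eq {} non-secure both inbound f=y l=n t=0"
_OUT = "permit 0.0.0.0 0.0.0.0 192.168.2.1 255.255.255.255 tcp ge 1024 eq {} secure both outbound f=y l=n t=0"
FILTERS = "\n".join([_IN.format(p) for p in (23, 449, 8476)] +
                    [_OUT.format(p) for p in (23, 449, 8473, 8476)])

REQUIRED = {449, 8476}            # "The only required ports" per the page
FIREWALL_OWN = {2001, 2010}       # used by the firewall itself; must not be mapped
# Non-SSL port -> SSL counterpart, taken from the page's port list.
SSL_TWIN = {23: 992, 446: 448, 5555: 5556, 8480: 9480,
            **{p: p + 1000 for p in range(8470, 8477)}}

MAP_RE = re.compile(r"^\s*MAP\s+\S+\s+(\d+)\s+\S+\s+(\d+)", re.M)
PERMIT_RE = re.compile(r"^\s*permit\s+\S+\s+\S+\s+\S+\s+\S+\s+tcp\s+\S+\s+\d+\s+eq\s+(\d+)"
                       r"\s+(non-secure|secure)\s+\S+\s+(inbound|outbound)", re.M)

def audit(nat_text, filter_text):
    """Cross-check per-port MAP rules against the filter rules on both interfaces."""
    mapped = {int(pub) for _priv, pub in MAP_RE.findall(nat_text)}
    inbound, secure_out = set(), set()
    for port, side, direction in PERMIT_RE.findall(filter_text):
        if (side, direction) == ("non-secure", "inbound"):
            inbound.add(int(port))
        elif (side, direction) == ("secure", "outbound"):
            secure_out.add(int(port))
    return {
        "mapped_but_not_permitted_inbound": sorted(mapped - inbound),
        "permitted_inbound_but_not_mapped": sorted(inbound - mapped),
        "inbound_without_secure_side_rule": sorted(inbound - secure_out),
        "required_ports_missing": sorted(REQUIRED - inbound),
        "firewall_own_ports_mapped": sorted(mapped & FIREWALL_OWN),
        "non_ssl_exposed": sorted((p, SSL_TWIN[p]) for p in inbound if p in SSL_TWIN),
    }

if __name__ == "__main__":
    for finding, ports in audit(NAT, FILTERS).items():
        print(f"{finding}: {ports}")
```

Any entry under `non_ssl_exposed` is a candidate for replacing the rule with its SSL counterpart from the port list, so that only the encrypted port is reachable from the Internet.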
