as/400 v4r2 NAT - IBM AS400

Thread: as/400 v4r2 NAT

  1. as/400 v4r2 NAT

    I have a v4r2 as/400 server with the telnet service and the ftp service
    enabled.

    I can access these services perfectly from my intranet, however, when I
    tell my router to show (forward) these services to the world, they
    don't work.

    I've tested another machine (windows 2000), and installed the telnet
    server there (KTS, real nice), everything worked just fine. (so it's
    not the router's fault)

    My guess is that the AS/400 security policy doesn't let me access the
    information from around the world, just the intranet.

    I have full access privileges to this machine (QSECOFR, QSECADM), but I
    have no clue as to where to set this value (to let people from the
    outside log in).

    I need this so I can give remote access through client access, spooling
    services, etc, to people outside my intranet.


    Should I use a VPN?
    --
    Any help will be greatly appreciated.

    Anything will do

    Seriously people, we are kinda desperate around here!

    HELP!


  2. Re: as/400 v4r2 NAT

    On 14 Dec 2006 06:02:42 -0800, "fel" wrote:

    >I have a v4r2 as/400 server with the telnet service and ftp the service
    >enabled.
    >
    >I can access these services perfectly from my intranet, however, when I
    >tell my router, to show (forward) this services to the world, they
    >don't work.
    >
    >I've tested another machine (windows 2000), and installed the telnet
    >server there (KTS, real nice), everything worked just fine. (so it's
    >not the router's fault)
    >
    >My guess is that the AS/400 security policy doesn't let me access the
    >information from around the world, just the intranet.
    >
    >I have full access privileges to this machine (QSECOFR, QSECADM), but I
    >have no clue on to where to set this value (to let people from the
    >outside log in).
    >
    >I need this so I can give remote access through client access, spooling
    >services, etc, to people outside my intranet.


    The ports required for FTP are 20 and 21.
    The port you need to open for telnet is 23.

    But if your Windows box is working then that's not the issue.

    Using CFGTCP, check option 2 and make sure that the next hop is
    pointing to your router.

    >Should I use a VPN ?.


    Once you get it working, yes.

    Having said that, I have machines with open FTP ports, but they have
    an exit program that will only allow a certain user/pwd combo to gain
    access. If the user/pwd combo is non-trivial, that makes it pretty
    secure. I see people trying to hack said machines all the time (once
    for 24 hours straight!) but without the user/pwd they're not getting
    in.

    You could probably extrapolate that concept to Telnet as well. If
    you're not using any default user/pwd combos then you're fairly safe
    there too. Use the ANZDFTPWD command to see if you have any problems.

    Keep in mind that without a VPN, your data is being sent in the open.
    Which for most folks isn't too big a show stopper. If I understand
    the technology correctly, someone would have to tap your phone line in
    order to see the data. Most of us aren't important enough for someone
    to go to that effort.
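
Added example (not part of the thread): a small route-table simulation showing why a server with no default route answers intranet clients but never answers connections the router forwards from outside, which is what the CFGTCP option 2 check above looks for. All addresses are constructed, and it assumes the router forwards packets without rewriting the client's source address.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match. Returns the next hop, '*DIRECT', or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, hop in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, hop)
    return best[1] if best else None

def reply_path(routes, client_ip):
    """Where the server's reply to client_ip goes, given its route table."""
    hop = lookup(routes, client_ip)
    if hop is None:
        return "dropped: no route to " + client_ip
    if hop == "*DIRECT":
        return "delivered on local subnet"
    # A next hop is only usable if it is itself directly attached.
    if lookup(routes, hop) != "*DIRECT":
        return "dropped: next hop " + hop + " not on a local subnet"
    return "sent via " + hop

# Constructed addresses (RFC 1918 / RFC 5737 documentation ranges).
LAN, ROUTER = "192.168.1.0/24", "192.168.1.1"
INTRANET_CLIENT, INTERNET_CLIENT = "192.168.1.50", "203.0.113.7"

# Only the interface's own subnet is known: intranet works, forwarded traffic does not.
ROUTES_BEFORE = [(LAN, "*DIRECT")]
# With a default route whose next hop is the router. On the AS/400 this is the
# entry CFGTCP option 2 lists, e.g. (constructed address):
#   ADDTCPRTE RTEDEST(*DFTROUTE) SUBNETMASK(*NONE) NEXTHOP('192.168.1.1')
ROUTES_AFTER = ROUTES_BEFORE + [("0.0.0.0/0", ROUTER)]
# A default route pointing at an address outside the LAN is just as broken.
ROUTES_BAD_HOP = ROUTES_BEFORE + [("0.0.0.0/0", "10.0.0.1")]

if __name__ == "__main__":
    for name, table in [("before", ROUTES_BEFORE), ("after", ROUTES_AFTER),
                        ("bad hop", ROUTES_BAD_HOP)]:
        for client in (INTRANET_CLIENT, INTERNET_CLIENT):
            print(f"{name:8} {client:15} -> {reply_path(table, client)}")
```

The same reasoning explains the Windows 2000 test: a host that already has a default gateway can reply to the forwarded client, so the port forward itself was never the fault.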

  3. Re: as/400 v4r2 NAT


    Scott Coffey wrote:
    > On 14 Dec 2006 06:02:42 -0800, "fel" wrote:
    >
    > >I have a v4r2 as/400 server with the telnet service and ftp the service
    > >enabled.
    > >
    > >I can access these services perfectly from my intranet, however, when I
    > >tell my router, to show (forward) this services to the world, they
    > >don't work.
    > >
    > >I've tested another machine (windows 2000), and installed the telnet
    > >server there (KTS, real nice), everything worked just fine. (so it's
    > >not the router's fault)
    > >
    > >My guess is that the AS/400 security policy doesn't let me access the
    > >information from around the world, just the intranet.
    > >
    > >I have full access privileges to this machine (QSECOFR, QSECADM), but I
    > >have no clue on to where to set this value (to let people from the
    > >outside log in).
    > >
    > >I need this so I can give remote access through client access, spooling
    > >services, etc, to people outside my intranet.

    >
    > The ports required for FTP are 20 and 21.
    > The port you need to open for telnet is 23.
    >
    > But if your Windows box is working then that's not the issue.
    >


    correct.

    > Using CFGTCP, check option 2 and make sure that the next hop is
    > pointing to your router.
    >


    It's sad for me to see how little I know about these topics.
    the internet used to be fun when I was just a user, and didn't know
    anything about how it works.

    now it's my duty to know how some parts of it work...

    for instance, this part:


    ADDTCPRTE

    you tell me that I should put in next hop field the router address.
    but I don't know what to put in the other fields,
    various experiments prove futile.

    please help.


    > >Should I use a VPN ?.

    >
    > Once you get it working, yes.
    >
    > Having said that, I have machines with open FTP ports, but they have
    > an exit program that will only allow a certain user/pwd combo to gain
    > access. If the user/pwd combo is non-trivial, that makes it pretty
    > secure. I see people trying to hack said machines all the time (once
    > for 24 hours straight!) but without the user/pwd they're not getting
    > in.
    >
    > You could probably extrapolate that concept to Telnet as well. If
    > you're not using any default user/pwd combos then you're fairly safe
    > there too. Use the ANZDFTPWD command to see if you have any problems.
    >
    > Keep in mind that without a VPN, your data is being sent in the open.
    > Which for most folks isn't too big a show stopper. If I understand
    > the technology correctly, someone would have to tap your phone line in
    > order to see the data.


    wasn't SNA encrypted?

    > Most of us aren't important enough for someone
    > to go to that effort.



  4. Re: as/400 v4r2 NAT


    fel wrote:
    > Scott Coffey wrote:
    > > On 14 Dec 2006 06:02:42 -0800, "fel" wrote:
    > >
    > > >I have a v4r2 as/400 server with the telnet service and ftp the service
    > > >enabled.
    > > >
    > > >I can access these services perfectly from my intranet, however, when I
    > > >tell my router, to show (forward) this services to the world, they
    > > >don't work.
    > > >
    > > >I've tested another machine (windows 2000), and installed the telnet
    > > >server there (KTS, real nice), everything worked just fine. (so it's
    > > >not the router's fault)
    > > >
    > > >My guess is that the AS/400 security policy doesn't let me access the
    > > >information from around the world, just the intranet.
    > > >
    > > >I have full access privileges to this machine (QSECOFR, QSECADM), but I
    > > >have no clue on to where to set this value (to let people from the
    > > >outside log in).
    > > >
    > > >I need this so I can give remote access through client access, spooling
    > > >services, etc, to people outside my intranet.

    > >
    > > The ports required for FTP are 20 and 21.
    > > The port you need to open for telnet is 23.
    > >
    > > But if your Windows box is working then that's not the issue.
    > >

    >
    > correct.
    >
    > > Using CFGTCP, check option 2 and make sure that the next hop is
    > > pointing to your router.
    > >

    >
    > It's sad for me to see how little I know about these topics.
    > the internet used to be fun when I was just a user, and didn't know
    > anything about how it works.
    >
    > now its my duty to know how some parts of it works...
    >
    > for instance, this part:
    >
    >
    > ADDTCPRTE
    >
    > you tell me that I should put in next hop field the router address.
    > but I don't know what to put in the other fields,
    > various experiments prove futile.
    >
    > please help.
    >
    >
    > > >Should I use a VPN ?.

    > >
    > > Once you get it working, yes.
    > >
    > > Having said that, I have machines with open FTP ports, but they have
    > > an exit program that will only allow a certain user/pwd combo to gain
    > > access. If the user/pwd combo is non-trivial, that makes it pretty
    > > secure. I see people trying to hack said machines all the time (once
    > > for 24 hours straight!) but without the user/pwd they're not getting
    > > in.
    > >
    > > You could probably extrapolate that concept to Telnet as well. If
    > > you're not using any default user/pwd combos then you're fairly safe
    > > there too. Use the ANZDFTPWD command to see if you have any problems.
    > >
    > > Keep in mind that without a VPN, your data is being sent in the open.
    > > Which for most folks isn't too big a show stopper. If I understand
    > > the technology correctly, someone would have to tap your phone line in
    > > order to see the data.

    >
    > wasn't SNA encrypted?
    >
    > > Most of us aren't important enough for someone
    > > to go to that effort.





    thanks, it seems to work now, lots of testing to be done...


  5. Re: as/400 v4r2 NAT

    On 14 Dec 2006 08:55:43 -0800, "fel" wrote:

    >
    >fel wrote:
    >> Scott Coffey wrote:
    >> > On 14 Dec 2006 06:02:42 -0800, "fel" wrote:
    >> >
    >> > >I have a v4r2 as/400 server with the telnet service and ftp the service
    >> > >enabled.
    >> > >
    >> > >I can access these services perfectly from my intranet, however, when I
    >> > >tell my router, to show (forward) this services to the world, they
    >> > >don't work.
    >> > >
    >> > >I've tested another machine (windows 2000), and installed the telnet
    >> > >server there (KTS, real nice), everything worked just fine. (so it's
    >> > >not the router's fault)
    >> > >
    >> > >My guess is that the AS/400 security policy doesn't let me access the
    >> > >information from around the world, just the intranet.
    >> > >
    >> > >I have full access privileges to this machine (QSECOFR, QSECADM), but I
    >> > >have no clue on to where to set this value (to let people from the
    >> > >outside log in).
    >> > >
    >> > >I need this so I can give remote access through client access, spooling
    >> > >services, etc, to people outside my intranet.
    >> >
    >> > The ports required for FTP are 20 and 21.
    >> > The port you need to open for telnet is 23.
    >> >
    >> > But if your Windows box is working then that's not the issue.
    >> >

    >>
    >> correct.
    >>
    >> > Using CFGTCP, check option 2 and make sure that the next hop is
    >> > pointing to your router.
    >> >

    >>
    >> It's sad for me to see how little I know about these topics.
    >> the internet used to be fun when I was just a user, and didn't know
    >> anything about how it works.
    >>
    >> now its my duty to know how some parts of it works...
    >>
    >> for instance, this part:
    >>
    >>
    >> ADDTCPRTE
    >>
    >> you tell me that I should put in next hop field the router address.
    >> but I don't know what to put in the other fields,
    >> various experiments prove futile.
    >>
    >> please help.
    >>
    >>
    >> > >Should I use a VPN ?.
    >> >
    >> > Once you get it working, yes.
    >> >
    >> > Having said that, I have machines with open FTP ports, but they have
    >> > an exit program that will only allow a certain user/pwd combo to gain
    >> > access. If the user/pwd combo is non-trivial, that makes it pretty
    >> > secure. I see people trying to hack said machines all the time (once
    >> > for 24 hours straight!) but without the user/pwd they're not getting
    >> > in.
    >> >
    >> > You could probably extrapolate that concept to Telnet as well. If
    >> > you're not using any default user/pwd combos then you're fairly safe
    >> > there too. Use the ANZDFTPWD command to see if you have any problems.
    >> >
    >> > Keep in mind that without a VPN, your data is being sent in the open.
    >> > Which for most folks isn't too big a show stopper. If I understand
    >> > the technology correctly, someone would have to tap your phone line in
    >> > order to see the data.

    >>
    >> wasn't SNA encrypted?
    >>
    >> > Most of us aren't important enough for someone
    >> > to go to that effort.

    >
    >
    >
    >
    >thanks, it seems to work now, lots of testing to be done...


    Good luck!

  6. Re: as/400 v4r2 NAT

    Go here and read up:

    http://www-922.ibm.com/easy400p/fram...l?url=/tcpcfgs

    fel wrote:
    > I have a v4r2 as/400 server with the telnet service and ftp the service
    > enabled.

