Figure 2-13 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses a single host for both web services and Telnet services. When the host accesses the server for web services, the local address is translated to 209.165.202.129. When the host accesses the same server for Telnet services, the local address is translated to 209.165.202.130.

Figure 2-13 Policy NAT with Different Destination Ports

The syntax for this configuration example follows:

access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 80

access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 23

nat (inside) 1 access-list WEB

global (outside) 1 209.165.202.129 255.255.255.255

nat (inside) 2 access-list TELNET

global (outside) 2 209.165.202.130 255.255.255.255

Limitations

The following configuration limitations apply to policy NAT:

•Access lists must contain permit statements only. Access lists for policy NAT cannot contain deny statements.

•An access list must be used only once with the nat command. For example, the following configuration would produce an error:

nat (inside) 1 access-list mylist-A

nat (inside) 2 access-list mylist-A

Whereas, the following configuration would not produce an error:

nat (inside) 1 access-list mylist-A

nat (inside) 2 access-list mylist-B

•Use an access list only once between the nat and static commands.

•A global address cannot be used concurrently for NAT and PAT.

•static commands are matched and executed before nat commands.

•Policy NAT does not support SQL*Net, which is supported by regular NAT.

Notes

Servers	Ports	Descriptions
Port Mapper	449	Port Mapper returns the port number for the requested server.
Sign-on	8476 (9476)	Sign-on is used for every iSeries Access connection to authenticate users and to change passwords. It is also used to retrieve Application Administration settings.
Central	8470 (9470)	Central is used when an iSeries Access license is required. It's also used for downloading conversion tables.
Data Queue	8472 (9472)	Data Queue allows access to the iSeries data queues, used for passing data between applications.
Database	8471 (9471)	Database is used for accessing the OS/400 database.
Remote Command	8475 (9475)	Remote Command is used for sending commands from a PC to an iSeries and for program calls.
File	8473 (9473)	File is used for accessing any part of the OS/400 file system.
Print	8474 (9474)	Print is used to access printers known to the OS/400.
Web Admin	2001 (2010)	Web Admin is used to access Web applications served by the iSeries.
DDM	446 (448)	DDM is used to access data via DRDA. It's also used for record-level access.
Telnet	23 (992)	Telnet is used to access 5250 emulation.
Netserver	137, 138, 139, 8474	Netserver allows access to the OS/400 Integrated File System (IFS) from Windows PCs.
USF	8480	USF (or Ultimedia) is used for multimedia data. (Note: This server is being removed in a future release.)
LDAP	389 (636)	LDAP provides a network directory service.
Management Central	5555 5544 5577 (5566)	Management Central is used to manage multiple iSeries 400s in a network.

Figure 1: These are the ports associated with the servers used by iSeries Access for Windows.

Figure 2 lists some common iSeries Access functions and the servers that they utilize. Using Figure 1 and Figure 2, you should be able to determine which ports you need to open on your firewall. Also, these two tables are available on the iSeries Access Web site, in the Information APARs section. Select II12227. This page is kept up-to-date with the latest information on iSeries Access port usage. There could be additions to this table at any time, although it's likely that changes will be seen only on release boundaries.

Client Access Function	Servers Used
PC5250 display and printer emulation	Sign-on, Central, Telnet
Data transfer	Sign-on, Central, Database
Base iSeries Navigator support	Sign-on, Remote Command
All iSeries Navigator functions	Sign-on, Remote Command, File, Print, Database, Web Admin, Management Central, USF, Netserver, LDAP, Data Queue
ODBC	Sign-on, Database
OLE DB	Sign-on, Database, DDM, Remote Command, Data Queue
AFP Viewer	Sign-on, Print
Client Access Install from iSeries	Netserver
Incoming Remote Command	Uses no specific server, and iSeries port will vary. PC-side port is 512.
Fax support	Sign-on, Print

Notes

if you type in .\ before the username, that will instruct it that you are logging onto the local computer.  so for your Administrator example, you would put in     .\Administrator

Notes

To reset the SST password:
-sign on as QSECOFR
-use the  Change IBM Service Tools Pwd (CHGDSTPWD) command:
CHGDSTPWD PASSWORD(*DEFAULT)
-now go into STRSST, and sign on with user QSECOFR and password QSECOFR
you will be prompted to change the password.

You can access a similar hardware listing without going into SST using the Display Hardware Resources (DSPHDWRSC) command:
DSPHDWRSC TYPE(*AHW) OUTPUT(*PRINT)

Getting Support for Form Types on One or More Remote Output Queues

Remote writers can support form types; however, you must start the writer with the message option set to *INQMSG (so you get an inquiry message whenever the form type changes) or change the writer after it has started. To start the writer with form type support, use the following operating system command:

STRRMTWTR OUTQ(remote-outq-name) FORMTYPE(*ALL *INQMSG)

To change an existing writer to have form type support, use the following operating system command:

CHGWTR WTR(remote-outq-name) FORMTYPE(*ALL *INQMSG)

After you have done either of these, you will receive message CPA3394 - Load form type '&4' device &5 writer &1 in the writer's message queue whenever the form type changes. However, if the writer ends and restarts automatically or manually without specifying FORMTYPE(*ALL *INQMSG), you will no longer receive message CPA3394.

Notes

Admin Alert: More on Remote OUTQs and Printer Load Form Messages

by Timothy Prickett Morgan

One of the nice things about writing the Admin Alert column is the dedicated readers who fill in the gaps in my knowledge. Several readers e-mailed to correct my assertion last week that remote writers don't send reply messages to your iSeries or AS/400, demonstrating that the auto-answer technique for replying to printer load form messages, which I wrote about a few weeks ago, would indeed work with remote printer output queues.

For the record, I was wrong when I said that you could not auto-answer printer load form messages for remote writers, because OS/400 doesn't allow for these messages with remote output queues. OS/400 remote writers are capable of sending and receiving replies to printer load form messages from remote writers, and here's a sampling of the volumes of e-mail I received on the subject to prove it. I offer these tidbits to add to this column's collective knowledge.

The general reaction to my comments is best summed up in this e-mail from Doug Streifling:

Regarding your column's comment that "remote OUTQs don't care about forms," I beg to differ.

IBM does indeed support forms changes for remote output queues. All of our printers (about 50) are TCP/IP-attached devices. Six of these are used to print checks, and it is vital that the operator is warned if it is time to load check forms. I can assure you that our payroll and accounts-payable people receive a break message to load forms, just like we are used to from days of old. We have done no special programming; we just specify the form type on the print file.

The default for the Form Type options (FORMTYPE) parameter of Start Remote Writer (STRRMTWTR) is FORMTYPE(*ALL *NOMSG), which causes the printer to behave exactly as described in your article (that is, it leaves load form message handling to the remote system). However, if you specify FORMTYPE(*ALL *INQMSG), the remote writer will generate a "load forms" message when a spooled file is sent to the printer that has a form type that is different from the last form type sent. A really easy way to implement load form inquiry messages is to change the STRRMTWTR FORMTYPE parameter command default from *NOMSG to *INQMSG. This solves the problem instantly.

So this means I was half-wrong and that remote output queue writers will send load form type messages back to OS/400, provided that they are started correctly. I tested the above technique on a fresh remote printer output queue, started through Doug's FORMTYPE settings, and it worked. I did receive printer load messages prompting me to load the correct forms before printing started.

But notice that Doug mentioned that you can change the default settings for the STRRMTWTR FORMTYPE parameter to (*ALL *INQMSG) in order to specify that new remote writers will automatically send back inquiry messages. The exact command for doing so was provided by Peter Amstutz:

You can change the command so that you do get load forms messages by changing the FORMTYPE parameter default option to *INQMSG, with the following Change Command Default (CHGCMDDFT) command:

CHGCMDDFT CMD(STRRMTWTR) NEWDFT('FORMTYPE(*ALL *INQMSG)')

Unless specifically overwritten, any remote output queue created with STRRMTWTR will automatically send back printer messages. Your change to the reply list entry would work in this case for a remote writer.

So in two e-mails, I received one quick technique for configuring my remote output queues to receive form messages. But that wasn't the end of it. Another reader wrote in with an additional technique for receiving printer messages from remote writers:

If you use the CHGOUTQ command to put the following string in the Destination Option parameter of your remote output queue, then the reply list entry technique will work.

CHGOUTQ OUTQ(output_queue_name) DESTOPT('XAIX XAUTOQ')

For this technique, only the XAUTOQ string will have an effect on your printer messages, but it's worth putting in both strings to better handle your printouts.

According to IBM documentation, the auto-queue destination option (XAUTOQ) tells OS/400 to send the files directly to the remote system unless the remote printer times out during the operation. During a timeout, the spool files are sent back to your remote output queue using the AS/400's Line Printer Daemon (LPD) server, generating an inquiry message in the process. When the remote writer is running again, it will resend the spool file to the remote system.

I tested the ability of XAUTOQ to generate a form load message on a new remote printer output queue by sending it two consecutive spool files with different form types. Sorry to say, I didn't receive an error message to change the form type. Both files printed automatically without sending out a change form type message. It's possible that I configured my test wrong, so be careful if you decide to try this solution for load form type messages. One reader said it worked and another was unable to verify that claim (although it seems that XAUTOQ by itself might be a good solution for resending spool file output when the remote printer is out of paper or offline).

The XAIX string controls how you print multiple copy spool files to the remote system. Specifying XAIX tells OS/400 that when it's printing multiple copies of the same spool file to the remote system, it should send the printouts multiple times, once for each copy. The default is to send the data once, along with its control commands, with multiple print commands embedded in the control file. According to several sources, using XAIX to control multiple spool file printing is a much more reliable way to do this.

But this reader didn't stop there. He also reminded me that one of the challenges in using TCP/IP printing is to implement page range support, where users print a range of pages from the spool file to the remote writer, rather than printing the entire spool file. Midrange Guru recently published an excellent tip on how to perform page range printing for TCP/IP printers.

So there you have it. My mistake brought out a deeper understanding of how remote output queues work and of how you can apply them to your advantage. Keep those e-mails coming, folks, because we can all learn something from them.

Notes