Sqlnet Communication problem

olukayode.olabanji — Tue, 12 Mar 2019 00:55:44 GMT

Hi Community,

I have a challenge getting 2 Oracle servers with each located in "internal" and "DMZ" network segments.

The oracle server on the internal network can communicate with the one on the DMZ but the one on the DMZ can NOT talk to the one on the internal network.

The customer wants the architecture to enable realtime data updates on the Oracle in DMZ.

My config is as follows: I need help.

ciscoasa# wr t

: Saved

ASA Version 8.4(3)

hostname ciscoasa

domain-name default.domain.invalid

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 10.1.184.131 Proxy_Server

name 192.168.10.1 Internet_Router

name 10.1.184.122 Mail_Server

name 10.1.184.116 Mail_Server_2

name 10.1.184.121 Mail_Server_3

dns-guard

interface GigabitEthernet0/0

nameif Inside

security-level 100

ip address 10.1.184.1 255.255.248.0 standby 10.1.184.254

interface GigabitEthernet0/1

description LAN/STATE Failover Interface

interface GigabitEthernet0/2

nameif DMZ

security-level 50

ip address 192.168.30.1 255.255.255.0 standby 192.168.30.2

interface GigabitEthernet0/3

nameif Outside

security-level 0

ip address 192.168.10.2 255.255.255.0 standby 192.168.10.20

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

boot system disk0:/asa843-k8.bin

ftp mode passive

clock timezone GMT 1

dns server-group DefaultDNS

domain-name default.domain.invalid

object network Proxy_Server

host 10.1.184.131

object network Mail_Server

host 10.1.184.122

object network Internet_Router

host 192.168.10.1

description Created during name migration

object network Mail_Server_2

host 10.1.184.116

description Created during name migration

object network Mail_Server_3

host 10.1.184.121

description Created during name migration

object network WebServer1

host 192.168.30.3

object network InternalNetwork

subnet 10.1.184.0 255.55.248.0

object network DMZ-IdentityPool

range 192.168.30.30 192.168.30.254

object network WebServer2

host 192.168.30.4

object network obj-remote

subnet 192.168.0.0 255.255.255.0

object network obj-DMZ

subnet 192.16.30.0 255.255.255.0

object network DatabaseServer

host 10.1.184.134

object network AppServer

host 10.1.184.126

object network MailServer

host 10.1.184.116

access-list Inside_access_in extended permit ip object Proxy_Server any

access-list Inside_access_in extended permit ip host 10.1.184.190 any

access-list Inside_access_in extended permit ip host 10.1.184.83 any

access-list Inside_access_in extended permit icmp host 10.1.184.190 any

access-list Inside_access_in extended permit ip host 10.1.184.67 any inactive

access-list Inside_access_in extended permit ip host 10.1.184.83 object Internet_Router

access-list Inside_access_in extended permit ip host 10.1.184.190 object Internet_Router

access-list Inside_access_in extended permit udp any any

access-list Inside_access_in extended permit icmp any any

access-list Inside_access_in extended permit ip object Mail_Server any

access-list Inside_access_in extended permit tcp object Mail_Server any eq smtp

access-list Inside_access_in extended permit ip object Mail_Server_2 any

access-list Inside_access_in extended permit tcp object Mail_Server_2 any eq smtp

access-list Inside_access_in extended deny tcp any any eq smtp

access-list Inside_access_in extended permit icmp host 10.1.184.43 any

access-list Inside_access_in extended permit ip object Mail_Server_3 any

access-list Inside_access_in extended permit tcp object Mail_Server_3 any eq smtp

access-list Inside_access_in extended permit ip host 10.1.184.190 host 192.168.30.3

access-list Inside_access_in extended permit tcp object InternalNetwork host 192.168.30.3 eq www

access-list Inside_access_in extended permit ip host 10.1.184.137 host 10.1.184.133

access-list Inside_access_in extended permit ip host 10.1.184.62 host 10.1.184.133

access-list Inside_access_in extended permit ip host 10.1.184.117 any

access-list Inside_access_in extended permit ip host 10.1.184.117 object Internet_Router

access-list Inside_access_in extended permit ip host 10.1.184.129 any

access-list Inside_access_in extended permit ip host 10.1.184.129 object Internet_Router

access-list Inside_access_in extended permit ip host 10.1.184.150 host 10.1.184.133

access-list Inside_access_in extended permit ip host 10.1.184.150 any

access-list Inside_access_in extended permit ip host 10.1.184.190 host 192.168.30.4

access-list Inside_access_in extended permit tcp object InternalNetwork host 192.168.30.4 eq www

access-list Inside_access_in extended permit tcp host 10.1.184.134 host 192.168.30.4 eq sqlnet

access-list Outside_access_in extended permit udp any eq domain object Proxy_Server

access-list Outside_access_in extended permit icmp object Internet_Router any

access-list Outside_access_in extended permit icmp any host 10.1.184.190

access-list Outside_access_in extended permit icmp any host 10.1.184.83 inactive

access-list Outside_access_in extended permit tcp any object Proxy_Server eq https

access-list Outside_access_in extended permit tcp any object Proxy_Server eq www

access-list Outside_access_in extended permit tcp any object Mail_Server eq smtp inactive

access-list Outside_access_in extended permit tcp any object Mail_Server_2 eq pop3

access-list Outside_access_in extended permit udp any eq domain object Mail_Server_2

access-list Outside_access_in extended permit tcp any object Mail_Server eq imap4 inactive

access-list Outside_access_in extended permit icmp any object Mail_Server inactive

access-list Outside_access_in extended permit tcp any object Mail_Server_2 eq smtp

access-list Outside_access_in extended permit tcp any object Mail_Server_2 eq imap4

access-list Outside_access_in extended permit icmp any object Mail_Server_2

access-list Outside_access_in extended permit icmp any host 10.1.184.43

access-list Outside_access_in extended permit tcp any host 192.168.30.3 eq www

access-list Outside_access_in extended permit tcp any host 192.168.30.3 eq https

access-list Outside_access_in extended permit icmp any host 192.168.30.3

access-list Outside_access_in extended permit icmp any any echo-reply

access-list Outside_access_in extended permit icmp any host 192.168.30.3 echo

access-list Outside_access_in extended permit tcp any host 192.168.30.4 eq www

access-list Outside_access_in extended permit tcp any host 192.168.30.4 eq https

access-list Outside_access_in extended permit icmp any host 192.168.30.4 echo

access-list Outside_access_in extended permit icmp any host 192.168.30.4

access-list branchgroup-SplitACL standard permit 10.0.0.0 255.0.0.0

access-list branchgroup-SplitACL standard permit 192.168.30.0 255.255.255.0

access-list DMZ_access_in extended permit tcp host 192.168.30.4 host 192.168.30.116 eq smtp

access-list DMZ_access_in extended permit icmp host 192.168.30.4 any

access-list DMZ_access_in extended permit ip host 192.168.30.4 host 192.168.30.134

access-list DMZ_access_in extended permit tcp host 192.168.30.4 host 192.168.30.134 eq sqlnet

pager lines 24

logging enable

logging timestamp

logging standby

logging emblem

logging list InformationalLog level informational

logging list InformationalLog message 101001

logging buffer-size 16384

logging console notifications

logging monitor errors

logging buffered critical

logging trap errors

logging asdm critical

logging mail informational

logging host Inside 10.1.184.132

logging host Inside 10.1.184.190 6/1470

logging debug-trace

logging ftp-server 10.1.184.190 \\marinasec\akanoa akanoa *****

logging permit-hostdown

logging class auth buffered emergencies trap emergencies

logging class bridge buffered emergencies trap emergencies

logging class config buffered alerts trap emergencies

logging class ip buffered emergencies trap alerts

logging class sys trap alerts

logging class ca trap emergencies

logging class email buffered emergencies trap errors

mtu Inside 1500

mtu DMZ 1500

mtu Outside 1500

mtu management 1500

ip local pool remoteusers 192.168.0.1-192.168.0.254

failover

failover lan unit secondary

failover lan interface stateful_failover GigabitEthernet0/1

failover replication http

failover link stateful_failover GigabitEthernet0/1

failover interface ip stateful_failover 192.168.20.1 255.255.255.252 standby 192.168.20.2

no monitor-interface management

icmp unreachable rate-limit 1 burst-size 1

icmp permit any Inside

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 14400

nat (DMZ,Outside) source static obj-DMZ obj-DMZ destination static obj-remote obj-remote

nat (Inside,Outside) source static InternalNetwork InternalNetwork destination static obj-remote obj-remote

object network Mail_Server

nat (Inside,Outside) static Mail_Server no-proxy-arp route-lookup

object network WebServer1

nat (DMZ,Outside) static 192.168.30.3 dns

object network WebServer2

nat (DMZ,Outside) static 192.168.30.4 dns

object network DatabaseServer

nat (Inside,DMZ) static 192.168.30.134

object network AppServer

nat (Inside,DMZ) static 192.168.30.126

object network MailServer

nat (Inside,DMZ) static 192.168.30.116

access-group Inside_access_in in interface Inside

access-group DMZ_access_in in interface DMZ

access-group Outside_access_in in interface Outside

route Outside 0.0.0.0 0.0.0.0 Internet_Router 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server vpn protocol radius

aaa-server vpn (Inside) host 10.1.184.119

key *****

aaa-server vpn (Inside) host 10.1.184.120

key *****

user-identity default-domain LOCAL

http server enable

http 10.1.184.190 255.255.255.255 Inside

http 10.1.184.2 255.255.255.255 Inside

http 10.1.184.83 255.255.255.255 Inside

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec ikev1 transform-set rmtset esp-3des esp-md5-hmac

crypto dynamic-map dyn1 1 set ikev1 transform-set rmtset

crypto dynamic-map dyn1 1 set reverse-route

crypto map mymap 1 ipsec-isakmp dynamic dyn1

crypto map mymap interface Outside

crypto ikev1 enable Outside

crypto ikev1 policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 43200

telnet 10.1.184.83 255.255.255.255 Inside

telnet 10.1.184.190 255.255.255.255 Inside

telnet 10.1.184.167 255.255.255.255 Inside

telnet timeout 5

ssh 10.1.184.83 255.255.255.255 Inside

ssh 10.1.184.190 255.255.255.255 Inside

ssh 10.1.184.43 255.255.255.255 Inside

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

group-policy branchgroup internal

group-policy branchgroup attributes

dns-server value 10.1.184.120

split-tunnel-policy tunnelspecified

split-tunnel-network-list value branchgroup-SplitACL

default-domain value marinasecuritieslimited.com

username sannib password 3gB/xWLMBVp/AjjW encrypted

username adebimpel password O./lZ/3rlYD/87u2 encrypted

username ojoawob password w1h9Aq2Welzv1fuW encrypted

username agbajer password NuDaZPLHC0BcF7iI encrypted

username oyenihib password eoxptVEUfczen6VR encrypted

username odewolef password yB12L9t1gcr.Wgx/ encrypted

username mainuser password 8KBTvbq5FOuoFce2 encrypted privilege 15

username maakano password c1Cb3uSluyfsyWUb encrypted

tunnel-group branchgroup type remote-access

tunnel-group branchgroup general-attributes

address-pool remoteusers

default-group-policy branchgroup

tunnel-group branchgroup ipsec-attributes

ikev1 pre-shared-key *****

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns migrated_dns_map_1

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

class class-default

user-statistics accounting

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

hpm topN enable

Cryptochecksum:bbe838eb9af33fc84083989823bc0c22

: end

[OK]

ciscoasa#

Re: Sqlnet Communication problem

Jouni Forss — Sun, 03 Feb 2013 17:10:07 GMT

Hi,

Seems to me that you have configured Static NAT from "inside" to "dmz" so that the "inside" servers are visible to the "dmz" with the IP address belonging to the "dmz"

Is this something that you absolutely need? Is there something preventing you from using the IP address ranges on both "inside" and "dmz" and not doing NAT for them at all between those interfaces?

IF you want to keep the current setup intact regarding NAT, change the DMZ ACL to use the actual 10.1.184.x IP addresses as the destination IP address in the ACL.

In other words, always use the Real IP address of the host in the ACL configuration, NOT the NAT IP address. After doing that change I suppose it should also work for "dmz" to "inside". (NAT IP was used in the ACL in the ASA versions 8.2 and below, the Real IP address is used in software 8.3 and above)

Change

access-list DMZ_access_in extended permit tcp host 192.168.30.4 host 192.168.30.116 eq smtp

access-list DMZ_access_in extended permit icmp host 192.168.30.4 any

access-list DMZ_access_in extended permit ip host 192.168.30.4 host 192.168.30.134

access-list DMZ_access_in extended permit tcp host 192.168.30.4 host 192.168.30.134 eq sqlnet

access-list DMZ_access_in extended permit tcp host 192.168.30.4 host 10.1.184.116 eq smtp

access-list DMZ_access_in extended permit icmp host 192.168.30.4 any

access-list DMZ_access_in extended permit ip host 192.168.30.4 host 10.1.184.134

access-list DMZ_access_in extended permit tcp host 192.168.30.4 host 10.1.184.134 eq sqlnet

You can also use the "object" names in the ACL.

Which would be

access-list DMZ_access_in extended permit tcp host 192.168.30.4 object MailServer eq smtp

access-list DMZ_access_in extended permit icmp host 192.168.30.4 any

access-list DMZ_access_in extended permit ip host 192.168.30.4 object DatabaseServer

access-list DMZ_access_in extended permit tcp host 192.168.30.4 object DatabaseServer eq sqlnet

Hope the above helps Please ask more if needed.

- Jouni

topic Sqlnet Communication problem in Network Security

Sqlnet Communication problem

Re: Sqlnet Communication problem