02-17-2004 08:33 AM - edited 02-20-2020 11:14 PM
Hello everybody,
I need help here, I'm quite new to PIX configuration.
Can the PIX allow a connection from inside to outside to an Oracle server?
My customer just needs to buy a firewall to protect the Oracle server.
I have already configured the PIX (without NAT) and I allow the sql*net fixup protocol.
But still the client cannot connect to the oraclesvr.
I've tried to search for some guide and config example but no luck finding it. Can someone please tell me what I missed?
Thanks
Ing
02-17-2004 09:32 AM
Hi,
Can you please provide some syslog messages, do the following on the PIX (in config mode),
> logging on
> logging buffer debug
Now on the PIX issue - Sho logging
Can you post the results and hopefully we can see what's going on.
Thanks - Jay
02-17-2004 07:13 PM
Hi Jay,
I'm sorry I cannot give you the logging for now because my customer's place is too far away from my office.
I'll try to guide the local admin to test it again and mail me the full config; I hope it will be enough.
Thanks
Sab
02-18-2004 12:00 AM
Hi Jay,
here's the log I can find,
please suggest
Ing
PIX(config)# show log
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 41 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
111008: User 'enable_15' executed the 'logging buffer debug' command.
302013: Built outbound TCP connection 56 for outside:10.83.56.22/1521 (10.83.56.22/1521) to inside:10.83.58.100/1042 (10.83.58.100/1042)
602101: PMTU-D packet 44 bytes greater than effective mtu 0, dest_addr=10.83.58.100, src_addr=10.83.56.22, prot=tcp
602101: PMTU-D packet 40 bytes greater than effective mtu 0, dest_addr=10.83.58.100, src_addr=10.83.56.22, prot=tcp
602101: PMTU-D packet 40 bytes greater than effective mtu 0, dest_addr=10.83.58.100, src_addr=10.83.56.22, prot=tcp
602101: PMTU-D packet 44 bytes greater than effective mtu 0, dest_addr=10.83.58.100, src_addr=10.83.56.22, prot=tcp
PIX(config)# show run
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX
domain-name tddi.co.id
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
fixup protocol sqlnet 1-10000
names
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp 10.83.56.0 255.255.255.0 eq netbios-ssn 10.83.58.0 255.255.255.0
access-list outside_access_in permit tcp 10.83.56.0 255.255.255.0 range 1024 6000 10.83.58.0 255.255.255.0
access-list inside_access_in permit icmp 10.83.58.0 255.255.255.0 10.83.56.0 255.255.255.0
access-list inside_access_in permit tcp 10.83.58.0 255.255.255.0 eq netbios-ssn 10.83.56.0 255.255.255.0
access-list inside_access_in permit tcp 10.83.58.0 255.255.255.0 10.83.56.0 255.255.255.0 eq sqlnet
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 10.83.56.4 255.255.255.0
ip address inside 10.83.58.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.83.58.128 255.255.255.255 inside
pdm location 10.83.56.0 255.255.255.0 inside
pdm location 10.83.58.100 255.255.255.255 inside
pdm location 10.83.56.22 255.255.255.255 outside
pdm history enable
arp timeout 14400
nat (inside) 0 10.83.58.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.83.58.128 255.255.255.255 inside
http 10.83.58.100 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.83.56.0 255.255.255.0 inside
telnet 10.83.58.128 255.255.255.255 inside
telnet 10.83.58.100 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:195cea14e46e3de2bfe27656128087ff
: end
PIX(config)#
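The access-list lines from the show run above, evaluated by a small first-match ACL checker (an added example, not code from the thread or from Cisco): it confirms the inside-to-outside connection in the 302013 log line is allowed by inside_access_in, and it shows that the two tcp entries in outside_access_in filter on the source port, because in PIX access-list syntax the eq/range operator that follows the source address applies to the source port, while only the one after the destination address applies to the destination port.

```python
import ipaddress

PORT_NAMES = {"sqlnet": 1521, "netbios-ssn": 139}       # service names as PIX 6.3 spells them
def port(t): return PORT_NAMES.get(t) or int(t)         # named or numeric port token

def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC [eq|range ..] DST [eq|range ..]'.
    PIX order matters: the operator after the source address is the SOURCE port."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        name, action, proto, rest = tok[1], tok[2], tok[3], tok[4:]
        def addr():                       # 'any' or 'address mask'
            if rest[0] == "any":
                del rest[0]; return ipaddress.ip_network("0.0.0.0/0")
            net = ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False)
            del rest[:2]; return net
        def ports():                      # 'eq P', 'range LO HI', or nothing (= any port)
            if rest and rest[0] == "eq":
                p = port(rest[1]); del rest[:2]; return (p, p)
            if rest and rest[0] == "range":
                lo, hi = port(rest[1]), port(rest[2]); del rest[:3]; return (lo, hi)
            return (0, 65535)
        src, sport, dst, dport = addr(), ports(), addr(), ports()
        acls.setdefault(name, []).append((action, proto, src, sport, dst, dport))
    return acls

# The six access-list lines from the thread's 'show run', each re-joined onto one line.
ACLS = parse_acl("""
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp 10.83.56.0 255.255.255.0 eq netbios-ssn 10.83.58.0 255.255.255.0
access-list outside_access_in permit tcp 10.83.56.0 255.255.255.0 range 1024 6000 10.83.58.0 255.255.255.0
access-list inside_access_in permit icmp 10.83.58.0 255.255.255.0 10.83.56.0 255.255.255.0
access-list inside_access_in permit tcp 10.83.58.0 255.255.255.0 eq netbios-ssn 10.83.56.0 255.255.255.0
access-list inside_access_in permit tcp 10.83.58.0 255.255.255.0 10.83.56.0 255.255.255.0 eq sqlnet
""")

def permitted(acl_name, proto, src_ip, sport, dst_ip, dport):
    """First matching entry of the named ACL wins; no match is the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, snet, sp, dnet, dp in ACLS[acl_name]:
        if (p in (proto, "ip") and s in snet and d in dnet
                and sp[0] <= sport <= sp[1] and dp[0] <= dport <= dp[1]):
            return action == "permit"
    return False

def inside_client_to_oracle():          # the flow in the 302013 log line
    return permitted("inside_access_in", "tcp", "10.83.58.100", 1042, "10.83.56.22", 1521)
def outside_host_to_any_inside_port():  # 'range 1024 6000' limits the SOURCE port only
    return permitted("outside_access_in", "tcp", "10.83.56.22", 3000, "10.83.58.100", 445)
```

Return traffic for a connection the inside host opened is passed by the PIX connection table, so the outside_access_in entries only matter for connections that outside hosts initiate.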
02-17-2004 01:54 PM
How does the PIX connect to the server? LAN? Internet?
I'm confused, as you mentioned that you need a firewall to protect the server, yet you connected the server outside the PIX.
02-17-2004 07:06 PM
Hi Jacko,
the firewall segments the old LAN from the other LAN of the other companies.
The reason I put it on the outside is because
the traffic I want to allow is this Oracle application only (for this time).
Or perhaps you recommend otherwise?
How about the rules?
02-17-2004 07:21 PM
So the PIX is there to protect the old LAN from another company, and the server is located on the other company's LAN, right?
There are 2 scenarios:
1. old LAN hosts initiate the traffic to the Oracle server, and
2. the Oracle server initiates the traffic to old LAN hosts
If your case is 1, then you don't need to do anything, yet the PIX should pass the traffic; if your case is 2, then you have to configure nat/static and access lists to make it work.
02-17-2004 10:22 PM
Hi there,
No, the server is still in the old network,
they're planning to add another network segment (from another company's)
BUT the traffic they want to allow from this other network to the old one is just the Oracle app.
Here's the config file if you want to check it.
Thanks
Sab
PIX# show run
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxencrypted
passwd xxxxxencrypted
hostname PIX
domain-name tddi.co.id
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
fixup protocol sqlnet 1-10000
names
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp 10.83.56.0 255.255.255.0 eq netbios-ssn 10.83.58.0 255.255.255.0
access-list outside_access_in permit tcp 10.83.56.0 255.255.255.0 range 1024 6000 10.83.58.0 255.255.255.0
access-list inside_access_in permit icmp 10.83.58.0 255.255.255.0 10.83.56.0 255.255.255.0
access-list inside_access_in permit tcp 10.83.58.0 255.255.255.0 eq netbios-ssn 10.83.56.0 255.255.255.0
access-list inside_access_in permit tcp 10.83.58.0 255.255.255.0 10.83.56.0 255.255.255.0 eq sqlnet
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.83.56.4 255.255.255.0
ip address inside 10.83.58.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.83.58.128 255.255.255.255 inside
pdm location 10.83.56.0 255.255.255.0 inside
pdm location 10.83.58.100 255.255.255.255 inside
pdm location 10.83.56.22 255.255.255.255 outside
pdm history enable
arp timeout 14400
nat (inside) 0 10.83.58.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.83.58.128 255.255.255.255 inside
http 10.83.58.100 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.83.56.0 255.255.255.0 inside
telnet 10.83.58.128 255.255.255.255 inside
telnet 10.83.58.100 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxx
: end
PIX#
02-17-2004 10:44 PM
I would suggest using the static command rather than nat 0:
static (inside,outside) 10.83.58.0 10.83.58.0 netmask 255.255.255.0 0 0
02-17-2004 11:19 PM
Hi Jackko,
What is the command to implement what you just suggested to me?
Please, I'm very new to PIX commands.
Thanks
02-19-2004 12:56 PM
This is what we use whenever we don't want a network to be NATted, e.g. inside to DMZ. Since both inside and DMZ are private, there is no reason why we would want to NAT the network back and forth.
With your case, I would suggest you disable the nat 0 statement and put in the static command. Once you put in the command, the PIX will then do the NAT using the same network. One thing to notice is that hosts behind the PIX can't browse the Internet anymore, as the network address is now private.
Hope this helps