06-26-2002 09:33 AM - edited 02-20-2020 10:07 PM
We have an Oracle server off the PIX's DMZ interface (E2) with an IP address of 10.10.10.10 /24. The internal users are on the PIX's INSIDE interface (E1) and their subnet is 192.168.1.0 /24. Users on this internal subnet need to access the web; therefore, they are NAT'd out the OUTSIDE interface (E0). However, for these same internal users to access the Oracle server (10.10.10.10) on TCP port 1521, they cannot be NAT'd to connect. How do we allow NAT'ing to work for internet access and at the same time prevent NAT'ing from occurring when accessing the Oracle server on the DMZ?
Here is what I did:
access-list INSIDE permit tcp any any eq 1521
access-group INSIDE in interface inside
nat (inside) 100 0 0
nat (dmz) 100 0 0
global (outside) 100 172.16.1.1
global (dmz) 100 10.10.10.100-10.10.10.200
access-list NoNAT permit ip any host 10.10.10.10
nat (inside) 0 access-list NoNAT
How come this doesn't solve the problem?
We are running Cisco Secure PIX version 5.2(3).
06-26-2002 09:33 AM
Try selecting access-lists with subnets.
Example:
clear nat
access-list 101 permit ip 192.168.1.0 255.255.255.0 host 10.10.10.10
nat (inside) 100 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 101
access-list INSIDE permit tcp any any eq 1521
access-group INSIDE in interface inside
global (outside) 100 172.16.1.1
global (dmz) 100 10.10.10.100-10.10.10.200
If it doesn't work, remove the last global (dmz) statement.
Otherwise, try upgrading to PIX OS 5.3.2 or to PIX OS 6.1.1.
It should work; it is a well-known configuration.
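To make the order of operations behind the answer concrete, here is a small Python model of how a PIX evaluates outbound translation: the NAT exemption list (nat 0 access-list) is consulted first, and only a flow that it does not permit falls through to the nat/global pair for the egress interface. This is an added illustration written for this thread, not Cisco code or anything posted by the participants; it models a global pool by its first address, ignores interface ACLs, statics and policy NAT, and uses the constructed test addresses 192.168.1.5, 10.10.10.50 and 198.51.100.7.

```python
"""Simplified model of PIX outbound translation order (illustrative only, not PIX code).

Order modelled:
  1. nat (iface) 0 access-list <acl>  - NAT exemption, checked first
  2. nat (iface) <id> <net> <mask>     - picks a nat id for the source address
  3. global (egress_iface) <id> ...    - supplies the translated address
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IPv4Net = ipaddress.IPv4Network


@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol
    src: IPv4Net
    dst: IPv4Net
    dport: Optional[int] = None  # None = any destination port

    def matches(self, proto, src, dst, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return src in self.src and dst in self.dst


@dataclass
class PixNat:
    acls: dict = field(default_factory=dict)       # acl name -> [AclEntry]
    exempt: dict = field(default_factory=dict)     # iface -> acl name used by "nat (iface) 0 access-list"
    nat_rules: list = field(default_factory=list)  # (iface, nat_id, local network)
    globals_: dict = field(default_factory=dict)   # (iface, nat_id) -> first address of the pool


def _addr(tok, i):
    """Parse PIX address syntax: 'any' | 'host A.B.C.D' | 'A.B.C.D MASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def load_config(text):
    """Build a PixNat from the access-list / nat / global lines of a config fragment."""
    cfg = PixNat()
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list":
            src, i = _addr(tok, 4)
            dst, i = _addr(tok, i)
            dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
            cfg.acls.setdefault(tok[1], []).append(AclEntry(tok[2], tok[3], src, dst, dport))
        elif tok[0] == "nat":
            iface = tok[1].strip("()")
            if tok[2] == "0" and tok[3] == "access-list":
                cfg.exempt[iface] = tok[4]
            else:  # "0 0" means any source, as in "nat (inside) 100 0 0"
                net = ipaddress.ip_network("0.0.0.0/0") if tok[3] == "0" \
                    else ipaddress.ip_network(f"{tok[3]}/{tok[4]}")
                cfg.nat_rules.append((iface, int(tok[2]), net))
        elif tok[0] == "global":
            iface = tok[1].strip("()")
            cfg.globals_[(iface, int(tok[2]))] = tok[3].split("-")[0]  # pool -> first address
    return cfg


def translate(cfg, in_if, out_if, src, dst, proto="tcp", dport=None):
    """Source address as seen on out_if, or None when the PIX has no translation for the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Step 1: NAT exemption wins over every other translation rule.
    for entry in cfg.acls.get(cfg.exempt.get(in_if), []):
        if entry.matches(proto, s, d, dport):
            if entry.action == "permit":
                return src  # exempt: address is not translated
            break           # explicit deny: fall through to regular NAT
    # Step 2/3: first nat statement on in_if covering the source selects the nat id,
    # which needs a matching global on the egress interface.
    for iface, nat_id, net in cfg.nat_rules:
        if iface == in_if and s in net:
            return cfg.globals_.get((out_if, nat_id))  # None = "no translation group found"
    return None


# The configuration from the answer above (constructed copy for the model).
ANSWER_CONFIG = """
access-list 101 permit ip 192.168.1.0 255.255.255.0 host 10.10.10.10
nat (inside) 100 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 101
global (outside) 100 172.16.1.1
global (dmz) 100 10.10.10.100-10.10.10.200
"""


def demo(config=ANSWER_CONFIG):
    """Evaluate three representative inside-originated flows against a config."""
    cfg = load_config(config)
    return {
        "oracle_1521": translate(cfg, "inside", "dmz", "192.168.1.5", "10.10.10.10", "tcp", 1521),
        "web_outside": translate(cfg, "inside", "outside", "192.168.1.5", "198.51.100.7", "tcp", 80),
        "other_dmz_host": translate(cfg, "inside", "dmz", "192.168.1.5", "10.10.10.50", "tcp", 80),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the intended split: the flow to 10.10.10.10 keeps its real source (exempt), web traffic leaves the outside interface as 172.16.1.1, and other DMZ traffic is drawn from the dmz pool. Dropping the `nat (inside) 0 access-list 101` line makes the Oracle flow get translated like any other DMZ flow, which is the situation the question describes.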
06-26-2002 12:05 PM
06-26-2002 12:06 PM
06-26-2002 12:08 PM
Hi mate,
I think I know where your problem may be, and if you can drop me a copy of the config (of course, remove all the sensitive information) and a contact number, I will call you back.
e-mail : moh_alam@hotmail.com
Moh