Re: client---(inside)PIX(outside)---OracleServer

inghau · ‎02-17-2004

Hello everybody,

i need help here, i'm quite new in PIX configuration.

Can PIX allow connection from inside to outside to an OracleServer.

My costumer just need to buy an firewall to protect oracle server.

i have already configured the PIX (without NAT) and i allow the sql*net fixup protocol.

But still the client cannot connect to the oraclesvr.

I've tried to search for some guide and config example but no luck finding it. Can someone please tell me what did i miss ?

Thanks

Ing

jmia · ‎02-17-2004

Hi,

Can you please provide some syslog messages, do the following on the PIX (in config mode),

> logging on

> logging buffer debug

Now on the PIX issue - Sho logging

Can you post the results and hopefully we can see what's going on.

Thanks - Jay

inghau · ‎02-17-2004

Hi Jay,

i'm sorry i cannot give you the logging for now because my costumer's place is too far away from my office.

I'll try to guide the local admin to test it again and mail me the full config i hope it will be enough.

Thanks

Sab

inghau · ‎02-18-2004

Hi Jay,

here's the log i can find,

please suggest

Ing

PIX(config)# show log

Syslog logging: enabled

Facility: 20

Timestamp logging: disabled

Standby logging: disabled

Console logging: disabled

Monitor logging: disabled

Buffer logging: level debugging, 41 messages logged

Trap logging: disabled

History logging: disabled

Device ID: disabled

111008: User 'enable_15' executed the 'logging buffer debug' command.

302013: Built outbound TCP connection 56 for outside:10.83.56.22/1521 (10.83.56.

22/1521) to inside:10.83.58.100/1042 (10.83.58.100/1042)

602101: PMTU-D packet 44 bytes greater than effective mtu 0, dest_addr=10.83.58.

100, src_addr=10.83.56.22, prot=tcp

602101: PMTU-D packet 40 bytes greater than effective mtu 0, dest_addr=10.83.58.

100, src_addr=10.83.56.22, prot=tcp

602101: PMTU-D packet 40 bytes greater than effective mtu 0, dest_addr=10.83.58.

100, src_addr=10.83.56.22, prot=tcp

602101: PMTU-D packet 44 bytes greater than effective mtu 0, dest_addr=10.83.58.

100, src_addr=10.83.56.22, prot=tcp

PIX(config)# show run

: Saved

:

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 2KFQnbNIdI.2KYOU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname PIX

domain-name tddi.co.id

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

no fixup protocol sqlnet 1521

fixup protocol sqlnet 1-10000

names

access-list outside_access_in permit icmp any any

access-list outside_access_in permit tcp 10.83.56.0 255.255.255.0 eq netbios-ssn

10.83.58.0 255.255.255.0

access-list outside_access_in permit tcp 10.83.56.0 255.255.255.0 range 1024 600

0 10.83.58.0 255.255.255.0

access-list inside_access_in permit icmp 10.83.58.0 255.255.255.0 10.83.56.0 255

.255.255.0

access-list inside_access_in permit tcp 10.83.58.0 255.255.255.0 eq netbios-ssn

10.83.56.0 255.255.255.0

access-list inside_access_in permit tcp 10.83.58.0 255.255.255.0 10.83.56.0 255.

255.255.0 eq sqlnet

pager lines 24

logging on

logging buffered debugging

mtu outside 1500

mtu inside 1500

ip address outside 10.83.56.4 255.255.255.0

ip address inside 10.83.58.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 10.83.58.128 255.255.255.255 inside

pdm location 10.83.56.0 255.255.255.0 inside

pdm location 10.83.58.100 255.255.255.255 inside

pdm location 10.83.56.22 255.255.255.255 outside

pdm history enable

arp timeout 14400

nat (inside) 0 10.83.58.0 255.255.255.0 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 10.83.58.128 255.255.255.255 inside

http 10.83.58.100 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 10.83.56.0 255.255.255.0 inside

telnet 10.83.58.128 255.255.255.255 inside

telnet 10.83.58.100 255.255.255.255 inside

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:195cea14e46e3de2bfe27656128087ff

: end

PIX(config)#

jackko · ‎02-17-2004

how does the pix connect to the server? lan? internet?

i'm confused as you mentioned that you need a firewall to protect the server, yet you connected the server outside the pix.

inghau · ‎02-17-2004

Hi Jacko,

the Firewall segments from the old LAN and the other LAN from other companies.

The reason i put it in outside is because

the traffic i want to allow is this oracle application only (for this time).

Or perhaps you recommend the otherwise ?

how about the rules ?

jackko · ‎02-17-2004

so the pix is there to protect the old lan from another company, and the server is located on the another company lan, right?

there are 2 scenarios:

1. old lan hosts initiate the traffic to oracle server, and

2. oracle server initiate the traffic to old lan hosts

if your case is 1, then you don't need to do anything yet the pix should pass the traffic; if your case is 2, then you have to configure nat/static and access lists to make it working

inghau · ‎02-17-2004

Hi there,

no server is still in old network,

they're planning to add another network segment(from another company's)

BUT the traffic they want to allow from this other network to the old one is just the oracle app.

heere's the config file if you want to check it.

Thanks

Sab

PIX# show run

: Saved

:

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxxencrypted

passwd xxxxxencrypted

hostname PIX

domain-name tddi.co.id

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

no fixup protocol sqlnet 1521

fixup protocol sqlnet 1-10000

names

access-list outside_access_in permit icmp any any

access-list outside_access_in permit tcp 10.83.56.0 255.255.255.0 eq netbios-ssn

10.83.58.0 255.255.255.0

access-list outside_access_in permit tcp 10.83.56.0 255.255.255.0 range 1024 600

0 10.83.58.0 255.255.255.0

access-list inside_access_in permit icmp 10.83.58.0 255.255.255.0 10.83.56.0 255

.255.255.0

access-list inside_access_in permit tcp 10.83.58.0 255.255.255.0 eq netbios-ssn

10.83.56.0 255.255.255.0

access-list inside_access_in permit tcp 10.83.58.0 255.255.255.0 10.83.56.0 255.

255.255.0 eq sqlnet

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 10.83.56.4 255.255.255.0

ip address inside 10.83.58.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 10.83.58.128 255.255.255.255 inside

pdm location 10.83.56.0 255.255.255.0 inside

pdm location 10.83.58.100 255.255.255.255 inside

pdm location 10.83.56.22 255.255.255.255 outside

pdm history enable

arp timeout 14400

nat (inside) 0 10.83.58.0 255.255.255.0 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 10.83.58.128 255.255.255.255 inside

http 10.83.58.100 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 10.83.56.0 255.255.255.0 inside

telnet 10.83.58.128 255.255.255.255 inside

telnet 10.83.58.100 255.255.255.255 inside

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:xxxx

: end

PIX#

jackko · ‎02-17-2004

i would suggest using static command rather than nat0

static (inside,outside) 10.83.58.0 10.83.58.0 netmask 255.255.255.0 0 0

inghau · ‎02-17-2004

Hi Jackko,

what is the command to implement what u just suggest me.

please i'm very new in PIX commands.

thanks

jackko · ‎02-19-2004

this is what we use whenever we don't want a network to be natted. eg. inside to dmz. since both inside and dmz are private so there is no reason why we want to nat the network back and forth.

with your case, i would suggest you to disable the nat0 statement and put in the static command. once you put in the command, the pix will then do the nat by using the same network. one thing has to be noticed is that hosts behind the pix can't browse internet anymore as the netword address is now private.

hope this helps