cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
933
Views
0
Helpful
4
Replies

How do I prevent NAT'ing on a PIX for users on the 'inside' trying to access an oracle server (SQLnet) on the 'DMZ'?

admin_2
Level 3
Level 3

We have an oracle server off the PIX's DMZ interface (E2) w/ an IP address of 10.10.10.10 /24. The internal users are on the PIX's INSIDE interface (E1) and their subnet is 192.168.1.0 /24. Users on this internal subnet need to access the web; therefore, they are NAT'd out the OUTSIDE interface (E0). However, for these same internal users to access the oracle server (10.10.10.10) on TCP port 1521, they cannot be NAT'd to connect. How do we allow NAT'ing to work for internet access and at the same time prevent NAT'ing to occur when accessing the oracle server on the DMZ?

Here is what I did....

access-list INSIDE permit tcp any any eq 1521

access-group INSIDE in interface inside

nat (inside) 100 0 0

nat (dmz) 100 0 0

global (outside) 100 172.16.1.1

global (dmz) 100 10.10.10.100-10.10.10.200

access-list NoNAT permit ip any host 10.10.10.10

nat (inside) 0 access-list NoNAT

How come this doesn't solve the problem?

We are running Cisco Secure PIX version 5.2(3)

4 Replies 4

Not applicable

try selecting access-lists with subnets.

Example:

clear nat

access-list 101 permit 192.168.1.0 255.255.255.0 host 10.10.10.10

nat (inside) 100 192.168.1.0 255.255.255.0

nat (inside) 0 access-list 101

access-list INSIDE permit tcp any any eq 1521

access-group INSIDE in interface inside

global (outside) 100 172.16.1.1

global (dmz) 100 10.10.10.100-10.10.10.200

if it doesn't work, remove the last global (dmz) statement

otherwise, try upgrading to PIX OS 5.3.2 or to PIX OS 6.1.1

it should work, it is a well-known configuration.

>

>

Hi mate,

I think I know where u'r problem may be,,,and if you can drop me a copy of the config ( ofcourse remove all the sensitive information), and a contact number I will call you back,,,

e-mail : moh_alam@hotmail.com

Moh

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: