New Member

How do I prevent NAT'ing on a PIX for users on the 'inside' trying to access an oracle server (SQLnet) on the 'DMZ'?

We have an oracle server off the PIX's DMZ interface (E2) w/ an IP address of 10.10.10.10 /24. The internal users are on the PIX's INSIDE interface (E1) and their subnet is 192.168.1.0 /24. Users on this internal subnet need to access the web; therefore, they are NAT'd out the OUTSIDE interface (E0). However, for these same internal users to access the oracle server (10.10.10.10) on TCP port 1521, they cannot be NAT'd to connect. How do we allow NAT'ing to work for internet access and at the same time prevent NAT'ing to occur when accessing the oracle server on the DMZ?

Here is what I did:

access-list INSIDE permit tcp any any eq 1521

access-group INSIDE in interface inside

nat (inside) 100 0 0

nat (dmz) 100 0 0

global (outside) 100 172.16.1.1

global (dmz) 100 10.10.10.100-10.10.10.200

access-list NoNAT permit ip any host 10.10.10.10

nat (inside) 0 access-list NoNAT

How come this doesn't solve the problem?

We are running Cisco Secure PIX version 5.2(3)

  • Other Security Subjects
4 REPLIES
Anonymous
N/A

Re: How do I prevent NAT'ing on a PIX for users on the 'inside'

Try selecting access-lists with subnets.

Example:

clear nat

access-list 101 permit ip 192.168.1.0 255.255.255.0 host 10.10.10.10

nat (inside) 100 192.168.1.0 255.255.255.0

nat (inside) 0 access-list 101

access-list INSIDE permit tcp any any eq 1521

access-group INSIDE in interface inside

global (outside) 100 172.16.1.1

global (dmz) 100 10.10.10.100-10.10.10.200

If it doesn't work, remove the last global (dmz) statement.

Otherwise, try upgrading to PIX OS 5.3.2 or to PIX OS 6.1.1.

It should work; it is a well-known configuration.
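As an added illustration (not code from this thread or from Cisco), the following Python model walks through the three decisions a PIX of this generation makes for a flow entering the inside interface: the interface access-list with its implicit deny, the nat 0 access-list exemption, and then the numbered nat/global pair. It parses the replier's configuration as re-typed below (with the `ip` keyword that PIX access-list syntax requires on the NoNAT entry) and reports what happens to the Oracle flow, to other DMZ-bound traffic and to web traffic. The route table, the evaluation order and the flow addresses are simplifications constructed for the example.

```python
import ipaddress

# Simplified, constructed model of PIX flow handling for traffic entering the
# inside interface. Illustrative only; not Cisco's implementation.

# The replier's suggested configuration, re-typed with the `ip` keyword that
# PIX access-list syntax requires on the NoNAT (access-list 101) entry.
EXAMPLE_CONFIG = """
access-list 101 permit ip 192.168.1.0 255.255.255.0 host 10.10.10.10
nat (inside) 100 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 101
access-list INSIDE permit tcp any any eq 1521
access-group INSIDE in interface inside
global (outside) 100 172.16.1.1
global (dmz) 100 10.10.10.100-10.10.10.200
"""

# Constructed route table for the topology in the question; anything else
# is reached through the outside interface.
ROUTES = {
    "dmz": ipaddress.ip_network("10.10.10.0/24"),
    "inside": ipaddress.ip_network("192.168.1.0/24"),
}
ANY = ipaddress.ip_network("0.0.0.0/0")


def _spec(tokens):
    """Consume one PIX address specifier: any | 0 0 | host A | A MASK."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[:2] == ["0", "0"]:
        return ANY, tokens[2:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Parse the handful of PIX commands used in the thread into a policy dict."""
    cfg = {"acl": {}, "access_group": {}, "nat": [], "global": {}}
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":      # access-list NAME permit PROTO SRC DST [eq PORT]
            src, rest = _spec(t[4:])
            dst, rest = _spec(rest)
            port = int(rest[1]) if rest[:1] == ["eq"] else None
            cfg["acl"].setdefault(t[1], []).append((t[2], t[3], src, dst, port))
        elif t[0] == "access-group":   # access-group NAME in interface IFACE
            cfg["access_group"][t[4]] = t[1]
        elif t[0] == "nat":            # nat (IFACE) ID access-list NAME | nat (IFACE) ID NET MASK
            iface, nat_id = t[1].strip("()"), int(t[2])
            rule = ("acl", t[4]) if t[3] == "access-list" else ("net", _spec(t[3:])[0])
            cfg["nat"].append((iface, nat_id, rule))
        elif t[0] == "global":         # global (IFACE) ID ADDR[-ADDR]
            cfg["global"][(t[1].strip("()"), int(t[2]))] = t[3]
    return cfg


def acl_action(cfg, name, proto, src, dst, dport):
    """First matching entry wins; every PIX access-list ends in an implicit deny."""
    for action, p, s, d, port in cfg["acl"].get(name, []):
        if p in ("ip", proto) and src in s and dst in d and port in (None, dport):
            return action
    return "deny"


def evaluate(cfg, src_ip, dst_ip, proto="tcp", dport=80, ingress="inside"):
    """Report whether a flow is denied, exempted from NAT, or translated."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # 1. The access-list bound inbound on the ingress interface is checked first.
    acl = cfg["access_group"].get(ingress)
    if acl and acl_action(cfg, acl, proto, src, dst, dport) != "permit":
        return f"denied by access-list {acl}"
    egress = next((i for i, n in ROUTES.items() if dst in n), "outside")
    # 2. NAT exemption (nat 0 access-list) is consulted before any numbered nat id.
    for iface, nat_id, (kind, arg) in cfg["nat"]:
        if iface == ingress and nat_id == 0 and kind == "acl" \
                and acl_action(cfg, arg, "ip", src, dst, None) == "permit":
            return "exempt (no translation)"
    # 3. Otherwise the first nat statement covering the source selects the
    #    global pool carrying the same id on the egress interface.
    for iface, nat_id, (kind, arg) in cfg["nat"]:
        if iface == ingress and kind == "net" and src in arg:
            pool = cfg["global"].get((egress, nat_id))
            return f"translated via {pool}" if pool else f"no global ({egress}) {nat_id}"
    return "no matching nat rule"


if __name__ == "__main__":
    cfg = parse_config(EXAMPLE_CONFIG)
    for dst, port in (("10.10.10.10", 1521), ("10.10.10.20", 1521), ("203.0.113.5", 80)):
        print(f"192.168.1.50 -> {dst}:{port}: {evaluate(cfg, '192.168.1.50', dst, 'tcp', port)}")
```

Running it shows the Oracle flow exempted and other DMZ-bound traffic translated into the dmz pool, but it also shows that with only the port 1521 permit bound inbound on inside, web traffic is dropped by the access-list before NAT is ever consulted; the list needs an explicit permit for whatever traffic is meant to be translated out to the internet.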

New Member

Re: How do I prevent NAT'ing on a PIX for users on the 'inside'

>

New Member

Re: How do I prevent NAT'ing on a PIX for users on the 'inside'

>

New Member

Re: How do I prevent NAT'ing on a PIX for users on the 'inside'

Hi mate,

I think I know where your problem may be, and if you can drop me a copy of the config (of course, remove all the sensitive information) and a contact number, I will call you back.

e-mail : moh_alam@hotmail.com

Moh
