Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Cisco PIX and Sql*Net

From: Niall Litchfield <n-litchfield_at_audit-commission.gov.uk>
Date: Fri, 11 May 2001 10:13:07 +0100
Message-ID: <3afbad26$0$15024$ed9e5944@reading.news.pipex.net>

We went through this to get www.schools.audit-commission.gov.uk/schoolfinance online.

Having put USE_SHARED_SOCKET=TRUE in the registry, both the listener and the databases have to be bounced. We just bounced the database server, to be honest.

From the PIX side, we found that the PIX needed to include the following configuration lines; initially we only included one of them.

fixup protocol sqlnet <port number>
access-list <access list name> permit tcp host <external machine ip> host <internal machine ip> eq sqlnet

Differences: Our DB server is 8.1.5 but shortly to be upgraded. The OS is NT4. I believe the PIX software is also pretty much up to date.

HTH

--
Niall Litchfield
Oracle DBA
Audit Commission UK

"Peter Laursen" <pl_at_mail1.remove.this.stofanet.dk> wrote in message news:WzEK6.2216$h4.587150_at_news101.telia.com...

Hi,

I am having trouble connecting from a client through a Cisco PIX firewall. Server is 8.1.6 on Win2k, client is 8.1.6 on Win2k. Listener is standard config with dedicated server process and TCP port 1521. TNSname 8.0 style on the client.

When changing the IP on the client machine (webserver to be), so SQL*Net traffic is not routed through the firewall, everything is fine - the connection is made and the application is running. Connections from other similar clients on the LAN work fine too. However, when changing the IP on the webserver machine back to be outside, so traffic is routed through the PIX, I get an ORA-12535 timeout. Port 1521 is open but I suspect the redirect fails - the client never gets to talk with the server process.

OK, I put USE_SHARED_SOCKET = TRUE in the registry as described in Metalink note 68652.1. This should eliminate the need for redirecting and the client should be able to talk to the server process with only port 1521 open on the PIX. I still get ORA-12535 though. A listener.log at tracelvl 16 shows an error on socket 284. (I don't recall the exact log, I am at home now.)

I know that 8.1.7 has an official bug concerning USE_SHARED_SOCKET. That's why I installed 8.1.6 at this customer. Is the USE_SHARED_SOCKET bug in 8.1.6 too? Any ideas other than trying Connection Manager?

I am not configuring the PIX, another guy is doing that, but he doesn't know Oracle and I don't understand his firewall speak, so there are communication problems at more than one level :-) We really don't know if the problem is in the PIX or in Oracle :-(

At Cisco I found this quote:
"To enable secure database access, the Cisco Secure PIX Firewall series allows Oracle SQL*Net-based client/server applications to communicate through the firewall, both with and without network address translation (NAT)."

So the PIX knows about the SQL*Net protocol, but what does this actually mean? Does this mean that the PIX has an SQL*Net proxy?

TIA
Peter Laursen
Received on Fri May 11 2001 - 04:13:07 CDT
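
Added example (not part of the original posts, and not Cisco or Oracle code): a small check that a saved PIX configuration contains both lines named in the reply above for the listener port, since having only one of them was the state that failed. The ACL name, addresses and sample config are constructed, and only the two line shapes quoted in the reply are recognised.

```python
import re

SQLNET_PORT = 1521  # the PIX port literal "sqlnet" stands for TCP 1521

# Constructed sample (made-up ACL name and addresses): the ACL entry is
# present but the fixup line is not, the "only one of them" state.
SAMPLE_CONFIG = """\
access-list outside_in permit tcp host 192.0.2.10 host 10.0.0.5 eq sqlnet
access-list outside_in permit tcp host 192.0.2.10 host 10.0.0.6 eq 80
"""

# Only the two line shapes quoted in the post are recognised (assumption).
FIXUP_RE = re.compile(r"^fixup protocol sqlnet (\d+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp host (\S+) host (\S+) eq (\S+)$")


def port_of(token):
    """Map an ACL port token to a number; None if it is some other literal."""
    if token == "sqlnet":
        return SQLNET_PORT
    return int(token) if token.isdigit() else None


def audit_sqlnet(config, listener_port=SQLNET_PORT):
    """Return findings for the listener port; an empty list means both lines exist."""
    fixup_ports, acl_entries = set(), []
    for raw in config.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        m = FIXUP_RE.match(line)
        if m:  # a "no fixup ..." line does not match and is ignored
            fixup_ports.add(int(m.group(1)))
            continue
        m = ACL_RE.match(line)
        if m and port_of(m.group(4)) == listener_port:
            acl_entries.append((m.group(1), m.group(2), m.group(3)))
    findings = []
    if listener_port not in fixup_ports:
        findings.append(f"missing: fixup protocol sqlnet {listener_port}")
    if not acl_entries:
        findings.append(f"missing: access-list permit ... eq {listener_port}")
    return findings


if __name__ == "__main__":
    for finding in audit_sqlnet(SAMPLE_CONFIG) or ["both lines present"]:
        print(finding)
```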
