  • Status: Solved
  • Priority: Medium
  • Security: Public

Running Oracle database behind a router.

I'm having a problem accessing an Oracle database that I have recently placed behind a Netgear RT314 Router. I forwarded port 1521 to the server, which has a static IP, and am able to remotely TNSPING the database through the router's IP. The problem comes when using higher level tools like SQL*Plus and Forms/Reports.
I'm running NT 4.0 on both the client and server machines and connecting via the Internet. I have no problem connecting without the router in place. When checking the port network communications while attempting to connect with SQL*Plus I found that the server ACKs with its own IP, not the IP of the router. Is there something wrong with the NAT configuration?

Also, I had to shut down ZoneAlarm since it blocks incoming traffic from the client IP which is not a static IP and so could not be registered as safe. Any way around this?

One more question. Is there any way to access the router's SYSLOGs? That might make the network traffic patterns a little easier to diagnose.

1 Solution
Any router/firewall protecting an Oracle server needs to know about the sqlnet protocol, as it contains IP addresses or names in the payload of the packet. Therefore simple NAT does not work.

You should set up ZoneAlarm to ignore requests to port 1521, if you REALLY want to open your Oracle server to the whole internet.

I don't know about NetGear but isn't it able to send the log to an external syslog server? There are plenty available; personally I use a linux box for the purpose, but I am sure you can find some for NT as well.
Try the ones on

For a safer setup you might want to do some tunneling instead, for instance using RAS PPTP. This would enable you to have an encrypted tunnel from your client. For info on how to set this up you should probably create a new question in another category.
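
An added example, not part of the original thread: a small diagnostic that shows why plain NAT breaks the connection described above, by reading the address a listener reply carries in its payload and comparing it with the address the client dialed. It assumes the publicly described TNS layout (8-byte header, packet type 5 for a redirect, a 2-byte data length, then an `(ADDRESS=...)` descriptor); the packet bytes, the port 1030 and the address 203.0.113.10 are constructed sample values.

```python
import ipaddress
import re
import struct

TNS_REDIRECT = 5  # assumed TNS packet type: listener tells client to reconnect elsewhere

def build_redirect(descriptor: str) -> bytes:
    """Build a constructed TNS REDIRECT packet (sample input, not a capture)."""
    data = descriptor.encode("ascii")
    body = struct.pack(">H", len(data)) + data
    # 8-byte header: length, packet checksum, type, flags, header checksum
    return struct.pack(">HHBBH", 8 + len(body), 0, TNS_REDIRECT, 0, 0) + body

def embedded_endpoints(packet: bytes):
    """Return (host, port) pairs carried inside a TNS REDIRECT payload."""
    if len(packet) < 10:
        raise ValueError("truncated TNS packet")
    length, _, ptype, _, _ = struct.unpack(">HHBBH", packet[:8])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    if ptype != TNS_REDIRECT:
        return []
    (dlen,) = struct.unpack(">H", packet[8:10])
    text = packet[10:10 + dlen].decode("ascii", "replace")
    pairs = re.findall(r"\(HOST=([^)]+)\)\(PORT=(\d+)\)", text, re.I)
    return [(h.strip(), int(p)) for h, p in pairs]

def nat_problems(packet: bytes, dialed_host: str, forwarded_ports: set):
    """List reasons the endpoints in the payload are unreachable through NAT."""
    problems = []
    for host, port in embedded_endpoints(packet):
        if host != dialed_host:
            try:
                private = ipaddress.ip_address(host).is_private
            except ValueError:
                private = False  # a hostname; reachability depends on client DNS
            kind = "private address" if private else "different host"
            problems.append(f"{kind} {host} in payload, client dialed {dialed_host}")
        if port not in forwarded_ports:
            problems.append(f"port {port} in payload is not forwarded")
    return problems

# Constructed sample: server behind NAT answers with its LAN address.
SAMPLE = build_redirect("(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.0.2)(PORT=1030))")
# 203.0.113.10 is a documentation address standing in for the router's public IP.
REPORT = nat_problems(SAMPLE, "203.0.113.10", {1521})
```

The router rewrites only the IP and TCP headers, so the LAN address inside the descriptor reaches the client unchanged; TNSPING succeeds because it never follows that address.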
cyberwizz (Author) commented:
Do you know if there is any way to configure my NetGear router to understand the sqlnet packets?
If not, would a PPTP tunnel bypass this problem?

Thanks for the syslog tools link, I'll give them a try.
I don't know NetGear as we almost exclusively use Cisco equipment.
pptp should solve your problem, as the connection setup will be without any translations on the way.
cyberwizz (Author) commented:
Is port 1723 the only one that I need open for PPTP?

Also I don't seem to have an option on ZoneAlarm to ignore requests based on port number. Is this available in the free version of 2.6.88?
Yes, 1723 should be sufficient, as far as I remember (don't use pptp myself).

From the info on I think you need to have ZoneAlarm Pro to be able to block for specific types of connection.
View 1:

Maybe a good idea to create a small test network and see if everything works fine before you start to restrict access through firewalls/routers/switches etc...

view 2:
Your clients seem to see the server (tnsping)... does your server "see" the client?
cyberwizz (Author) commented:

1. Unfortunately that's not possible.

I managed to get my syslogs to work and discovered that no PPTP traffic is getting through at all. Turns out this is due to the cable modem service. Comcast@Home appears to be completely blocking all VPN traffic.

Can anyone give any help on setting up another kind of tunnel that will forward SQL*Net packets?
Have you tested whether the router might be able to terminate your pptp-session?
Did you see anything on the router, or are you quite sure, that the isp blocks pptp-traffic?
cyberwizz (Author) commented:
The snippet below was seen on comp.dcom.modems.cable
I'm quite sure I could set up some other kind of tunneling, perhaps a more flexible one that's not too difficult to set up or detect. I need some ideas of which to choose, that will work through my router.

Response from Comcast:
Dear Paul,

Thank you for your message.

The Comcast @Home product is, and has always been, designated as a
residential service and does not allow the use of commercial
applications. A VPN or Virtual Private Network is primarily used to
connect Internet users to her or his work LAN from an Internet access

High traffic telecommuting while utilizing a VPN can adversely affect
the condition of the network while disrupting the connection of our
regular residential subscribers.

To accommodate the needs of our customers who do choose to operate
Comcast offers the Comcast @Home Professional product. @Home Pro is
designed to meet the needs of the ever growing population of small
office/home office customers and telecommuters that need to take
advantage of protocols such as VPN. This product will cost $95 per
month, and afford you with standards which differ from the standard
residential product.

If you're interested in upgrading your current Comcast @Home  service
Comcast @Home Pro, please e-mail your name, address,  and phone number
to: You will be contacted by one of our Comcast
@Home Pro representatives to discuss upgrading from your current
@Home residential service.

While VPN is not a prohibited use of the @Home Pro product, Comcast
not provide support for VPN technology. All inquiries regarding VPN
should be directed toward your company's network administrator.

Currently, the  Comcast @Work commercial services do provide VPN
support. If your company pays for your internet service, or if you
like to use supported VPN or IP tunneling, please contact our
services at 888-638-4338 or visit

If there is anything else we can help you with, please contact us.  
Thank you for choosing Comcast@Home.

Email Response Specialist
You might want to look into ssh tunnelling.
I don't have any experience in it myself, but I have seen it used for tunnelling X, VNC and a few other things.
Most ssh clients are able to support it, including TeraTerm which is free, but you would also need an ssh server. I don't know any ssh servers for NT, but your local Tucows mirror probably has some.

I am quite surprised that your ISP blocks your VPN setup, apparently both in and out of your network, and actually charges you more to do less filtering!

To look into a totally other solution: Do you actually need to have the sqlnet connection or would it be ok to take over your screen and keyboard remotely instead? There are quite a few solutions to do that, including free alternatives.

cyberwizz (Author) commented:
I have no problem controlling the computer remotely, I'm doing it now actually. But if I can establish a remote connection I could make test connections to the database remotely with Oracle Forms.

Do you know if ssh uses protocol 47 (GRE)? That's what PPTP uses.
I'll check up more on ssh, thanks.
ssh only uses tcp port 22.
Some ssh servers make a call back on ident/auth port, before opening the ssh session.
If possible, turn this off, unless you want to have this extra level of security, which also requires you to have an identd on your client. It will only cause you headaches ;-)
