Solved

Running Oracle database behind a router.

Posted on 2001-07-03
782 Views
Last Modified: 2012-06-22
I'm having problems accessing an Oracle database that I have recently placed behind a Netgear RT314 Router. I forwarded port 1521 to the server which has a static IP and am able to remotely TNSPING the database through the router's IP. The problem comes when using higher level tools like SQL*Plus and Forms/Reports.
I'm running NT 4.0 on both the client and server machines and connecting via the Internet. I have no problem connecting without the router in place. When checking the port network communications while attempting to connect with SQL*Plus I found that the server ACK's with its own IP, not the IP of the router. Is there something wrong with the NAT configuration?

Also, I had to shut down ZoneAlarm since it blocks incoming traffic from the client IP which is not a static IP and so could not be registered as safe. Any way around this?

One more question. Is there any way to access the router's SYSLOGs? That might make the network traffic patterns a little easier to diagnose.

Thanks.
cyb
Question by:cyberwizz
12 Comments
 
LVL 4

Expert Comment

by:svindler
ID: 6270579
Any router/firewall protecting an Oracle server needs to know about the sqlnet protocol, as it contains IP addresses or names in the payload of the packet. Therefore simple NAT does not work.

You should setup ZoneAlarm to ignore requests to port 1521, if you REALLY want to open your Oracle server to the whole internet.

I don't know about NetGear but isn't it able to send the log to an external syslog server? There are plenty available; personally I use a linux box for the purpose, but I am sure you can find some for NT as well.
Try the ones on http://www.microsoft.com/NTServer/nts/exec/vendors/freeshare/Special.asp#syslog

For a safer setup you might want to do some tunneling instead, for instance using RAS PPTP. This would enable you to have an encrypted tunnel from your client. For info on how to setup this you should probably create a new question in another category.
0
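As an added illustration of svindler's point (a constructed example, not part of the thread): an Oracle listener may answer a connect with a TNS REDIRECT packet whose payload is a connect descriptor naming the HOST and PORT the client must reconnect to, so a client outside the NAT is handed the server's internal address. The packet bytes, hostnames and addresses below are constructed; the header layout and type code follow the TNS wire format.

```python
import re
import struct
from ipaddress import ip_address

TNS_REDIRECT = 5  # TNS packet type: "reconnect to the address in my payload"

def build_redirect(descriptor):
    """Construct a TNS REDIRECT packet the way a listener would (test input only)."""
    body = descriptor.encode("ascii")
    payload = struct.pack(">H", len(body)) + body
    # 8-byte TNS header: packet length, checksum, type, reserved, header checksum
    header = struct.pack(">HHBBH", 8 + len(payload), 0, TNS_REDIRECT, 0, 0)
    return header + payload

def parse_tns(packet):
    """Return (packet type, descriptor); descriptor is None unless the type is REDIRECT."""
    if len(packet) < 8:
        raise ValueError("truncated TNS header")
    length, _csum, ptype, _flags, _hcsum = struct.unpack(">HHBBH", packet[:8])
    if length != len(packet):
        raise ValueError("TNS length field %d != %d bytes on the wire" % (length, len(packet)))
    if ptype != TNS_REDIRECT:
        return ptype, None
    (dlen,) = struct.unpack(">H", packet[8:10])  # redirect data length
    return ptype, packet[10:10 + dlen].decode("ascii", "replace")

def redirect_target(descriptor):
    """Extract HOST and PORT from e.g. (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.0.10)(PORT=1521))."""
    host = re.search(r"\(HOST=([^)]+)\)", descriptor)
    port = re.search(r"\(PORT=(\d+)\)", descriptor)
    if not host or not port:
        raise ValueError("descriptor lacks HOST/PORT: %r" % descriptor)
    return host.group(1), int(port.group(1))

def nat_problems(packet, reached_ip, forwarded_port=1521):
    """List why a client outside the NAT cannot follow this redirect; [] means it can."""
    ptype, descriptor = parse_tns(packet)
    if ptype != TNS_REDIRECT:
        return []
    host, port = redirect_target(descriptor)
    problems = []
    try:
        kind = "private" if ip_address(host).is_private else "public"
        if host != reached_ip:  # the symptom in the thread: server answers with its own IP
            problems.append("%s HOST %s differs from the address the client reached, %s" % (kind, host, reached_ip))
    except ValueError:  # HOST is a name, not an address
        problems.append("HOST %s is a name the remote client may not resolve" % host)
    if port != forwarded_port:
        problems.append("PORT %d is not the forwarded port %d" % (port, forwarded_port))
    return problems
```

Capturing the real redirect on the wire and feeding it to nat_problems shows whether the router's port forward alone can ever be enough for this server.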
 
LVL 2

Author Comment

by:cyberwizz
ID: 6271408
Do you know if there is any way to configure my NetGear router to understand the sqlnet packets?
If not, would a PPTP tunnel bypass this problem?

Thanks for the syslog tools link, I'll give them a try.
0
 
LVL 4

Expert Comment

by:svindler
ID: 6272174
I don't know NetGear as we almost exclusively use Cisco equipment.
pptp should solve your problem, as the connection setup will be without any translations on the way.
0
 
LVL 2

Author Comment

by:cyberwizz
ID: 6291326
Is port 1723 the only one that I need open for PPTP?

Also I don't seem to have an option on ZoneAlarm to ignore requests based on port number. Is this available in the free version of 2.6.88?
0
 
LVL 4

Expert Comment

by:svindler
ID: 6293049
Yes, 1723 should be sufficient, as far as I remember (don't use pptp myself).

From the info on http://www.zonelabs.com/ I think you need to have ZoneAlarm Pro to be able to block for specific types of connection.
0
 
LVL 5

Expert Comment

by:paulqna
ID: 6299832
View 1:

Maybe a good idea to create a small test network and see if everything works fine before you start to restrict access through firewalls/routers/switches etc...

view 2:
Your client seems to see the server (tnsping)... does your server "see" the client?
0
 
LVL 2

Author Comment

by:cyberwizz
ID: 6308043
paulqna,

1. Unfortunately that's not possible.
2. Yes.


I managed to get my syslogs to work and discovered that no PPTP traffic is getting through at all. Turns out this is due to the cable modem service. Comcast@Home appears to be completely blocking all VPN traffic.

Can anyone give any help on setting up another kind of tunnel that will forward SQL*Net packets?
0
 
LVL 4

Expert Comment

by:svindler
ID: 6308143
Have you tested whether the router might be able to terminate your pptp-session?
Did you see anything on the router, or are you quite sure, that the isp blocks pptp-traffic?
0
 
LVL 2

Author Comment

by:cyberwizz
ID: 6311359
The snippet below was seen on comp.dcom.modems.cable
I'm quite sure I could set up some other kind of tunneling, perhaps a more flexible one that's not too difficult to set up or detect. I need some ideas of which to choose, that will work through my router.

----------------------------------------------------------------------------------------------------------------------
Response from Comcast:
---------
Dear Paul,

Thank you for your message.

The Comcast @Home product is, and has always been, designated as a residential service and does not allow the use of commercial applications. A VPN or Virtual Private Network is primarily used to connect Internet users to her or his work LAN from an Internet access point.

High traffic telecommuting while utilizing a VPN can adversely affect the condition of the network while disrupting the connection of our regular residential subscribers.

To accommodate the needs of our customers who do choose to operate VPN, Comcast offers the Comcast @Home Professional product. @Home Pro is designed to meet the needs of the ever growing population of small office/home office customers and telecommuters that need to take advantage of protocols such as VPN. This product will cost $95 per month, and afford you with standards which differ from the standard residential product.

If you're interested in upgrading your current Comcast @Home service to Comcast @Home Pro, please e-mail your name, address, and phone number to: sales@comcastpc.com. You will be contacted by one of our Comcast @Home Pro representatives to discuss upgrading from your current Comcast @Home residential service.

While VPN is not a prohibited use of the @Home Pro product, Comcast does not provide support for VPN technology. All inquiries regarding VPN should be directed toward your company's network administrator.

Currently, the Comcast @Work commercial services do provide VPN support. If your company pays for your internet service, or if you would like to use supported VPN or IP tunneling, please contact our commercial services at 888-638-4338 or visit www.comcastwork.com.

If there is anything else we can help you with, please contact us.
Thank you for choosing Comcast@Home.

Nicole
Comcast@Home
Email Response Specialist
----------------------------------------
0
 
LVL 4

Accepted Solution

by:
svindler earned 300 total points
ID: 6311436
You might want to look into ssh tunnelling.
I don't have any experience in it myself, but I have seen it used for tunnelling X, VNC and a few other things.
Most ssh clients are able to support it, including TeraTerm which is free, but you would also need an ssh server. I don't know any ssh servers for NT, but your local Tucows mirror probably has some.

I am quite surprised that your isp blocks your vpn setup, apparently both in and out of your network, and actually charges you more to do less filtering!

To look into a totally other solution: Do you actually need to have the sqlnet connection or would it be ok to take over your screen and keyboard remotely instead? There are quite a few solutions to do that, including free alternatives.

0
 
LVL 2

Author Comment

by:cyberwizz
ID: 6313682
I have no problem controlling the computer remotely; I'm doing it now, actually. But if I can establish a remote connection I could make test connections to the database remotely with Oracle Forms.

Do you know if ssh uses protocol 47(GRE)? That's what PPTP uses.
I'll check up more on ssh, thanks.
0
 
LVL 4

Expert Comment

by:svindler
ID: 6316393
ssh only uses tcp port 22.
Some ssh servers make a call back on ident/auth port, before opening the ssh session.
If possible, turn this off, unless you want to have this extra level of security, which also requires you to have an identd on your client. It will only cause you headaches ;-)

0
