CPUG: The Check Point User Group


Thread: SQLNET and NAT

  1. #1
    SQLNET and NAT

    I know there's been some talk about Sqlnet in this forum, but I've got a slightly different situation here in which I have Sqlnet/Oracle TNS (1521) traffic traversing a NAT and then causing a problem.

    When the servers negotiate the IP address and protocol via Sqlnet/TNS, the NAT-translated server sends its non-translated IP address across in the payload portion of the packet causing this communication problem.


    I've read in a few places where NAT inspection can penetrate the payload of the packet and rewrite it in other firewall vendors but I'm unsure if that's an option in Checkpoint, or if it's a very good idea.

    Management is R80, Gateways are R77.30.


    Thoughts?

  2. #2
    Re: SQLNET and NAT

    Quote Originally Posted by tmatuschak View Post
    I know there's been some talk about Sqlnet in this forum, but I've got a slightly different situation here in which I have Sqlnet/Oracle TNS (1521) traffic traversing a NAT and then causing a problem.

    When the servers negotiate the IP address and protocol via Sqlnet/TNS, the NAT-translated server sends its non-translated IP address across in the payload portion of the packet causing this communication problem.


    I've read in a few places where NAT inspection can penetrate the payload of the packet and rewrite it in other firewall vendors but I'm unsure if that's an option in Checkpoint, or if it's a very good idea.

    Management is R80, Gateways are R77.30.


    Thoughts?
    What service object are you using in the security rule and in the NAT rule?

    Go into the advanced properties of that service object. What protocol is selected?

    Are you using TLS on this connection? If so, keep in mind that no firewall will be able to see inside the traffic. If it's going across the Internet, I really, really hope you're using TLS.
    Zimmie

  3. #3
    Re: SQLNET and NAT

    I have no experience with sqlnet, but found this article
    I guess(!) sqlnet2 CP predefined service should be used for redirected sessions (rewritten src/nat/port)?


    http://packetpushers.net/sqlnet-a-k-...and-firewalls/

  4. #4
    Re: SQLNET and NAT

    Quote Originally Posted by tmatuschak View Post
    I've read in a few places where NAT inspection can penetrate the payload of the packet and rewrite it in other firewall vendors but I'm unsure if that's an option in Checkpoint, or if it's a very good idea.

    Management is R80, Gateways are R77.30.
    Thoughts?
    Yes, it can for services such as "telnet" and FTP because those are "clear" text protocols.

    Back to your situation, how did you test? Are you using the Oracle sqlnet client to test or are you using a 3rd party JDBC/ODBC to test?

  5. #5
    Re: SQLNET and NAT

    Quote Originally Posted by cciesec2006 View Post
    Yes, it can for services such as "telnet" and FTP because those are "clear" text protocols.

    Back to your situation, how did you test? Are you using the Oracle sqlnet client to test or are you using a 3rd party JDBC/ODBC to test?
    A little more on the environment and more details are as follows:


    Wide open VPN (accept all encrypted); any/any/all on the NAT rules. One of our internal ranges is NAT'd across due to it being public IP address space used privately by accident.

    Given that, the "easy" solution is to re-IP the server, but the reconfiguration of which will be a pain for other reasons. Despite this, however, it is the solution I am currently pushing towards - but any help on this matter would be appreciated because knowledge is power.

    --

    To test it, I had Wireshark installed on both servers.

    Just as a key: The translated server has the public IP, and the foreign server is across the VPN but has a regular private address and communicates as per the norm.

    In the capture I can see it make the connection and as per the norm of the TNS protocol, where the translated server receives the TNS connection with the "ping" option, and then replies to the foreign server with a "refuse" but stating it is a TNS listener (this is normal).

    In the next step, the translated machine then receives a real "connect" (to database) request. The translated server replies and says to "redirect" it using the public IP it has in its configuration and not the translated IP address. The foreign server then attempts to respond back to this IP, but since it is a public range, it routes out to the internet and thusly into oblivion.

    All in all, NAT is working properly, however I was just wondering if there was a method in which the firewall could inspect these packets and rewrite the address within the payload as well. I am not sure if TLS is on with this connection - I don't think it is, but that would make sense that if it were on it cannot happen due to the encryption without TLS decryption being enabled.


    The IP in the configuration file could also likely be changed, as it is separate from the actual IP address of the machine, but then this would ruin all internal communication which uses that public IP address.

  6. #6
    Re: SQLNET and NAT

    What service is showing in the logs and what does that service show in the advanced section for protocol? abusharif pointed out the sqlnet2 inspection should support sqlnet redirect based on the write-up. Granted, I don't see that documented on Check Point's site, but it's worth a try.

    In Checkpoint firewalls, there are two ALGs for SQL*Net: “sqlnet1” and “sqlnet2.” sqlnet1 should be used for non-redirected sessions and sqlnet2 should be used for redirected sessions. The implication is that non-redirected sessions evaluated against sqlnet2 could negatively impact the CPU of the firewall.

  7. #7
    Re: SQLNET and NAT

    Quote Originally Posted by tmatuschak View Post
    A little more on the environment and more details are as follows:


    Wide open VPN (accept all encrypted); any/any/all on the NAT rules. One of our internal ranges is NAT'd across due to it being public IP address space used privately by accident.

    Given that, the "easy" solution is to re-IP the server, but the reconfiguration of which will be a pain for other reasons. Despite this, however, it is the solution I am currently pushing towards - but any help on this matter would be appreciated because knowledge is power.

    --

    To test it, I had Wireshark installed on both servers.

    Just as a key: The translated server has the public IP, and the foreign server is across the VPN but has a regular private address and communicates as per the norm.

    In the capture I can see it make the connection and as per the norm of the TNS protocol, where the translated server receives the TNS connection with the "ping" option, and then replies to the foreign server with a "refuse" but stating it is a TNS listener (this is normal).

    In the next step, the translated machine then receives a real "connect" (to database) request. The translated server replies and says to "redirect" it using the public IP it has in its configuration and not the translated IP address. The foreign server then attempts to respond back to this IP, but since it is a public range, it routes out to the internet and thusly into oblivion.

    All in all, NAT is working properly, however I was just wondering if there was a method in which the firewall could inspect these packets and rewrite the address within the payload as well. I am not sure if TLS is on with this connection - I don't think it is, but that would make sense that if it were on it cannot happen due to the encryption without TLS decryption being enabled.


    The IP in the configuration file could also likely be changed, as it is separate from the actual IP address of the machine, but then this would ruin all internal communication which uses that public IP address.
    I am very confused by your explanation. Can you explain it one more time? Which one is the Oracle client and which one is the Oracle server? Be as precise as you can.

    When you mentioned "TNS connection with the "ping" option", what does it mean, ICMP? I am using sqlplus and JDBC connection and I am not seeing such a thing.

    If you see "refused", it means that the TNS listener is NOT listening but I can't tell based on what you explained above.

    FWIW, I have Oracle server 12c behind the firewall with a private IP address and I NAT'ed it out with a public IP address. From the Internet, I can connect to the Oracle server listener public IP address and the Oracle server responds correctly with NAT on the Check Point firewall without any issues. I am running R77.30 with JHFA 216.
    Last edited by cciesec2006; 2 Weeks Ago at 20:06.

  8. #8
    Re: SQLNET and NAT

    Here's a crude little diagram of what's going on here:

    167.75.1.1 <c--- Firewall <b--- [NAT] (10.250.40.1) <a--- 10.100.1.1
    167.75.1.1 ---d> Firewall ---e> [NAT] (10.250.40.1) ---f> 10.100.1.1

    167.75.1.1 is the Oracle server, 10.250.40.1 is the NAT'd IP address of this server, and 10.100.1.1 is the remote client across the VPN.

    My problem is that, in step d of this exchange, the Oracle server sends a redirect in the TNS packet data saying "Hey, use my IP address of 167.75.1.1!". Since it's in the data portion of the packet, and not the TCP header, it does not get translated.

    The Checkpoint itself is identifying all of these packets as TNS, and logging them under the TNS service, but I know the sqlnet protocol is also closely related and some of the connections it makes to other servers across the VPN show up as sqlnet and sqlnet2 respectively.
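    The step d problem above (the server address travelling inside the TNS payload rather than the IP header), shown as an added example that is not part of the original thread: a small parser for the TNS REDIRECT packet that pulls HOST/PORT out of the connect descriptor so a defender can flag when a server behind NAT advertises its untranslated address. The 167.75.1.1 and 10.250.40.1 values are the thread's own; the packet bytes are constructed here from the public TNS header layout, and `build_tns_redirect`, `parse_tns_redirect` and `redirect_leaks_real_ip` are names chosen for this example.

```python
import re
import struct

# TNS packet header: length, packet checksum, packet type, flags, header checksum
TNS_HEADER = struct.Struct(">HHBBH")
TNS_REDIRECT = 5  # packet type code for a TNS REDIRECT

def build_tns_redirect(connect_string: str) -> bytes:
    """Build a minimal TNS REDIRECT packet (constructed sample, not a real capture)."""
    body = connect_string.encode("ascii")
    payload = struct.pack(">H", len(body)) + body  # redirect data length + data
    length = TNS_HEADER.size + len(payload)
    return TNS_HEADER.pack(length, 0, TNS_REDIRECT, 0, 0) + payload

def parse_tns_redirect(packet: bytes):
    """Return (host, port) from the connect descriptor of a REDIRECT packet, else None."""
    if len(packet) < TNS_HEADER.size + 2:
        return None
    length, _, ptype, _, _ = TNS_HEADER.unpack_from(packet)
    if ptype != TNS_REDIRECT or length > len(packet):
        return None
    (dlen,) = struct.unpack_from(">H", packet, TNS_HEADER.size)
    start = TNS_HEADER.size + 2
    data = packet[start:start + dlen].decode("ascii", errors="replace")
    host = re.search(r"\(HOST=([^)]+)\)", data)
    port = re.search(r"\(PORT=(\d+)\)", data)
    if host is None or port is None:
        return None
    return host.group(1), int(port.group(1))

def redirect_leaks_real_ip(packet: bytes, real_ip: str, translated_ip: str) -> bool:
    """True when the redirect points the client at the untranslated server address.

    Header NAT rewrites only the IP header; this payload address passes through untouched.
    """
    parsed = parse_tns_redirect(packet)
    return parsed is not None and parsed[0] == real_ip and real_ip != translated_ip

# Constructed sample matching the thread's step d: the server advertises 167.75.1.1
SAMPLE_REDIRECT = build_tns_redirect(
    "(ADDRESS=(PROTOCOL=tcp)(HOST=167.75.1.1)(PORT=1521))")

if __name__ == "__main__":
    print(parse_tns_redirect(SAMPLE_REDIRECT))  # ('167.75.1.1', 1521)
    print(redirect_leaks_real_ip(SAMPLE_REDIRECT, "167.75.1.1", "10.250.40.1"))  # True
```

    Run against a Wireshark export of the client side of step f, a True result confirms the redirect is the reason the client routes toward the public range.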

  9. #9
    Re: SQLNET and NAT

    Quote Originally Posted by tmatuschak View Post
    Here's a crude little diagram of what's going on here:

    167.75.1.1 <c--- Firewall <b--- [NAT] (10.250.40.1) <a--- 10.100.1.1
    167.75.1.1 ---d> Firewall ---e> [NAT] (10.250.40.1) ---f> 10.100.1.1

    167.75.1.1 is the Oracle server, 10.250.40.1 is the NAT'd IP address of this server, and 10.100.1.1 is the remote client across the VPN.

    My problem is that, in step d of this exchange, the Oracle server sends a redirect in the TNS packet data saying "Hey, use my IP address of 167.75.1.1!". Since it's in the data portion of the packet, and not the TCP header, it does not get translated.

    The Checkpoint itself is identifying all of these packets as TNS, and logging them under the TNS service, but I know the sqlnet protocol is also closely related and some of the connections it makes to other servers across the VPN show up as sqlnet and sqlnet2 respectively.
    Ok, so your setup is the same as mine and mine works but not yours :-(. We're getting somewhere.

    Can you tell me what kind of client you use on the host 10.100.1.1? Is this Oracle sqlplus or Oracle JDBC? Since you're using 1521, everything is clear text over the wire, with the exception of the password.

  10. #10
    Re: SQLNET and NAT

    This is Oracle SQLPlus. It's an older version, running 9.2.0.8.0.

  11. #11
    Re: SQLNET and NAT

    Quote Originally Posted by tmatuschak View Post
    This is Oracle SQLPlus. It's an older version, running 9.2.0.8.0.
    Unfortunately, I can't help you out because my oldest Oracle database is Oracle 10g version 10.2.0.1.0. Same with sqlplus and it works just fine.

    Can you test out with an ODBC or JDBC connection? What happens when you perform "telnet 10.250.240.1 1521", do you see a connect with a 3-way handshake?

  12. #12
    Re: SQLNET and NAT

    Telnet on the port is fine and there is a three way handshake. I won't be able to test much further at the moment due to some politics on how the testing is handled, however they have accepted my other solution (changing the IP) and we're set to go with that idea.

    Just a yucky situation altogether.

  13. #13
    Re: SQLNET and NAT

    Quote Originally Posted by tmatuschak View Post
    Telnet on the port is fine and there is a three way handshake. I won't be able to test much further at the moment due to some politics on how the testing is handled, however they have accepted my other solution (changing the IP) and we're set to go with that idea.

    Just a yucky situation altogether.
    Maybe I am missing something but I just do not see how re-IPing the server, let's say from 167.75.1.1 to 10.250.40.1, will solve your issue, especially since this is SQLnet 1521 and the TCP 3-way handshake works.

    I am also puzzled by this comment:

    To test it, I had Wireshark installed on both servers.

    Just as a key: The translated server has the public IP, and the foreign server is across the VPN but has a regular private address and communicates as per the norm.

    In the capture I can see it make the connection and as per the norm of the TNS protocol, where the translated server receives the TNS connection with the "ping" option, and then replies to the foreign server with a "refuse" but stating it is a TNS listener (this is normal).

    In the next step, the translated machine then receives a real "connect" (to database) request. The translated server replies and says to "redirect" it using the public IP it has in its configuration and not the translated IP address. The foreign server then attempts to respond back to this IP, but since it is a public range, it routes out to the internet and thusly into oblivion.


    Are you saying that you're seeing the actual IP address of 167.75.1.1 reaching back on the client running sqlplus 10.100.1.1?

    If you're running Wireshark on the server 167.75.1.1, then of course all responses will be from 167.75.1.1. It is the job of the firewall to translate it back to 10.250.40.1.

    I am also puzzled by this as well: TNS connection with the "ping" option, and then replies to the foreign server with a "refuse". What do you exactly mean by this?
