RE: Cisco PIX firewall

  • From: "Daniel Wittry" <daniel.wittry@xxxxxxxxx>
  • To: <oracle-l@xxxxxxxxxxxxx>
  • Date: Tue, 25 Jan 2005 15:24:15 -0800

I did this before [back when memory was a problem (so we used MTS)].

Forgive me if everybody already knows this...

Anyway, port 1521 is the starting port number; the MTS server processes
communicate back to the client on a redirected port.  Therefore, you
must tell your MTS config (via init.ora params) which ports are allowed
to be redirected to.  For example, you have X number of concurrent
sessions and therefore you open up X+50% ports in the range of, ohhhh,
say 15500 thru 15600.  Tell the firewall that A) these ports are
bi-directional and B) SQL*Net traffic is the protocol. I don't remember
if ports are 1-to-1 for clients, but you could look that up.

A quick test...
You can tell Oracle NOT to redirect SQL*Net traffic and keep everything
on port 1521.  You will quickly bottleneck the port I/O, but at least
you will get thru your firewall (assuming 1521 is open and supports
SQL*Net).

I'm not a firewall guy, I just told the sys/net admins to do it and they
made it happen. I did the Oracle part. By the way, 7 years ago, not all
firewalls supported SQL*Net traffic - ensure your specific firewall is
certified for such.

__Dan

--
//www.freelists.org/webpage/oracle-l
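Added example, not code from Dan's post or from Oracle or Cisco: it applies the post's sizing rule (concurrent sessions plus 50% headroom, starting at 15500) to a fixed dispatcher port range, emits the matching init.ora DISPATCHERS entries, and checks a firewall's permitted TCP ranges against that range so a gap is caught before the change goes live. The DISPATCHERS parameter (MTS_DISPATCHERS on pre-9i releases) and the TNS ADDRESS syntax are Oracle's; the access-list lines are constructed sample data in PIX/ASA ACL style, not rules from any real device; host 10.1.1.5 is made up.

```python
"""
Added example, not code from the original post or from Oracle/Cisco.

Sizes a fixed dispatcher port range for Oracle shared server (MTS) using the
post's rule of thumb (concurrent sessions + 50% headroom, starting at 15500),
emits the matching init.ora DISPATCHERS entries, and checks that a firewall's
permitted TCP port ranges cover every dispatcher port.

Assumptions: the DISPATCHERS parameter (MTS_DISPATCHERS on pre-9i releases)
and the TNS ADDRESS syntax are Oracle's; the access-list lines below are
constructed sample data in PIX/ASA ACL style, not rules from a real device.
"""
import math
import re

# Matches a constructed PIX/ASA-style TCP permit rule ending in either
# "eq <port>" or "range <lo> <hi>".
ACL_TCP_PERMIT = re.compile(
    r"^access-list\s+\S+\s+(?:extended\s+)?permit\s+tcp\s+.*?"
    r"\s(?:eq\s+(\d+)|range\s+(\d+)\s+(\d+))\s*$"
)


def size_port_range(concurrent_sessions, headroom=0.5, first_port=15500):
    """Return (first, last) for a contiguous block of
    ceil(concurrent_sessions * (1 + headroom)) ports starting at first_port."""
    needed = math.ceil(concurrent_sessions * (1 + headroom))
    return first_port, first_port + needed - 1


def dispatcher_entries(host, first_port, last_port):
    """One DISPATCHERS line per port, each pinning a dispatcher to a fixed
    TCP port so the firewall can be given an explicit, bounded range."""
    return [
        f'DISPATCHERS="(ADDRESS=(PROTOCOL=TCP)(HOST={host})(PORT={port}))"'
        for port in range(first_port, last_port + 1)
    ]


def allowed_tcp_ranges(acl_lines):
    """Extract (lo, hi) port ranges from permit-tcp rules; deny rules and
    non-TCP rules are ignored."""
    ranges = []
    for line in acl_lines:
        m = ACL_TCP_PERMIT.match(line.strip())
        if not m:
            continue
        eq, lo, hi = m.groups()
        ranges.append((int(eq), int(eq)) if eq else (int(lo), int(hi)))
    return ranges


def uncovered_ports(first_port, last_port, allowed):
    """Dispatcher ports no permit rule covers; a non-empty result means some
    redirected sessions would be dropped at the firewall."""
    return [
        p for p in range(first_port, last_port + 1)
        if not any(lo <= p <= hi for lo, hi in allowed)
    ]


# Constructed sample firewall rules: the listener port plus a redirect range
# that is deliberately too small for the larger session count tested below.
SAMPLE_ACL = [
    "access-list outside_in extended permit tcp any host 10.1.1.5 eq 1521",
    "access-list outside_in extended permit tcp any host 10.1.1.5 range 15500 15560",
    "access-list outside_in extended deny ip any any",
]


def check_sizing(concurrent_sessions, acl_lines=SAMPLE_ACL):
    """Size the range and report which ports the firewall does not yet permit."""
    first, last = size_port_range(concurrent_sessions)
    return first, last, uncovered_ports(first, last, allowed_tcp_ranges(acl_lines))


if __name__ == "__main__":
    for sessions in (40, 80):
        first, last, missing = check_sizing(sessions)
        print(f"{sessions} sessions -> ports {first}-{last}, "
              f"{len(missing)} not permitted by firewall")
    print(dispatcher_entries("10.1.1.5", 15500, 15502)[0])
```

With 40 sessions the range 15500-15559 fits inside the sample rule; with 80 sessions the range runs to 15619 and the check reports the 59 ports the ACL would silently drop, which is the failure mode worth catching before users report hung connections.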
