SQL*Net Inspection – Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 45 Configuring Inspection of Database and Directory Protocols


During connection negotiation time, a BIND PDU is sent from the client to the server. Once a successful
BIND RESPONSE from the server is received, other operational messages may be exchanged (such as
ADD, DEL, SEARCH, or MODIFY) to perform operations on the ILS Directory. The ADD REQUEST
and SEARCH RESPONSE PDUs may contain IP addresses of NetMeeting peers, used by H.323 (SETUP
and CONNECT messages) to establish the NetMeeting sessions. Microsoft NetMeeting v2.X and v3.X
provide ILS support.

The ILS inspection performs the following operations:

Decodes the LDAP REQUEST/RESPONSE PDUs using the BER decode functions

Parses the LDAP packet

Extracts IP addresses

Translates IP addresses as necessary

Encodes the PDU with translated addresses using BER encode functions

Copies the newly encoded PDU back to the TCP packet

Performs incremental TCP checksum and sequence number adjustment

ILS inspection has the following limitations:

Referral requests and responses are not supported

Users in multiple directories are not unified

Single users having multiple identities in multiple directories cannot be recognized by NAT

Note

Because H225 call signalling traffic only occurs on the secondary UDP channel, the TCP connection is
disconnected after the interval specified by the TCP timeout command. By default, this interval is set at
60 minutes.

SQL*Net Inspection

SQL*Net inspection is enabled by default.

The SQL*Net protocol consists of different packet types that the ASA handles to make the data stream
appear consistent to the Oracle applications on either side of the ASA.

The default port assignment for SQL*Net is 1521. This is the value used by Oracle for SQL*Net, but
this value does not agree with IANA port assignments for Structured Query Language (SQL). Use the
class-map command to apply SQL*Net inspection to a range of port numbers.

Note

Disable SQL*Net inspection when SQL data transfer occurs on the same port as the SQL control TCP
port 1521. The security appliance acts as a proxy when SQL*Net inspection is enabled and reduces the
client window size from 65000 to about 16000, causing data transfer issues.

The ASA translates all addresses and looks in the packets for all embedded ports to open for SQL*Net
Version 1.

For SQL*Net Version 2, all DATA or REDIRECT packets that immediately follow REDIRECT packets
with a zero data length will be fixed up.

The packets that need fix-up contain embedded host/port addresses in the following format:

(ADDRESS=(PROTOCOL=tcp)(DEV=6)(HOST=a.b.c.d)(PORT=a))
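
The fix-up described above can be sketched as follows. This is an added example, not code from Cisco or from the guide: it locates descriptors in the quoted format, rewrites the embedded HOST through a NAT table, and reports the host/port pairs for which a follow-on connection would have to be permitted. The function name, the NAT mapping, and the sample payload are assumptions constructed for illustration, and the sketch works on the descriptor text only, not on SQL*Net packet framing.

```python
import ipaddress
import re

# Descriptor format as quoted in the guide; key order is fixed as shown there.
ADDRESS_RE = re.compile(
    rb"\(ADDRESS=\(PROTOCOL=tcp\)\(DEV=(\d+)\)\(HOST=([0-9.]+)\)\(PORT=(\d+)\)\)"
)

# Constructed sample data (assumptions, not taken from the guide).
NAT = {"10.1.1.20": "203.0.113.20"}  # real address -> mapped address
SAMPLE = b"(ADDRESS=(PROTOCOL=tcp)(DEV=6)(HOST=10.1.1.20)(PORT=1575))"


def fix_up(payload, nat):
    """Rewrite embedded HOST values according to `nat`.

    Returns (new_payload, pinholes, length_delta). `pinholes` lists the
    (host, port) pairs found after translation. `length_delta` is the change
    in payload size, which is why a device that rewrites addresses in the
    stream also has to adjust TCP sequence numbers and checksums.
    """
    pinholes = []

    def _rewrite(match):
        dev = match.group(1)
        host = match.group(2).decode()
        port = int(match.group(3))
        # Leave the descriptor untouched if HOST or PORT is not valid.
        try:
            ipaddress.IPv4Address(host)
        except ValueError:
            return match.group(0)
        if not 0 < port < 65536:
            return match.group(0)
        mapped = nat.get(host, host)
        pinholes.append((mapped, port))
        return b"(ADDRESS=(PROTOCOL=tcp)(DEV=%s)(HOST=%s)(PORT=%d))" % (
            dev, mapped.encode(), port)

    new_payload = ADDRESS_RE.sub(_rewrite, payload)
    return new_payload, pinholes, len(new_payload) - len(payload)


if __name__ == "__main__":
    print(fix_up(SAMPLE, NAT))
```
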
