PIX 7.0 inspect

Unanswered Question
May 3rd, 2007
User Badges:

As you are all aware, by default the 'inspect sqlnet' feature is switched on under the global policy map on PIX v7 firewalls.

I would like to keep the 'inspect sqlnet' feature on at the global policy level, but turn it off for traffic travelling between a specific source/destination network using access lists.

Is this possible? If so, could someone please provide some guidance on how to do this?

Many Thanks

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
vijayasankar Thu, 05/03/2007 - 22:00
User Badges:
  • Silver, 250 points or more


You can achieve that by configuring a layer3/4 policy and bind it to an interface.

Policy binded to the interface will take precedence than the gloabal default inspection policy.

Have a look at this URL for more details.


For example: You can configure as follows

Define a acl, to exclude the traffic between source and destination network and then permit everything else.

Create class map and match this ACL in it.

Create a policy-map, call this class-map and perform inpsect sqlnet for the matching traffic in the class-map.

Bind this policy-map to the appropriate interface.

Sample configuration


access-list sqlnettraffic deny ip

access-list sqlnettraffic permit ip any any

class-map my-sqlnet-traffic

match access-list sqlnettraffic

policy-map my-sqlnet-policy

class my-sqlnet-traffic

inspect sqlnet

service-policy my-sqlnet-policy interface outside

This should help to acheive what you are looking.

Hope this helps.


amcneish Fri, 05/11/2007 - 13:40
User Badges:

Just a follow on question.. what would be the difference if once just modified the SQL behaviour in the global policy instead .. with access lists.. etc

vijayasankar Fri, 05/11/2007 - 20:56
User Badges:
  • Silver, 250 points or more


That will affect for all the SQL traffic passing through the firewall.

What is your exact requirement? Why do you want to disable the SQL inspect feature.?


amcneish Sat, 05/12/2007 - 04:30
User Badges:

I was interested in the original request to permit the remote site to perform the permit of the SQL traffic..

If one only has an outside and an inside.. then using the global should be about the same as putting it on the outside interface.. (is that correct??)

If one has many DMZ's.. then one could put it on the outside.. or possibly one of the DMZ's (is that also correct??)

We recently upgraded for Pix 525's to ASA 5540's and we are new to the policy statements and answers to the above questions would go a long way to giving us insight.




This Discussion