Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
499
Views
0
Helpful
4
Replies

PIX 7.0 inspect

itrequest
Level 1
Level 1

‎05-03-2007 04:07 AM - edited ‎03-11-2019 03:08 AM

As you are all aware, by default the 'inspect sqlnet' feature is switched on under the global policy map on PIX v7 firewalls.

I would like to keep the 'inspect sqlnet' feature on at the global policy level, but turn it off for traffic travelling between a specific source/destination network using access lists.

Is this possible? If so, could someone please provide some guidance on how to do this?

Many Thanks

Labels:
0 Helpful
4 Replies 4

vijayasankar
Level 4
Level 4

‎05-03-2007 10:00 PM

Hi,

You can achieve that by configuring a layer3/4 policy and bind it to an interface.

Policy binded to the interface will take precedence than the gloabal default inspection policy.

Have a look at this URL for more details.

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008063706a.html

For example: You can configure as follows

Define a acl, to exclude the traffic between source and destination network and then permit everything else.

Create class map and match this ACL in it.

Create a policy-map, call this class-map and perform inpsect sqlnet for the matching traffic in the class-map.

Bind this policy-map to the appropriate interface.

Sample configuration

*********************

access-list sqlnettraffic deny ip

access-list sqlnettraffic permit ip any any

class-map my-sqlnet-traffic

match access-list sqlnettraffic

policy-map my-sqlnet-policy

class my-sqlnet-traffic

inspect sqlnet

service-policy my-sqlnet-policy interface outside

This should help to acheive what you are looking.

Hope this helps.

-VJ

0 Helpful

amcneish
Level 1
Level 1
In response to vijayasankar

‎05-11-2007 01:40 PM

Just a follow on question.. what would be the difference if once just modified the SQL behaviour in the global policy instead .. with access lists.. etc

0 Helpful

vijayasankar
Level 4
Level 4
In response to amcneish

‎05-11-2007 08:56 PM

Hi,

That will affect for all the SQL traffic passing through the firewall.

What is your exact requirement? Why do you want to disable the SQL inspect feature.?

-VJ

0 Helpful

amcneish
Level 1
Level 1
In response to vijayasankar

‎05-12-2007 04:30 AM

I was interested in the original request to permit the remote site to perform the permit of the SQL traffic..

If one only has an outside and an inside.. then using the global should be about the same as putting it on the outside interface.. (is that correct??)

If one has many DMZ's.. then one could put it on the outside.. or possibly one of the DMZ's (is that also correct??)

We recently upgraded for Pix 525's to ASA 5540's and we are new to the policy statements and answers to the above questions would go a long way to giving us insight.

Thanks

Andy

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card