New Member

PIX 7.0 inspect

As you are all aware, by default the 'inspect sqlnet' feature is switched on under the global policy map on PIX v7 firewalls.

I would like to keep the 'inspect sqlnet' feature on at the global policy level, but turn it off for traffic travelling between a specific source/destination network using access lists.

Is this possible? If so, could someone please provide some guidance on how to do this?

Many Thanks


Re: PIX 7.0 inspect


You can achieve that by configuring a layer 3/4 policy and binding it to an interface.

A policy bound to the interface will take precedence over the global default inspection policy.

Have a look at this URL for more details.

For example: You can configure as follows

Define an ACL to exclude the traffic between the source and destination network and then permit everything else.

Create a class map and match this ACL in it.

Create a policy-map, call this class-map and perform inspect sqlnet for the matching traffic in the class-map.

Bind this policy-map to the appropriate interface.

Sample configuration


access-list sqlnettraffic deny ip
access-list sqlnettraffic permit ip any any

class-map my-sqlnet-traffic
 match access-list sqlnettraffic

policy-map my-sqlnet-policy
 class my-sqlnet-traffic
  inspect sqlnet

service-policy my-sqlnet-policy interface outside

This should help to achieve what you are looking for.

Hope this helps.


New Member

Re: PIX 7.0 inspect

Just a follow-on question: what would be the difference if one just modified the SQL behaviour in the global policy instead, with access lists, etc.?

Re: PIX 7.0 inspect


That will affect all the SQL traffic passing through the firewall.

What is your exact requirement? Why do you want to disable the SQL inspect feature?


New Member

Re: PIX 7.0 inspect

I was interested in the original request to permit the remote site to perform the permit of the SQL traffic..

If one only has an outside and an inside.. then using the global should be about the same as putting it on the outside interface.. (is that correct??)

If one has many DMZ's.. then one could put it on the outside.. or possibly one of the DMZ's (is that also correct??)

We recently upgraded from PIX 525s to ASA 5540s and we are new to the policy statements, and answers to the above questions would go a long way to giving us insight.


