Re: what is the advantage of enabling sqlnet inspection in ASA a
The fixup protocol sqlnet command causes the PIX Firewall to do the following for SQL*Net traffic on the indicated port:
Perform NAT in packet payload.
Dynamically create conduits for SQL*Net redirected connections.
Use the no form of the command to disable the inspection of traffic on the indicated port for SQL*Net connections. If the fixup protocol sqlnet command is not enabled for a given port, then the following will occur:
Outbound SQL*Net will work properly on that port as long as outbound traffic is not explicitly disallowed.
Inbound passive SQL*Net will not work properly on that port.
Using the clear fixup protocol sqlnet command without any arguments causes the PIX Firewall to clear all previous fixup protocol sqlnet assignments and set port 1521 back as the default.
SQL*Net is used to query remote SQL databases. Although the protocol was written by Oracle for Oracle databases, it works equally well to query the SQL databases of other vendors. The main issue to consider when securing SQL*Net is that while it only uses one TCP port for communications, that port can be redirected to a different port and, even more commonly, to a different secondary server altogether. When a client starts an SQL*Net connection, it opens a standard TCP channel from one of its high-order ports to port 1521 on the server. The server then proceeds to redirect the client to a different port or IP address. The client tears down the initial TCP connection and establishes the second connection using the redirected port.
While the default port inspected by the fixup protocol sqlnet command is 1521, Oracle registered TCP and UDP port 66 with IANA (Internet Assigned Numbers Authority). You may be required to add fixup protocol 66 to your configuration to support your particular implementation. Please see the following web page for details: http://www.iana.org/cgi-bin/usr-port-number.pl
For SQL*Net traffic, the PIX Firewall behaves in the following manner:
Outbound connections—If all outbound TCP traffic is implicitly allowed, no special handling is required because the client initiates all TCP connections from the inside.
If all outbound TCP traffic is not implicitly allowed, the PIX Firewall opens a conduit for the redirected channel between the server and the client.
Inbound connections—If a conduit exists allowing inbound SQL*Net connections to an SQL*Net server, the PIX Firewall opens an inbound conduit for the redirected channel.
fixup protocol sqlnet Command
The syntax of the fixup protocol sqlnet command is as follows:
fixup protocol sqlnet port[-port]
no fixup protocol sqlnet port[-port]
clear fixup protocol sqlnet
where port[-port] is a single port or port range that the PIX Firewall will inspect for SQL*Net connections.
By default, the PIX Firewall inspects port 1521 connections for SQL*Net traffic. If you have SQL*Net servers using ports other than port 1521, use the fixup protocol sqlnet command as illustrated in Example 9-4 to instruct the PIX Firewall to inspect these other ports for SQL*Net traffic.
Example 9-4 Adding and Removing Standard and Non-standard Ports for SQL*NET
pixfirewall(config)# fixup protocol sqlnet 1521
pixfirewall(config)# fixup protocol sqlnet 66
pixfirewall(config)# no fixup protocol sqlnet 1521