Cisco Systems ASA 5585-X Manual De Usuario
12-2
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 12 Configuring Inspection of Database and Directory Protocols
SQL*Net Inspection
During connection negotiation time, a BIND PDU is sent from the client to the server. Once a successful
BIND RESPONSE from the server is received, other operational messages may be exchanged (such as
ADD, DEL, SEARCH, or MODIFY) to perform operations on the ILS Directory. The ADD REQUEST
and SEARCH RESPONSE PDUs may contain IP addresses of NetMeeting peers, used by H.323 (SETUP
and CONNECT messages) to establish the NetMeeting sessions. Microsoft NetMeeting v2.X and v3.X
provides ILS support.
BIND RESPONSE from the server is received, other operational messages may be exchanged (such as
ADD, DEL, SEARCH, or MODIFY) to perform operations on the ILS Directory. The ADD REQUEST
and SEARCH RESPONSE PDUs may contain IP addresses of NetMeeting peers, used by H.323 (SETUP
and CONNECT messages) to establish the NetMeeting sessions. Microsoft NetMeeting v2.X and v3.X
provides ILS support.
The ILS inspection performs the following operations:
•
Decodes the LDAP REQUEST/RESPONSE PDUs using the BER decode functions
•
Parses the LDAP packet
•
Extracts IP addresses
•
Translates IP addresses as necessary
•
Encodes the PDU with translated addresses using BER encode functions
•
Copies the newly encoded PDU back to the TCP packet
•
Performs incremental TCP checksum and sequence number adjustment
ILS inspection has the following limitations:
•
Referral requests and responses are not supported
•
Users in multiple directories are not unified
•
Single users having multiple identities in multiple directories cannot be recognized by NAT
Note
Because H225 call signalling traffic only occurs on the secondary UDP channel, the TCP connection is
disconnected after the interval specified by the TCP timeout command. By default, this interval is set at
60 minutes.
disconnected after the interval specified by the TCP timeout command. By default, this interval is set at
60 minutes.
SQL*Net Inspection
SQL*Net inspection is enabled by default.
The SQL*Net protocol consists of different packet types that the ASA handles to make the data stream
appear consistent to the Oracle applications on either side of the ASA.
appear consistent to the Oracle applications on either side of the ASA.
The default port assignment for SQL*Net is 1521. This is the value used by Oracle for SQL*Net, but
this value does not agree with IANA port assignments for Structured Query Language (SQL). Use the
class-map command to apply SQL*Net inspection to a range of port numbers.
this value does not agree with IANA port assignments for Structured Query Language (SQL). Use the
class-map command to apply SQL*Net inspection to a range of port numbers.
Note
Disable SQL*Net inspection when SQL data transfer occurs on the same port as the SQL control TCP
port 1521. The security appliance acts as a proxy when SQL*Net inspection is enabled and reduces the
client window size from 65000 to about 16000 causing data transfer issues.
port 1521. The security appliance acts as a proxy when SQL*Net inspection is enabled and reduces the
client window size from 65000 to about 16000 causing data transfer issues.
The ASA translates all addresses and looks in the packets for all embedded ports to open for SQL*Net
Version 1.
Version 1.
For SQL*Net Version 2, all DATA or REDIRECT packets that immediately follow REDIRECT packets
with a zero data length will be fixed up.
with a zero data length will be fixed up.
The packets that need fix-up contain embedded host/port addresses in the following format:
(ADDRESS=(PROTOCOL=tcp)(DEV=6)(HOST=a.b.c.d)(PORT=a))