Sql*Net Inspection Engine - Cisco Catalyst 6500 Series Configuration Manual

Detailed Information About Inspection Engines

SQL*Net Inspection Engine

Enabled by default for TCP port 1521
The SQL*Net protocol consists of different packet types that the FWSM handles to make the data stream
appear consistent with the Oracle applications on either side of the FWSM.
To configure the SQL*Net inspection engine, enter the following command:
FWSM/contexta(config)# fixup protocol sqlnet [port[-port]]
The default port is 1521 (TCP).
The FWSM NATs all addresses and looks in the packets for all embedded ports to open for SQL*Net
Version 1.
For SQL*Net Version 2, all DATA or REDIRECT packets that immediately follow REDIRECT packets
with a zero data length are fixed up.
The packets that the inspection engine must handle contain embedded host/port addresses in the following format:
(ADDRESS=(PROTOCOL=tcp)(DEV=6)(HOST=a.b.c.d)(PORT=a))
SQL*Net Version 2 TNSFrame types (Connect, Accept, Refuse, Resend, and Marker) are not scanned
for addresses to NAT, nor does the inspection engine open dynamic connections for any embedded ports
in the packet.
SQL*Net Version 2 TNSFrames of the Redirect and Data types are scanned for ports to open and addresses
to NAT only if they are preceded by a REDIRECT TNSFrame type with a zero data length for the payload. When the
Redirect message with data length zero passes through the FWSM, a flag is set in the connection data
structure so that the Data or Redirect message that follows is NATed and ports are dynamically
opened. If one of the TNS frame types listed in the preceding paragraph arrives after the Redirect message, the flag
is reset.
The SQL*Net inspection engine recalculates the checksum, changes the IP and TCP lengths, and readjusts
the sequence numbers and acknowledgment numbers using the delta between the lengths of the new and old
message.
SQL*Net Version 1 is assumed for all other cases. TNSFrame types (Connect, Accept, Refuse, Resend,
Marker, Redirect, and Data) and all packets are scanned for ports and addresses. Addresses are NATed
and port connections are opened.
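To make the Version 2 state machine described above concrete, here is an added Python model (not Cisco's code and not a representation of FWSM internals) that tracks the per-connection flag set by a zero-length REDIRECT, rewrites embedded HOST/PORT pairs through an assumed NAT table, records the ports that would be opened, and accumulates the length delta used to readjust sequence and acknowledgment numbers. The NAT table, frame-type labels and sample payload are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed NAT table: real (inside) address -> translated address.
NAT_TABLE = {"10.1.1.5": "192.0.2.5"}

# Embedded address format from the manual: (HOST=a.b.c.d)(PORT=a)
ADDR_RE = re.compile(r"\(HOST=([0-9.]+)\)\(PORT=(\d+)\)")


@dataclass
class ConnState:
    expect_fixup: bool = False    # the "flag" set by a zero-length REDIRECT
    seq_delta: int = 0            # cumulative new-length minus old-length
    opened_ports: list = field(default_factory=list)  # (host, port) pinholes


def inspect_v2(state, frame_type, payload):
    """Model SQL*Net v2 handling of one TNS frame; return the payload to forward."""
    if frame_type == "REDIRECT" and payload == "":
        # Zero data length: arm the flag, nothing to rewrite yet.
        state.expect_fixup = True
        return payload
    if frame_type in ("REDIRECT", "DATA") and state.expect_fixup:
        # The frame immediately following a zero-length REDIRECT is fixed up.
        state.expect_fixup = False

        def nat(m):
            host, port = m.group(1), m.group(2)
            new_host = NAT_TABLE.get(host, host)
            state.opened_ports.append((new_host, int(port)))
            return "(HOST=%s)(PORT=%s)" % (new_host, port)

        new_payload = ADDR_RE.sub(nat, payload)
        # Length change drives the sequence/ack readjustment on later segments.
        state.seq_delta += len(new_payload) - len(payload)
        return new_payload
    # Connect, Accept, Refuse, Resend, Marker (or Data/Redirect with the flag
    # clear): not scanned, and any armed flag is reset.
    state.expect_fixup = False
    return payload


def adjust_seq(state, seq):
    """Apply the accumulated delta to a 32-bit sequence or ack number."""
    return (seq + state.seq_delta) & 0xFFFFFFFF
```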
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
13-20
Unexpected transition by the SMTP server.
For unknown commands, the FWSM changes all the characters in the packet to X. In this case, the
server will generate an error code to the client. Because of the change in the packet, the TCP
checksum has to be recalculated.
TCP stream editing.
Command pipelining.
Chapter 13
Configuring Application Protocol Inspection
OL-6392-01
