Cisco ASA 5505 Configuration Manual page 892
Chapter 39 Configuring Inspection of Database and Directory Protocols
Cisco ASA 5500 Series Configuration Guide using ASDM, page 39-2 (OL-20339-01)

During connection negotiation, a BIND PDU is sent from the client to the server. Once a successful BIND RESPONSE from the server is received, other operational messages may be exchanged (such as ADD, DEL, SEARCH, or MODIFY) to perform operations on the ILS Directory. The ADD REQUEST and SEARCH RESPONSE PDUs may contain IP addresses of NetMeeting peers, used by H.323 (SETUP and CONNECT messages) to establish the NetMeeting sessions. Microsoft NetMeeting v2.X and v3.X provide ILS support.

The ILS inspection performs the following operations:
• Decodes the LDAP REQUEST/RESPONSE PDUs using the BER decode functions
• Parses the LDAP packet
• Extracts IP addresses
• Translates IP addresses as necessary
• Encodes the PDU with translated addresses using BER encode functions
• Copies the newly encoded PDU back to the TCP packet
• Performs incremental TCP checksum and sequence number adjustment

ILS inspection has the following limitations:
• Referral requests and responses are not supported
• Users in multiple directories are not unified
• Single users having multiple identities in multiple directories cannot be recognized by NAT

Note: Because H.225 call signalling traffic only occurs on the secondary UDP channel, the TCP connection is disconnected after the interval specified by the TCP option in the Configuration > Firewall > Advanced > Global Timeouts pane. By default, this interval is set at 60 minutes.

SQL*Net Inspection

SQL*Net inspection is enabled by default.

The SQL*Net protocol consists of different packet types that the adaptive security appliance handles to make the data stream appear consistent to the Oracle applications on either side of the adaptive security appliance.

The default port assignment for SQL*Net is 1521. This is the value used by Oracle for SQL*Net, but this value does not agree with IANA port assignments for Structured Query Language (SQL).

Note: Disable SQL*Net inspection when SQL data transfer occurs on the same port as the SQL control TCP port 1521. The security appliance acts as a proxy when SQL*Net inspection is enabled and reduces the client window size from 65000 to about 16000, causing data transfer issues.

The adaptive security appliance translates all addresses and looks in the packets for all embedded ports to open for SQL*Net Version 1.

For SQL*Net Version 2, all DATA or REDIRECT packets that immediately follow REDIRECT packets with a zero data length will be fixed up.

The packets that need fix-up contain embedded host/port addresses in the following format:
(ADDRESS=(PROTOCOL=tcp)(DEV=6)(HOST=a.b.c.d)(PORT=a))
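As an added illustration, not code from the Cisco manual or from the ASA itself, the following Python models what an inspection engine has to do with the descriptor format quoted above and with the Version 2 fix-up rule: it rewrites the HOST field of each embedded ADDRESS descriptor according to a NAT table, records the translated host/port pairs that would need pinholes, and applies the rewrite only to DATA or REDIRECT packets that immediately follow a zero-length REDIRECT. The packet tuples, the NAT table and the addresses are constructed sample data, and the regexes and function names are assumptions of this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Embedded host/port descriptor format quoted in the manual:
# (ADDRESS=(PROTOCOL=tcp)(DEV=6)(HOST=a.b.c.d)(PORT=a))
ADDRESS_RE = re.compile(r"\(ADDRESS=((?:\([A-Z]+=[^()]*\))+)\)")
PARAM_RE = re.compile(r"\(([A-Z]+)=([^()]*)\)")
Packet = Tuple[str, str]  # (packet type, payload text): a constructed simplification

def rewrite_addresses(payload: str, nat: Dict[str, str]) -> Tuple[str, List[Tuple[str, int]]]:
    """Translate HOST in every embedded ADDRESS descriptor per the NAT table and
    collect the (translated host, port) pairs the firewall would open pinholes for."""
    pinholes = []

    def fix(m):
        params = dict(PARAM_RE.findall(m.group(1)))
        host, port = params.get("HOST"), params.get("PORT", "")
        if host in nat:
            params["HOST"] = nat[host]
        if params.get("PROTOCOL", "").lower() == "tcp" and port.isdigit():
            pinholes.append((params["HOST"], int(port)))
        return "(ADDRESS=%s)" % "".join("(%s=%s)" % kv for kv in params.items())

    return ADDRESS_RE.sub(fix, payload), pinholes

def needs_fixup(prev: Optional[Packet], cur: Packet) -> bool:
    """The manual's v2 rule: a DATA or REDIRECT packet is fixed up only when it
    immediately follows a REDIRECT packet with zero data length."""
    return (prev is not None and prev[0] == "REDIRECT" and prev[1] == ""
            and cur[0] in ("DATA", "REDIRECT"))

def inspect_stream(packets: List[Packet], nat: Dict[str, str]):
    """Apply the fix-up rule over a packet sequence; return rewritten packets and pinholes."""
    out, pinholes, prev = [], [], None
    for pkt in packets:
        if needs_fixup(prev, pkt):
            payload, holes = rewrite_addresses(pkt[1], nat)
            pinholes.extend(holes)
            pkt = (pkt[0], payload)
        out.append(pkt)
        prev = pkt
    return out, pinholes

# Constructed sample: inside host 10.1.1.5 is seen from outside as 203.0.113.5.
NAT_TABLE = {"10.1.1.5": "203.0.113.5"}
SAMPLE_PACKETS = [
    ("REDIRECT", ""),  # zero-length REDIRECT, so the next packet is fixed up
    ("REDIRECT", "(ADDRESS=(PROTOCOL=tcp)(DEV=6)(HOST=10.1.1.5)(PORT=1526))"),
    ("DATA", "(ADDRESS=(PROTOCOL=tcp)(DEV=6)(HOST=10.1.1.5)(PORT=1521))"),  # left as is
]
```

Running `inspect_stream(SAMPLE_PACKETS, NAT_TABLE)` rewrites only the second packet and yields one pinhole, (203.0.113.5, 1526); the third packet is untouched because its predecessor is not a zero-length REDIRECT.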