Cisco ASA firewall: SQLnet inspection: buffer limit

The SQL*Net protocol consists of different packet types that the security appliance handles to make the data
stream appear consistent to the Oracle applications on either side of the security appliance.
The default port assignment for SQL*Net is 1521. This is the value used by Oracle for SQL*Net, but this
value does not agree with IANA port assignments for Structured Query Language (SQL). Use the class−map
command to apply SQL*Net inspection to a range of port numbers.
The security appliance NATs all addresses and looks in the packets for all embedded ports to open for
SQL*Net Version 1.
For SQL*Net Version 2, all DATA or REDIRECT packets that immediately follow REDIRECT packets with
a zero data length will be fixed up.
The packets that need fix−up contain embedded host/port addresses in the following format:
SQL*Net Version 2 TNSFrame types (Connect, Accept, Refuse, Resend, and Marker) will not be scanned for
addresses to NAT nor will inspection open dynamic connections for any embedded ports in the packet.
SQL*Net Version 2 TNSFrames, Redirect, and Data packets will be scanned for ports to open and addresses
to NAT, if preceded by a REDIRECT TNSFrame type with a zero data length for the payload. When the
Redirect message with data length zero passes through the security appliance, a flag will be set in the
Re: [fw−wiz] Cisco ASA firewall: SQLnet inspection: buffer limit
Re: [fw−wiz] Cisco ASA firewall: SQLnet inspection: buffer limit 1
connection data structure to expect the Data or Redirect message that follows to be NATed and ports to be
dynamically opened. If one of the TNS frames in the preceding paragraph arrive after the Redirect message,
the flag will be reset.
The SQL*Net inspection engine will recalculate the checksum, change IP, TCP lengths, and readjust
Sequence Numbers and Acknowledgment Numbers using the delta of the length of the new and old message.
SQL*Net Version 1 is assumed for all other cases. TNSFrame types (Connect, Accept, Refuse, Resend,
Marker, Redirect, and Data) and all packets will be scanned for ports and addresses. Addresses will be
NATed and port connections will be opened.
You enable the SQL*Net inspection engine as shown in the following example, which creates a class map to
match SQL*Net traffic on the default port (1521). The service policy is then applied to the outside interface.
**Here is also where you can mark the port range [port [−port] ] − meaning you can use range 1521−2000
hostname(config)# class−map sqlnet−port
hostname(config−cmap)# match port tcp eq 1521
hostname(config−cmap)# exit
hostname(config)# policy−map sqlnet_policy
hostname(config−pmap)# class sqlnet−port
hostname(config−pmap−c)# inspect sqlnet
hostname(config−pmap−c)# exit
hostname(config)# service−policy sqlnet_policy interface outside
To enable SQL*Net inspection for all interfaces, use the global parameter in place of interface outside.


1 Response to "Cisco ASA firewall: SQLnet inspection: buffer limit"

Syed Balal Rumy said... December 5, 2011 at 8:45 PM

Thanks for valuable information.

For more information on ASA ,please visit

Post a Comment