Advantage/disavantage of disabling "no inspect sqlnet"

Similar Messages

• Can I disable "inspect sqlnet?"

  In a recent Cisco Security Advisory (Advisory ID: cisco-sa-20131009-asa) there is a "SQL*Net Inspection Engine Denial of Service Vulnerability" identified.  I plan to follow the upgrade process to resolve this, however, I will not be able to perform the upgrade for a couple of weeks.
  The temporary work around suggested is to disable SQL*Net inspection:
  ciscoasa(config)# policy-map global_policy
  ciscoasa(config-pmap)# class inspection_default
  ciscoasa(config-pmap-c)# no inspect sqlnet
  This seems simple enough, but I am banging my head on the desk trying to figure out how this will affect any database traffic that may be going through these interfaces.  If the default sqlnet inspection is disabled does that mean I need to add explicit ACL entries per interface to allow that traffic?  I've reviewwed the information from this thread: https://supportforums.cisco.com/thread/2005571
  I know there are SQL and Oracle databases on this particular segment, but what confuses me is that there are no rules configured to NAT anything right now.  Is there some sort of way to see if any traffic even matches that default inspection so I know whether it's doing anything right now?
  I seem to be overthinking this because I keep going in circles with my own reasoning.  I'm not sure what config information to include with my question.  I can tell you that there are many interfaces in use.  There is no NAT.  There are mulitple security levels. 
  Thank you in advance.

  Patrick,
  Thank you!  This was exactly what I was asking for.  In my post I asked the question "Is there some sort of way to see if any traffic even matches that default inspection." 
  That is all I needed.  I don't know why I couldn't find how to show this information.

• Disable esmtp Inspection for Specific Host

  Hello.  Is it possible to disable esmtp inspection for a specific INSIDE host with use of a policy-map?  If so, could you provide an example configuration.
   

  Yes it is possible.  You could do something like the following:
  access-list ESMTP deny ip host 1.1.1.10 any
  access-list ESMTP permit ip 1.1.1.0 255.255.255.0 any
  class-map CMAP
  match access-list ESMTP
  policy-map PMAP
  class CMAP
  inspect esmtp
  service-policy PMAP interface inside
  Please remember to select a correct answer and rate helpful posts

• Disable http inspection in global_policy FWSM

  I am running 4.0(7) and we are experiencing some issues with downloads - specifically http downloads. Anything with an https link works fine.
  Looking into the config on the FWSM i see that under the global_policy we are inspecting http
  policy-map global_policy
   class inspection_default
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect skinny
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect icmp
    inspect http
  I would like to remove inspect http as a test to see if this is causing our problems, but am unsure of the impact of doing this?
  Also it is strange as this option has been there for a long time and our download issues have only recently started to happen, it does seem to be only for http links though?
  I don't really understand what the inspection engine does?

  Well,
  I removed the http inspection and it broke all inbound and outbound web services!
  Then I discover this
  url-server (WEB-Sense) vendor websense host 10.*.*.* timeout 30 protocol TCP version 1 connections 5
  filter url except 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 allow
  This web-sense server is down and no longer used.
  But am I correct to assume that the prescense of this config caused a problem as all http was trying to go via the Websense but with the http inspection enabled it is able to go out direct?
  I am unclear as to exactly how the inspection and the url-server / filter url commands interact.
  Thanks
  Roger

• Should I disable ESMTP inspect engine on the ASA??

  Hello all,
  I read a lot of blog that recomend disable the ESMTP inspect engine because in the mostly time affects email comunication servers between networks.
  It is a good pratice ??
  Thank you  !!!!!

  Hi Konsu,
  You will find your answer here:
  https://supportforums.cisco.com/message/3110997#3110997
  Hope that helps.
  Varun

• How to disable UDP inspection

  Hello, I am doing a pre-deployment testing for our new ASA. We are using VeEX tester to generate 10G traffic. Unfortunately, this tester does not have layer 4 traffic support for 10G, all of UDP header, etc. belong to DATA and only can fill 16 bytes pattern (repeat one pattern to fill). This causes ASA to reject package with invalid udp length or invalid UDP port etc. Is any CLI cmd that we can use to disable this UDP checking and passing layer 3 traffic directly? We like to get base performance throughput data.
  Thanks in advance.

  Hi Gongyuan Yao,
  You maybe should move your question to the community "Security > Firewalling" since you ask for help on ASA configuration.
  Best regards
  Roger

• Command to disable packet inspection?

  cisco 2651XM
  IOS: c2600-ipbasek9-mz.124-23.bin
  I need to diable RDP packet inspection on this router but I can't find where I do that. I'm having troubele with audio on a sip line and I read here (bottom of page)
  http://forums.asterisk.org/viewtopic.php?f=1&t=76056&p=150405&hilit=one+way+audio+forward+ports#p150405
  that turning off RDP packet solved the problem. I've looked through the config and searched on google but couldn't find the asnwer. what is the command to turn off RDP packet inspection?

  Do you have a firewall in the picture because it would be the firewall like ASA performing packet inspection not the 2600 router.  Also unless I am missing something I think it is weird that RDP (Port 3389) packet inspection causing issues with your SIP line.  Unless asterik uses that port for something.  Any ways start from your firewall.  Also setup a sniffer and see what is happening to the packets.

• Potential Impact of Disabling Default HTTP Inspection Policy

  I have a 5500-series firewall configured with basic HTTP inspection via the default global policy-map.  The software for this firewall is recent 8.2(x).
  Some questions:
  1. I am under the impression that default HTTP inspection will do basic validation of RFC compliance for HTTP traffic without any custom configuration.  All such traffic is inspected by the appliance.  Am I correct in this understanding?
  2. If so, would basic HTTP inspection create the potential for additional latency in the environment for matched traffic?
  3. Would removing the policy via the "no inspect http" command within the global policy-map be service disrupting?  Would I see any noticeable impact to HTTP traffic by doing this?
  Thank you for your responses in advance.
  Jeff

  Hi,
  These are the response to your queries:-
  1) Yes ,HTTP inspection will check all the connections destined to port 80 through the ASA device as per the RFC standards.
  2) Might be yes , As the HTTP connections are the major amount of traffic on the ASA device , too much traffic have to be inspected by the ASA device and re-assembling will also cause the ASA device to do  some extra processing.
  3) No , I think you would reduce the processing for the ASA after disabling this inspection.
  This would not cause any disruption in the traffic as it is not applied on the existing connections but only on the new connections which are made through the ASA device after the policy is modified.
  Also , check this:-
  http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113393-asa-troubleshoot-throughput-00.html
  Thanks and Regards,
  Vibhor Amrodia

• Disable inspection on Advanced returns

  Hi Experts
  The client that I am working with has an external WM system and the inspection is also going to be performed by the external system.
  Is it possible to disable the inspection control within the advanced returns?
  Thanks
  AshACC

  Hello,
  I've got the solution for the problem fron the SAP.
  If a content repository A2 (in transaction OAC0) is configured it's possible to store attachments to the material inspection.
  A configuration for a specific business object and/or document type is not nessessary. It works just with the content repository A2.
  Michael.
  Edited by: Michael Benner on Feb 22, 2011 4:54 PM

• ACS DB Replcation Fails Through Cisco Firewalls w/Skinny Policy Inspect

  We run Cisco ACS v3.3 (Windows) on two servers over our WAN, and replcate the internal databases for redundancy. The problem is that replications fail between the ACS servers and it is because of the default port the ACS servers use to replicate over...TCP 2000.
  Between the two servers are Cisco ASA firewalls running 7.2.2(19). We run Cisco MGCP VoIP phones between the sites as well, which utilize TCP 2000 for call control.
  When the policy-inspect skinny command is enabled on the firewalls, the ACS server replcation breaks, because the firewall sees that the TCP 2000 packets for the DB replication are not VoIP call control packets.
  Is there a way to reconfigure the ACS servers so they use a different port other than TCP 2000? (Registry hack, ini file edit, something???)
  Frankly, it is rather lame of Cisco to implement an already defined port for their DB replication that defined in IETF as a well know port for the skinny protocol. Even worse is that this problem continues to exist into v4.0 as I understand it.
  An no...we should not have to disable the inspect-policy for skinny on the ASA's. :-)
  Any help to qwell my frustration on this topic would be appreciated.
  Thanks,
  -Scott

  Scott,
  If disabling the inspection of the skinny protocol is not feasible, the following
  configuration sample may be incorporated into the firewall configuration so that replication traffic is not affected by the skinny fixup:
  In this example, the ACS servers are at IP addresses 10.1.2.3 and 10.4.5.6.
  #Define what traffic you want inspected:
  access-list skinny_acl extended deny ip host 10.1.2.3 host 10.4.5.6
  access-list skinny_acl extended deny ip host 10.4.5.6 host 10.1.2.3
  access-list skinny_acl extended permit tcp any any eq 2000
  #Create a class map to match the acl
  class-map skinny_map
  match access-list skinny_acl
  #Under the global policy, take the skinny inspection out of the
  #class inspection_default, and add it under our new class
  policy-map global_policy
  class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  class skinny_map
  inspect skinny
  service-policy global_policy global
  ###Will be inspected for skinny###
  FWSM(config-pmap-c)# show service-policy flow tcp host 172.16.1.2 host 172.16.5.6 eq 2000
  Global policy:
  Service-policy: global_policy
  Class-map: skinny_map
  Match: access-list skinny_acl
  Access rule: permit tcp any any eq 2000
  Action:
  Input flow: inspect skinny
  FWSM(config-pmap-c)#
  ###Will not be inspected for skinny###
  FWSM(config-pmap-c)# show service-policy flow tcp host 10.1.2.3 host 10.4.5.6 eq 2000
  Global policy:
  Service-policy: global_policy
  FWSM(config-pmap-c)#
  Regards,
  ~JG
  Please rate if helps !

• H323 inspect in a single class with match criteria

  Hi, I trying to apply this to make sure only inspect h323 traffic in a single host (that's a Video Conference host), but don't works. Only works when I applied the inspect in the inspection_default class.
  Here is the config:
  access-list 100 extended permit ip host x.x.x.x any
  access-list 100 extended permit ip any host x.x.x.x
  class-map h223_VC
  match access-list 100
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect ip-options
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
    inspect pptp
    inspect icmp
    inspect netbios
    inspect icmp error
  class h223_VC
    inspect h323 h225
  It´s possible? or is something wrong?
  Thanks a lot for your help

  Hi,
  When you have it in the global policy you only H323 H225 or you also have H323 ras?
  What do you see if you run this commands?
  packet-tracer input tcp 1025 1720
  sho service-policy flow tcp host host  eq 1720
  How do you test it?
  Luis Silva
  "If you need PDI (Planning, Design, Implement) assistance feel free to reach"
  http://www.cisco.com/web/partners/tools/pdihd.html

• Inspect http issue - unable to browse secure site.

  Hi,
  Current version of the asa firewall is 7.1(2) in which when the inspect http is enabled, while opening secure site like axis bank account or any money market site either blank page display or page can not display error message appear. When i disable this command i am able to access all the secure sites properly. It looks like a bug but in the release not i am not finding any bug related to this issue. Please help me resolve this issue.
  Amit M.

  Thanks for the reply. When i disable http inspection and when i try to open login page for some of the site then this page cannot be display appear. Also i try MSS might get exceeded and found in the show asp drop tcp mss is not showing. But still i create a class for mass exceed and apply it in globle configuration but it does not work. Latter i have to disable the http inspection and it started working. Now the question is while clicking on login butten it will go from http to https page during this shifting of http to https why does it affect the connection when enable http inspection.
  Following is the show asp drop output.
  Please check
  PIXFIREWALL# sho asp drop
  Frame drop:
    Invalid IP header                                          10
    No route to host                                           13
    Reverse-path verify failed                             398846
    Flow is denied by configured rule                 107075
    Flow denied due to resource limitation          35
    Invalid SPI                                                 2
    First TCP packet not SYN                           62706
    TCP failed 3 way handshake                        1211
    TCP RST/FIN out of order                             39
    TCP packet SEQ past window                      1
    TCP invalid ACK                                          1
    TCP packet buffer full                                    209
    TCP RST/SYN in window                               14
    TCP DUP and has been ACKed                      10411
    TCP packet failed PAWS test                         10
    IPSEC tunnel is down                                     137
    IP option drop                                                551
    Expired flow                                                   26
    ICMP Inspect seq num not matched                1057
    ICMP Error Inspect different embedded conn     60
    DNS Inspect id not matched                            4674
    IPS Module requested drop                              8
    FP L2 rule drop                                               22988
    Interface is down                                             8
  Flow drop:
    Flow terminated by IPS                                     16
    NAT failed                                                       13066
    Tunnel being brought up or torn down                514
    Need to start IKE negotiation                            2136
    Inspection failure                                               60

• Sqlnet.ora trace files getting generated even after turning off tracing

  Hi,
  I have recently added the following parameters to the sqlnet.ora file.
  TRACE_LEVEL_SERVER=16
  TRACE_FILE_SERVER=SERVER
  TRACE_DIRECTORY_SERVER=/ftpland/trace
  TRACE_TIMESTAMP_SERVER=on
  Even after removing these enteries from the sqlnet.ora I still see the trave files being generated.
  #####enable tracing###################
  #Trace_level_server=0
  #Trace_filelen_server=1000
  #Trace_fileno_server=1
  #Trace_timestamp_server=on
  #Trace_directory_server=/opt/oracle/product/10.2.0/network/trace
  #Diag_adr_enabled=off
  AUTOMATIC_IPC = ON
  TRACE_LEVEL_CLIENT = OFF
  SQLNET.EXPIRE_TIME = 10
  NAMES.DEFAULT_DOMAIN = bsca.eds.com
  NAME.DEFAULT_ZONE = bsca.eds.com
  SQLNET.CRYPTO_SEED = "232166927-1713903352"
  NAMES.DIRECTORY_PATH = (ONAMES,TNSNAMES)
  NAMES.PREFERRED_SERVERS =
        (ADDRESS_LIST =
          (ADDRESS =
            (COMMUNITY = TCP.bsca.eds.com)
            (PROTOCOL = TCP)
            (Host = oraclenames1.bsca.eds.com)
            (Port = 1575)
          (ADDRESS =
            (COMMUNITY = TCP.bsca.eds.com)
            (PROTOCOL = TCP)
            (Host = oraclenames2.bsca.eds.com)
            (Port = 1575)
  NAME.PREFERRED_SERVERS =
        (ADDRESS_LIST =
          (ADDRESS =
            (COMMUNITY = TCP.bsca.eds.com)
            (PROTOCOL = TCP)
            (Host = oraclenames1.bsca.eds.com)
            (Port = 1575)
  (ADDRESS =
            (COMMUNITY = TCP.bsca.eds.com)
            (PROTOCOL = TCP)
            (Host = oraclenames2.bsca.eds.com)
            (Port = 1575)
  BEQUEATH_DETACH=YES
  Regards,
  VN

  SID_LIST_LISTENER =
    (SID_LIST =
      (SID_DESC =
        (GLOBAL_DBNAME =ROSDMP.bsca.eds.com)
        (ORACLE_HOME = /opt/oracle/product/10.2.0)
        (SID_NAME = ROSDMP)
  TRACE_LEVEL_LISTENER=16
  I believe, this is the reason, you are seeing trace files even after disabling it in sqlnet.ora

• HTTP Inspection Cisco PIX 525

  I need to filter inbound HTTP requests <outside> to <dmz> headed to www.XYZ.com/XXX/admin/XXX.jsp.
  My regex is:    regex HACKBLOCK "*/admin/.*\.jsp*"
  My class-maps are: 
  class-map type regex match-any HACKBLOCK_METHOD
  match regex GET
  class-map XXXXTWBLOCK
  match access-list HACKBLOCK_HOSTS
  class-map type regex match-any HACKBLOCK_URL
  match regex HACKBLOCK
  class-map type inspect http match-all HACKBLOCK_FILTER
  match request uri regex class HACKBLOCK_URL
  class-map inspection_default
  match default-inspection-traffic
  My policy-maps are:
  policy-map type inspect http HACKBLOCK_HTTP
  parameters
  class HACKBLOCK_FILTER
    log
  policy-map global_policy
  class inspection_default
    inspect ftp
    inspect h323 h225
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect sip
    inspect skinny
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect xdmcp
    inspect dns
    inspect h323 ras
  class XXXXTWBLOCK
    inspect http HACKBLOCK_HTTP
  policy-map OUTSIDE
  class XXXXTWBLOCK
    inspect http HACKBLOCK_HTTP
  class class-default
  policy-map type inspect dns migrated_dns_map_1
  parameters
    message-length maximum 1200
  As you can see, I added the inspection rule to a seperate class name ENPROTWBLOCK.  This matches traffic based on destination of our class C.  I see that I am matching traffic in the ACL, but no matches on the HTTP inspection rule:
  #sh service-pol inspec http
  Global policy:
    Service-policy: global_policy
      Class-map: inspection_default
      Class-map: XXXXTWBLOCK
        Inspect: http HACKBLOCK_HTTP, packet 745097, drop 0, reset-drop 0
          protocol violations
            packet 34206
          class HACKBLOCK_FILTER
            log, packet 0
  enp-amer-clt-pix525-a#
  I am generating bogus traffic to http://www.<ourdomain>.com/admin/test.jsp
  Any idea whats going on here and why I am not macthing the HTTP uri's ????
  Thanks,
  Matthias  CCIE# 28445

  I get hits on the ACL.  The issue is that the HTTP inspection does not seem to function.  Just for my own understanding, the global policy will match inbound traffic arriving on the outside interface right ?
  access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65138) 0x6402ac20
  enp-amer-clt-pix525-a# sh access-list HACKBLOCK_HOSTS
  access-list HACKBLOCK_HOSTS; 1 elements
  access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65245) 0x6402ac20
  enp-amer-clt-pix525-a# sh access-list HACKBLOCK_HOSTS
  access-list HACKBLOCK_HOSTS; 1 elements
  access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65285) 0x6402ac20

• DNS Inspection Denial of Service Vulnerability

  Advisory ID: cisco-sa-20131009-asa
  http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa
  I have a Pix running version 8.0.4 with the following configuration:
  inside interface:      192.168.231.254/255.255.255.0
  outside interface:     10.100.2.254/255.255.255.0
  no nat-control
  access-list test permit ip any any log
  access-group test in interface outside
  access-group test in interface inside
  I have a window 2008R2 residing on the Internal interface of the firewall.  The domain controller resides on the outside interface of the firewall.
  I went ahead and implement the change recommended by Cisco
  access-list DNS_INSPECT extended permit udp any any
  class-map DNS_INSPECT_CP
     match access-list  DNS_INSPECT
  policy-map global_policy
     class DNS_INSPECT_CP
       inspect dns preset_dns_map
  However, after implement the workaround, my windows 2008R2 machine on the inside network can NOT join with AD on the outside network.
  on the log of the firewall I see this:
  Oct 31 14:34:09 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61780 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes
  Oct 31 14:34:17 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61780 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes
  I even change the DNS maximum length to 8192 but it still does not work. 
  I remove the recommendation from the configuration, everything works fine after that.
  Anyone knows why?
  Thanks in advance

  Julio Carvajal wrote:U do not have this command right available at the CLI rightmessage-length maximum client auto
       I do
  CiscoPix# sh run policy-map
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 1024
    message-length maximum client auto
  policy-map global_policy
  class inspection_default
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect sqlnet
    inspect dns preset_dns_map
  class class_sunrpc_tcp
    inspect sunrpc
  class DNS_INSPECT_CP
    inspect dns preset_dns_map
  CiscoPix#
  Julio Carvajal wrote: Then clear-local host try one more time and provide the logs.Note:access-list test permit ip any any logaccess-group test in interface outsideaccess-group test in interface insideThat ACL means u have no firewall in place
  I am very aware of this.  At this point, it does not matter, it just want the firewall to function like a routing device.
  It still does NOT work.  Here is the log:
  Oct 31 17:57:25 192.168.231.254 %PIX-6-106100: access-list test permitted udp inside/192.168.231.180(61982) -> outside/10.100.2.128(53) hit-cnt 1 first hit [0x63a9cac7, 0x0]
  Oct 31 17:57:25 192.168.231.254 %PIX-6-106100: access-list test permitted udp inside/192.168.231.180(61983) -> outside/10.100.2.128(389) hit-cnt 1 first hit [0x63a9cac7, 0x0]
  Oct 31 17:57:25 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61983 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes
  Oct 31 17:57:32 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61983 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes
  Oct 31 17:57:33 192.168.231.254 %PIX-6-106100: access-list test permitted udp inside/192.168.231.180(50955) -> outside/10.100.2.128(53) hit-cnt 1 first hit [0x63a9cac7, 0x0]