Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 13 Configuring Application Protocol Inspection
Detailed Information About Inspection Engines
• Unexpected transition by the SMTP server.
• For unknown commands, the FWSM changes all the characters in the packet to X. In this case, the
server will generate an error code to the client. Because of the change in the packet, the TCP
checksum has to be recalculated.
• TCP stream editing.
• Command pipelining.
SQL*Net Inspection Engine
Enabled by default for TCP port 1521
The SQL*Net protocol consists of different packet types that the FWSM handles to make the data stream
appear consistent with the Oracle applications on either side of the FWSM.
To configure the SQL*Net inspection engine, enter the following command:
FWSM/contexta(config)# fixup protocol sqlnet [port[-port]]
The default port is 1521 (TCP).
The FWSM NATs all addresses and looks in the packets for all embedded ports to open for SQL*Net Version 1.
For SQL*Net Version 2, all DATA or REDIRECT packets that immediately follow REDIRECT packets
with a zero data length are fixed up.
The packets that require inspection contain embedded host/port addresses in the following format:
(ADDRESS=(PROTOCOL=tcp)(DEV=6)(HOST=a.b.c.d)(PORT=a))
SQL*Net Version 2 TNSFrame types (Connect, Accept, Refuse, Resend, and Marker) are not scanned for addresses to NAT, nor does the inspection engine open dynamic connections for any embedded ports in the packet.
SQL*Net Version 2 Redirect and Data TNSFrames are scanned for ports to open and addresses to NAT if they are preceded by a Redirect TNSFrame with a zero-length payload. When a Redirect message with a data length of zero passes through the FWSM, a flag is set in the connection data structure so that the Data or Redirect message that follows is NATed and its embedded ports are dynamically opened. If one of the TNSFrame types listed in the preceding paragraph arrives after the Redirect message, the flag is reset.
The SQL*Net inspection engine recalculates the checksum, changes the IP and TCP lengths, and readjusts the sequence numbers and acknowledgment numbers using the difference between the lengths of the new and old message.
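The following model of the Version 2 rules is an added example and is not FWSM code: it arms a per-connection flag on a zero-length Redirect, rewrites the embedded HOST in the next Data or Redirect frame according to a NAT mapping, records the port to open, and tracks the length delta used for the sequence/acknowledgment adjustment. The frame type names, the NAT mapping, and the sample stream are all constructed for illustration.

```python
import re

# TNS frame types named in the guide; Version 2 rules treat these two groups differently.
SCANNED = {"Redirect", "Data"}
NOT_SCANNED = {"Connect", "Accept", "Refuse", "Resend", "Marker"}

# Embedded address format from the guide: (ADDRESS=(PROTOCOL=tcp)(DEV=6)(HOST=a.b.c.d)(PORT=a))
ADDR_RE = re.compile(r"\(HOST=([^)]+)\)\(PORT=(\d+)\)")

def rewrite_address(payload, nat_map):
    """Rewrite each embedded HOST per nat_map; return (new_payload, [(host, port), ...])."""
    pinholes = []
    def sub(m):
        host, port = nat_map.get(m.group(1), m.group(1)), int(m.group(2))
        pinholes.append((host, port))
        return f"(HOST={host})(PORT={port})"
    return ADDR_RE.sub(sub, payload), pinholes

def inspect_v2_stream(frames, nat_map):
    """Model the Version 2 rule: a Redirect with a zero-length payload arms a flag on the
    connection; the Data/Redirect frame that immediately follows is NATed and its embedded
    port opened; any not-scanned frame type arriving first resets the flag.
    Returns (frames_out, pinholes, length_deltas); each delta is the seq/ack adjustment
    (new length minus old length) the inspection engine would apply."""
    expect_fixup = False
    out, pinholes, deltas = [], [], []
    for ftype, payload in frames:
        if ftype == "Redirect" and len(payload) == 0:
            expect_fixup = True
        elif ftype in NOT_SCANNED:
            expect_fixup = False
        elif ftype in SCANNED and expect_fixup:
            new_payload, holes = rewrite_address(payload, nat_map)
            pinholes.extend(holes)
            deltas.append(len(new_payload) - len(payload))
            payload = new_payload
            expect_fixup = False  # assumption: only the immediately following frame is fixed up
        out.append((ftype, payload))
    return out, pinholes, deltas

# Constructed sample stream (not a real capture); addresses are from documentation ranges.
NAT_MAP = {"10.1.1.5": "192.0.2.50"}
SAMPLE_FRAMES = [
    ("Connect", "(CONNECT_DATA=(SERVICE_NAME=orcl))"),
    ("Redirect", ""),                                                        # arms the flag
    ("Data", "(ADDRESS=(PROTOCOL=tcp)(DEV=6)(HOST=10.1.1.5)(PORT=1522))"),  # fixed up
    ("Redirect", ""),
    ("Marker", ""),                                                          # resets the flag
    ("Data", "(ADDRESS=(PROTOCOL=tcp)(DEV=6)(HOST=10.1.1.5)(PORT=1523))"),  # left alone
]

if __name__ == "__main__":
    frames, holes, deltas = inspect_v2_stream(SAMPLE_FRAMES, NAT_MAP)
    print(frames, "pinholes:", holes, "seq/ack deltas:", deltas)
```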
SQL*Net Version 1 is assumed for all other cases. All TNSFrame types (Connect, Accept, Refuse, Resend, Marker, Redirect, and Data) and all packets are scanned for ports and addresses. Addresses are NATed and port connections are opened.