“Hi ..,

Allowing all ports over 1024 is not a good way, as you have described. SQL*NET opens dynamic ports, so it is not nice to open high ports (>1024). The way SQL*NET is written is very similar to FTP, and it is not packet-filter (ACL) friendly. You need a special handler for this protocol. I didn’t have to use the following in production, but let me know if this works for you:

You can use the “class-map” command to apply sqlnet inspection to a range of port numbers. The good news is that ASA has one. If you have the SQL*Net (formerly OraServ) protocol passing through your ASA system, then only an inbound data connection is permitted through the adaptive security appliance. Cisco ASA supports both versions 1 and 2 of Oracle SQL*NET. ASA is able to perform NAT and look in the packets for all embedded ports to allow the necessary communication for SQL*Net. To enable SQL*Net inspection, use the “inspect sqlnet” command (in the past this command was known as “fixup protocol sqlnet”).

The default port assignment for SQL*Net is 1521. This is the value used by Oracle for SQL*Net, but this value does not agree with IANA port assignments for Structured Query Language (SQL). Use the class-map command to apply SQL*Net inspection to a range of port numbers. SQL*Net inspection is enabled by default on ASA.

To enable the SQL*Net inspection engine, check the following example, which creates a class map to match SQL*Net traffic on the default port (1521). The service policy is then applied to the outside interface.

    hostname(config)# class-map sqlnet-port
    hostname(config-cmap)# match port tcp eq 1521
    hostname(config-cmap)# exit
    hostname(config)# policy-map sqlnet_policy
    hostname(config-pmap)# class sqlnet-port
    hostname(config-pmap-c)# inspect sqlnet
    hostname(config-pmap-c)# exit
    hostname(config)# service-policy sqlnet_policy interface outside

To enable SQL*Net inspection for all interfaces, use the global parameter in place of interface outside.

Generic usage is as follows:

    ….
    access-list 100 extended permit tcp host 192.168.1.1 host 172.16.1.1 eq sqlnet
    ……
    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map global_policy
     class inspection_default
      inspect sqlnet
    !
    service-policy global_policy global

This is supposed to work, but I personally do not like any dynamic port mapping protocols, starting with RPC; all of them are firewall headaches and vulnerability points:

http://www.cisco.com/warp/public/707/cisco-sa-20070214-pix.shtml
http://www.cisco.com/en/US/customer/products/ps6120/products_command_reference_chapter09186a008063f0e8.html#wp1667425

I hope this helps,

Regards,
- yinal”
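As an added example (not from yinal's reply and not Cisco's code), the following Python sketch shows why the "open everything above 1024" packet filter in the question cannot cope with SQL*Net and what an inspection engine such as "inspect sqlnet" has to do: parse the TNS REDIRECT packet the listener sends back to the client, pull the embedded HOST/PORT out of it, and open a pinhole only for that endpoint. It assumes the classic TNS header layout (8 bytes with a 2-byte length field; newer TNS versions can carry a 4-byte length) and a REDIRECT body consisting of a 2-byte data length followed by the connect descriptor. The packet it parses is constructed inline, not captured, and the host and port values are placeholders.

```python
"""Why a static ACL cannot follow SQL*Net, and what an inspection engine does.

Added example, not from the original post. Assumes the classic TNS packet
layout (8-byte header, 2-byte length) and a REDIRECT body of a 2-byte length
plus a connect descriptor. The sample packet below is constructed.
"""
import re
import struct

TNS_HEADER = struct.Struct("!HHBBH")   # length, pkt checksum, type, flags, hdr checksum
TNS_REDIRECT = 5                       # packet type the listener uses to move a client
SQLNET_LISTENER_PORT = 1521            # the only port a static 'eq sqlnet' ACL knows


def build_redirect(connect_descriptor: str) -> bytes:
    """Construct a TNS REDIRECT packet carrying the given connect descriptor."""
    data = connect_descriptor.encode("ascii")
    body = struct.pack("!H", len(data)) + data
    header = TNS_HEADER.pack(TNS_HEADER.size + len(body), 0, TNS_REDIRECT, 0, 0)
    return header + body


def redirect_target(packet: bytes):
    """Return (host, port) embedded in a REDIRECT packet, or None for any other type."""
    if len(packet) < TNS_HEADER.size:
        raise ValueError("truncated TNS header")
    length, _, ptype, _, _ = TNS_HEADER.unpack_from(packet)
    if length != len(packet):
        raise ValueError("TNS length field does not match packet size")
    if ptype != TNS_REDIRECT:
        return None
    (dlen,) = struct.unpack_from("!H", packet, TNS_HEADER.size)
    data = packet[TNS_HEADER.size + 2 : TNS_HEADER.size + 2 + dlen]
    if len(data) != dlen:
        raise ValueError("truncated REDIRECT data")
    text = data.decode("ascii", errors="replace")
    host = re.search(r"\(HOST=([^)]+)\)", text)
    port = re.search(r"\(PORT=(\d+)\)", text)
    if not host or not port:
        return None
    return host.group(1), int(port.group(1))


def static_acl_allows(dst_port: int) -> bool:
    """What a plain 'permit tcp ... eq sqlnet' ACL sees: the listener port only."""
    return dst_port == SQLNET_LISTENER_PORT


class SqlnetInspector:
    """Tiny model of 'inspect sqlnet': watch server->client packets and open a
    pinhole for the endpoint announced in a REDIRECT, and for nothing else."""

    def __init__(self):
        self.pinholes = set()   # (host, port) pairs temporarily permitted

    def observe_server_packet(self, packet: bytes):
        target = redirect_target(packet)
        if target:
            self.pinholes.add(target)
        return target

    def allows(self, dst_host: str, dst_port: int) -> bool:
        return static_acl_allows(dst_port) or (dst_host, dst_port) in self.pinholes


# Constructed sample: listener on 1521 hands the client off to a dedicated server port.
SAMPLE_REDIRECT = build_redirect("(ADDRESS=(PROTOCOL=tcp)(HOST=172.16.1.1)(PORT=49153))")

if __name__ == "__main__":
    host, port = redirect_target(SAMPLE_REDIRECT)
    print(f"listener redirected client to {host}:{port}")
    print("static ACL allows the follow-up connection:", static_acl_allows(port))
    insp = SqlnetInspector()
    insp.observe_server_packet(SAMPLE_REDIRECT)
    print("inspection engine allows it:", insp.allows(host, port))
    print("inspection engine allows some other high port:", insp.allows(host, 50000))
```

The static ACL rejects the redirected connection, which is exactly the failure that tempts people into "permit everything above 1024"; the inspector permits the one endpoint the listener actually announced and still rejects every other high port, which is the point of using the protocol-aware handler instead of a wide-open ACL.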
Sunday, August 26, 2007