topic Re: Cisco ASA sqlnet inspection in Network Security

Cisco ASA sqlnet inspection

rouzbehta — Thu, 16 Nov 2023 00:25:31 GMT

Hello,

I have bypassed the sqlnet inspection, in packet-tracer phase 3, it shows that it is bypassed:

Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Elapsed time: 3794 ns
Config:
class-map oracle-tcp-bypass
match access-list oracle-tcp-bypass
policy-map global_policy
class oracle-tcp-bypass
set connection advanced-options tcp-state-bypass
service-policy global_policy global

however, in phase 6, it says the packet is inspected:

Phase: 6
Type: INSPECT
Subtype: inspect-sqlnet
Result: ALLOW
Elapsed time: 14826 ns
Config:
class-map SQLNET-INSPECTION
match access-list SQLNET-INSPECTION
policy-map global_policy
class SQLNET-INSPECTION
inspect sqlnet
service-policy global_policy global

My question is, is the packet really being bypassed or inspected for sqlnet?

Cheers,

-Rouzbeh
Additional Information:

Re: Cisco ASA sqlnet inspection

MHM Cisco World — Thu, 16 Nov 2023 00:32:15 GMT

I dont think so

Check this link for bypass inspect

https://community.cisco.com/t5/security-knowledge-base/how-to-bypass-an-application-inspection-using-modular-policy/ta-p/3109176

Re: Cisco ASA sqlnet inspection

tvotna — Thu, 16 Nov 2023 15:27:02 GMT

The packet won't be inspected. Packet-tracer is unwise sometimes. But why do you need tcp-state-bypass if you already have class-map defined for sqlnet where you can disable and enable inspection selectively? Deny in the corresponding ACL would mean "don't inspect" and permit would mean "inspect".

Re: Cisco ASA sqlnet inspection

rouzbehta — Thu, 16 Nov 2023 16:54:59 GMT

thank you!

Re: Cisco ASA sqlnet inspection

MHM Cisco World — Sun, 19 Nov 2023 20:43:06 GMT

Show service policy

This command can give you short view about if packet drop in policy or not.