topic SQL Inspect Issue... in Network Security

SQL Inspect Issue...

yogesh.suryawanshi — Tue, 12 Mar 2019 00:06:24 GMT

Hi All,

we do have ASA 5510 with IOS Version 8.0(4).User from inside connects to SQL database in customer place which is at outside. Users can run smaller database queries however they can not run logners queries & get ora-03113 error on client.

we found sql inspect reset increasing by 1 when user tries to connect each time.

Do that mean we need to disable / remote sql inspect form global service policy. Following is policy config.

Need expert advise on following.

1. Do we need to remove sql inspect from service policy

2. will their be any impact while removing policy

3. Is their any way to bypass this specific flow the sql inspect (because dont know if other communications / users may need it)

4. steps to remove sql inspect

Please help..

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

Global policy:

Service-policy: global_policy

Class-map: inspection_default

Inspect: dns preset_dns_map, packet 632, drop 0, reset-drop 0

Inspect: ftp, packet 240935, drop 0, reset-drop 0

Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0

Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0

Inspect: rsh, packet 0, drop 0, reset-drop 0

Inspect: rtsp, packet 0, drop 0, reset-drop 0

Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0

Inspect: sqlnet, packet 1817867, drop 0, reset-drop 1796

Inspect: skinny , packet 0, drop 0, reset-drop 0

Inspect: sunrpc, packet 0, drop 0, reset-drop 0

Inspect: xdmcp, packet 0, drop 0, reset-drop 0

Inspect: sip , packet 0, drop 0, reset-drop 0

Inspect: netbios, packet 285, drop 0, reset-drop 0

Inspect: tftp, packet 4894, drop 0, reset-drop 0

SQL Inspect Issue...

Harish Balakrishnan — Tue, 09 Oct 2012 05:53:40 GMT

Hello Yogesh,

Since you are seeing the reset in sqlnet everytime the issue happens, its a good try to remove the inspection for testing.

Are you doing NAT for the sql server in the ASA ? and do you have any other ASA at the other end ( then you need to remove the inspection from their end as well) make sure that you have proper permission both inbound and outbound direction for both sql server and the client

you can remove the inspection as follows

policy-map global_policy

class inspection_default

no inspect sqlnet

exi

clear local-host all

Regards

Harish.

SQL Inspect Issue...

yogesh.suryawanshi — Tue, 09 Oct 2012 06:07:13 GMT

Thanks Harish for quick response. Will their be any kind of distruption while removing sql inspect?

we are not doing natting for SQL server but yes at customer end their are some sort of nattings & multipule firewalls (juniper , asa etc). Is their any way we can simulate & know what is causing SQL inspect reset?

SQL Inspect Issue...

Harish Balakrishnan — Tue, 09 Oct 2012 06:16:59 GMT

Hello Yogesh,

It may reset the connection while removing the command but after that, there is no negetive impact.

coming back to you issue, when SQL inspection is on, ASA will reduce the client window size 65000 to about 16000 which impact the data transfer, i guess that is what you are experiancing now. Please make sure that you are disabling this in all the firewall on the patch and take care of the outside - inside communication as well ( Preferebly all UDP/TCP).

Please let me know if you have any other questions

Harish.

SQL Inspect Issue...

yogesh.suryawanshi — Tue, 09 Oct 2012 06:59:00 GMT

Thanks Harish.

Is their any way to bypass sqlinspect for particular source & destination. If Yes Kindly guide

Regards

Yogesh

SQL Inspect Issue...

Harish Balakrishnan — Tue, 09 Oct 2012 07:08:17 GMT

Hello Yogesh,

That can be done as follows

access-list acl_sql_inspect deny tcp any

access-list acl_sql_inspect permit tcp any any

class-map inspect_sql

match access-list acl_sql_inspect

policy-map global_policy

class inspection_default

no inspect sqlnet

class-map inspect_sql

inspect sqlnet

service-policy global_policy global

so it will only bypass the inspection for your prefered traffic defined in the acl

Harish.