Can I disable "inspect sqlnet"?

epatrickwhite
Level 1

In a recent Cisco Security Advisory (Advisory ID: cisco-sa-20131009-asa) there is a "SQL*Net Inspection Engine Denial of Service Vulnerability" identified.  I plan to follow the upgrade process to resolve this, however, I will not be able to perform the upgrade for a couple of weeks.

The temporary work around suggested is to disable SQL*Net inspection:

ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# no inspect sqlnet

This seems simple enough, but I am banging my head on the desk trying to figure out how this will affect any database traffic that may be going through these interfaces.  If the default sqlnet inspection is disabled, does that mean I need to add explicit ACL entries per interface to allow that traffic?  I've reviewed the information from this thread: https://supportforums.cisco.com/thread/2005571

I know there are SQL and Oracle databases on this particular segment, but what confuses me is that there are no rules configured to NAT anything right now.  Is there some sort of way to see if any traffic even matches that default inspection so I know whether it's doing anything right now?

I seem to be overthinking this because I keep going in circles with my own reasoning.  I'm not sure what config information to include with my question.  I can tell you that there are many interfaces in use.  There is no NAT.  There are multiple security levels.

Thank you in advance.

Accepted Solution

you can check the number of packets (if any) that matched that inspection:

show service-policy

Patrick

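The counters that "show service-policy" prints next to each "Inspect:" line are cumulative since the last reload or "clear service-policy", so one snapshot only tells you whether the engine has ever matched anything. Taking two snapshots some time apart and comparing them tells you whether it is matching traffic now. The script below is an added example, not code from the original thread or from Cisco: it parses two constructed snapshots written in the style of ASA output (field names and their order differ between ASA releases, so the parser keys only on the "Inspect: <name>" label and the "packet <n>" counter) and classifies each engine as never matched, idle, or active. The snapshot text, the status names and the function names are all assumptions made for the example.

```python
"""Classify ASA inspection engines by comparing two 'show service-policy'
snapshots taken some time apart (added example, not Cisco's code).

The per-engine "packet" counter is cumulative since the last reload or
'clear service-policy', so the delta between snapshots, not the absolute
value, says whether the engine is matching traffic right now.
"""
import re
from typing import Dict

# Matches lines such as:
#   Inspect: sqlnet, packet 3804, drop 0, reset-drop 0
#   Inspect: dns preset_dns_map, packet 185321, drop 0, reset-drop 0
# Only the engine name and the cumulative packet counter are captured, so
# extra or reordered fields in other ASA releases do not break the parser.
INSPECT_LINE = re.compile(r"^\s*Inspect:\s+(\S+?),?\s.*?\bpacket\s+(\d+)", re.MULTILINE)

NEVER_MATCHED = "NEVER_MATCHED"    # counter is 0: engine has never seen a packet
IDLE = "IDLE"                      # counter > 0 but unchanged between snapshots
ACTIVE = "ACTIVE"                  # counter grew between snapshots
NOT_CONFIGURED = "NOT_CONFIGURED"  # no "Inspect: <name>" line in the policy

# Constructed sample snapshots in the style of 'show service-policy' output
# for the default global_policy; the numbers are invented for the example.
SNAPSHOT_T0 = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 185321, drop 0, reset-drop 0
      Inspect: ftp, packet 4120, drop 0, reset-drop 0
      Inspect: sqlnet, packet 3804, drop 0, reset-drop 0
      Inspect: tftp, packet 12, drop 0, reset-drop 0
"""

SNAPSHOT_T1 = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 186002, drop 0, reset-drop 0
      Inspect: ftp, packet 4131, drop 0, reset-drop 0
      Inspect: sqlnet, packet 3804, drop 0, reset-drop 0
      Inspect: tftp, packet 12, drop 0, reset-drop 0
"""


def parse_inspect_counters(show_output: str) -> Dict[str, int]:
    """Return {engine_name: cumulative_packet_count} for every Inspect: line."""
    return {m.group(1).lower(): int(m.group(2)) for m in INSPECT_LINE.finditer(show_output)}


def inspection_status(name: str, before_text: str, after_text: str) -> str:
    """Classify one engine from two snapshots taken before/after a wait."""
    name = name.lower()
    before = parse_inspect_counters(before_text)
    after = parse_inspect_counters(after_text)
    if name not in before or name not in after:
        return NOT_CONFIGURED
    b, a = before[name], after[name]
    if a < b:
        # Counters went backwards: a reload or 'clear service-policy' happened
        # in between, so only the second snapshot is a usable observation.
        return ACTIVE if a > 0 else NEVER_MATCHED
    if a == 0:
        return NEVER_MATCHED
    if a == b:
        return IDLE
    return ACTIVE


def report(before_text: str, after_text: str) -> Dict[str, str]:
    """Status for every engine present in either snapshot."""
    names = set(parse_inspect_counters(before_text)) | set(parse_inspect_counters(after_text))
    return {n: inspection_status(n, before_text, after_text) for n in sorted(names)}


if __name__ == "__main__":
    for engine, status in report(SNAPSHOT_T0, SNAPSHOT_T1).items():
        print(f"{engine:8s} {status}")
```

Run "show service-policy" once, wait through a representative stretch of business hours, run it again and feed both outputs to the script. In the constructed data above sqlnet comes back IDLE: it has matched in the past but nothing during the window, so a longer window (or clearing the counters and re-checking) is warranted before treating it as unused. Two caveats for reading the result: the default inspection_default class only sends TCP/1521 to the SQL*Net engine, so Oracle listeners on other ports were never being inspected and do not show up in this counter at all; and the engine's job is to open pinholes for the listener's redirect to a dynamically assigned port, so a host whose sessions were relying on that redirect would need an explicit ACL entry once inspection is turned off, while plain TCP/1521 sessions permitted by ACL keep working either way.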

2 Replies


Patrick,

Thank you!  This was exactly what I was asking for.  In my post I asked the question "Is there some sort of way to see if any traffic even matches that default inspection." 

That is all I needed.  I don't know why I couldn't find how to show this information.
