ASA SunRPC inspection

frame6500 — Mon, 11 Mar 2019 17:56:34 GMT

I would like to understand what configuration pieces need to be in place for SunRPC inspection to work properly. I have the following scenario: NFS server is on higher security interface, and NFS clients are on lower security interface. I have default sunrpc inspection enabled on UDP port 111. Also, I added TCP port 111 inspection because I saw from capture information that SUSE system were using TCP instead of UDP for port mapper process.

class-map SUNRPC-TCP
match port tcp eq sunrpc
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect sunrpc
class SUNRPC-TCP
inspect sunrpc
!
service-policy global_policy global

Clinets that use UDP are can mount file shares, but SUSE systems, which use TCP can not until I added the following command.

sunrpc-server High_Interface 10.1.1.1 255.255.255.255 service 100005 protocol TCP port 111 timeout 0:01:00

Inspecting global service policy counters confims that SUNRPC-TCP class-map does not register any hit counts.

Global policy:
Service-policy: global_policy
    Class-map: inspection_default
      Inspect: sunrpc, packet 208, drop 0, reset-drop 0
    Class-map: SUNRPC-TCP
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0

rpcinfo command on NFS server produces the following output (I removed irrelevant program numbers for this discussions):

nbmaster ## rpcinfo -p
   program vers proto   port service
    100003    2   udp   2049 nfs
    100003    3   udp   2049 nfs
    100003    2   tcp   2049 nfs
    100003    3   tcp   2049 nfs
    100005    3   tcp   1234 mountd
    100005    2   tcp   1234 mountd
    100005    1   tcp   1234 mountd
    100005    3   udp   1234 mountd
    100005    2   udp   1234 mountd
    100005    1   udp   1234 mountd
    100000    2   udp    111 rpcbind
    100000    2   tcp    111 rpcbind

I would appreciate if someone who really understands how sunrpc inspection works explains to me the follwoing questions:

1) What is exactly the purpose of sunrpc-server commands, and how are they different from service policy inspect commands?

2) Why my "SUNRPC-TCP" class-map does not seem to work, but "sunrpc-server" command seems to do the trick for systems that use TCP for port mapper process?

Thank you in advance,

ASA SunRPC inspection

sam mackenzie — Wed, 07 Mar 2012 13:56:47 GMT

Hi there, this is kind of a bump since I'm also looking at an issue with SUNRPC, which doesn't work under inspection but we have to use 1-1 NAT so suspect there's no way around this unfortunately.

Was hoping if someone who might be able to answer frame6500's questions might also be able to advise if this will ever work, and if not - why not?

I can provide specific info if required to my issue however the basic config is that two sets of servers communicate using SUNRPC and the return traffic is denied, however all we've done for configuration is to allow in the default inspection traffic SUNRPC inspection. NAT is configured also.

Thanks,

Sam

topic ASA SunRPC inspection in Network Security

ASA SunRPC inspection

ASA SunRPC inspection