We have a customized program using Sun RPC. The server is located on lower security interface, client on higher security interface (sorry, have to do this)

If we give IP any any rules on lower security interface, by examine all relative packets by wireshark, this program seems do all normal Sun RPC activities: client use a ephemeral port call server's 111 port, get portmap, end TCP session. Then client start a new TCP session and talk to server using this negotiated ports.

However, if we remove the ip any any rules on lower security interface (server side), we can only observe the port negotiation TCP session. The firewall seems forgot the negotiated ports and blocks all server to client (low to high) packets.

When we test this for NFS which is also using Sun RPC protocol, with the same interfaces and settings (client interface(security level 100) - ip any any, server interface (security level 0) - deny all), everything works fine. All packets pass the firewall and connection is stateful. All works good.

I don't really understand why this is happening, since all connection initialized by client side (higher security level) using only TCP, every thing should pass through and stateful.

The ONLY ABNOMORMAL thing about our customized program is: it using random port from 600-1000 as source negotiate port to talk to server ephemeral ports (32000-61000) for transfering data. And, the connection is through VPN. (there is no special rules or inspections used for VPN connection, without deny all on server side (low security interface), every thing works fine)

Is Cisco ASA 5510 doesn't support our Sun RPC application or is there anything I did is wrong?

Thanks for any help!