03-21-2012 04:07 PM - edited 03-11-2019 03:45 PM
We have a customized program using Sun RPC. The server is located on the lower security interface, the client on the higher security interface (sorry, have to do this).
If we give ip any any rules on the lower security interface, then by examining all relevant packets with Wireshark, this program seems to do all the normal Sun RPC activities: the client uses an ephemeral port to call the server's port 111, gets the portmap, and ends the TCP session. Then the client starts a new TCP session and talks to the server using these negotiated ports.
However, if we remove the ip any any rules on the lower security interface (server side), we can only observe the port negotiation TCP session. The firewall seems to forget the negotiated ports and blocks all server-to-client (low to high) packets.
When we test this with NFS, which also uses the Sun RPC protocol, with the same interfaces and settings (client interface (security level 100) - ip any any, server interface (security level 0) - deny all), everything works fine. All packets pass the firewall and the connection is stateful. All works well.
I don't really understand why this is happening, since every connection is initialized by the client side (higher security level) using only TCP; everything should pass through and be stateful.
The ONLY ABNORMAL thing about our customized program is: it uses a random port from 600-1000 as the negotiated source port to talk to the server's ephemeral ports (32000-61000) for transferring data. And the connection is through a VPN. (There are no special rules or inspections used for the VPN connection; without deny all on the server side (low security interface), everything works fine.)
Does the Cisco ASA 5510 not support our Sun RPC application, or is there anything I did wrong?
Thanks for any help!
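To make concrete what the firewall would have to learn from the port-111 session in order to open a pinhole for the follow-on data session, here is an added example (not code from the original post or from the poster's application) that encodes and decodes a portmapper PMAPPROC_GETPORT call and reply as they travel over TCP (RPC v2 message layout and record marking per RFC 5531, portmapper program 100000 version 2). The sample exchange at the bottom is constructed for the example: it asks where NFS (program 100003, version 3) over TCP lives and gets back 2049; the second call uses program number 0x20000001, a hypothetical private program number in the user-defined range, to show the "not registered" answer. Any inspector that wants to track the negotiated port has to parse exactly these fields.

```python
import struct

# Portmapper and RPC v2 constants (RFC 5531 / RFC 1833).
PMAP_PROG, PMAP_VERS = 100000, 2
PMAPPROC_GETPORT = 3
IPPROTO_TCP, IPPROTO_UDP = 6, 17
MSG_CALL, MSG_REPLY = 0, 1
MSG_ACCEPTED, SUCCESS = 0, 0
LAST_FRAGMENT = 0x80000000  # high bit of the TCP record-marking header


def _frame(body):
    """Wrap an RPC message in a single-fragment TCP record header."""
    return struct.pack(">I", LAST_FRAGMENT | len(body)) + body


def _unframe(record):
    """Strip the record header; reject multi-fragment or truncated records."""
    (hdr,) = struct.unpack(">I", record[:4])
    if not hdr & LAST_FRAGMENT:
        raise ValueError("multi-fragment records not supported here")
    length = hdr & 0x7FFFFFFF
    body = record[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated record")
    return body


def build_getport_call(xid, prog, vers, proto=IPPROTO_TCP):
    """Encode a GETPORT call asking the portmapper where prog/vers/proto is listening."""
    body = struct.pack(">IIIIII", xid, MSG_CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    body += struct.pack(">IIII", 0, 0, 0, 0)            # cred and verf: AUTH_NONE, zero-length
    body += struct.pack(">IIII", prog, vers, proto, 0)   # mapping args; port is ignored for GETPORT
    return _frame(body)


def parse_getport_call(record):
    """Decode a GETPORT call; returns the xid and the (prog, vers, proto) being looked up."""
    body = _unframe(record)
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack(">IIIIII", body[:24])
    if mtype != MSG_CALL or rpcvers != 2:
        raise ValueError("not an RPC v2 call")
    if (prog, vers, proc) != (PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT):
        raise ValueError("not a portmapper GETPORT call")
    off = 24
    for _ in range(2):  # skip the two opaque_auth structures (flavor, length, padded body)
        _flavor, alen = struct.unpack(">II", body[off:off + 8])
        off += 8 + ((alen + 3) & ~3)
    tprog, tvers, tproto, _port = struct.unpack(">IIII", body[off:off + 16])
    return {"xid": xid, "prog": tprog, "vers": tvers, "proto": tproto}


def build_getport_reply(xid, port):
    """Encode an accepted GETPORT reply carrying the port (0 means 'not registered')."""
    body = struct.pack(">IIIIII", xid, MSG_REPLY, MSG_ACCEPTED, 0, 0, SUCCESS)
    body += struct.pack(">I", port)
    return _frame(body)


def parse_getport_reply(record, expected_xid):
    """Decode a GETPORT reply matching expected_xid and return the port."""
    body = _unframe(record)
    xid, mtype, rstat = struct.unpack(">III", body[:12])
    if xid != expected_xid or mtype != MSG_REPLY or rstat != MSG_ACCEPTED:
        raise ValueError("unexpected or rejected reply")
    _flavor, vlen = struct.unpack(">II", body[12:20])   # verifier, padded to 4 bytes
    off = 20 + ((vlen + 3) & ~3)
    (astat,) = struct.unpack(">I", body[off:off + 4])
    if astat != SUCCESS:
        raise ValueError("call not successful")
    (port,) = struct.unpack(">I", body[off + 4:off + 8])
    return port


def pinhole_from_exchange(call_record, reply_record):
    """What a stateful inspector must learn from the port-111 session: (proto, port) to
    allow for the next session, or None when the service is not registered."""
    call = parse_getport_call(call_record)
    port = parse_getport_reply(reply_record, call["xid"])
    return None if port == 0 else (call["proto"], port)


# Constructed sample exchange (not a capture from the poster's network):
# client asks where NFS v3 over TCP lives, server answers 2049.
SAMPLE_CALL = build_getport_call(0x1234ABCD, 100003, 3, IPPROTO_TCP)
SAMPLE_REPLY = build_getport_reply(0x1234ABCD, 2049)

# Hypothetical private program number (user-defined range 0x20000000-0x3fffffff)
# that the server has not registered, so the portmapper answers port 0.
UNREGISTERED_CALL = build_getport_call(7, 0x20000001, 1, IPPROTO_TCP)
UNREGISTERED_REPLY = build_getport_reply(7, 0)

if __name__ == "__main__":
    print(pinhole_from_exchange(SAMPLE_CALL, SAMPLE_REPLY))
    print(pinhole_from_exchange(UNREGISTERED_CALL, UNREGISTERED_REPLY))
```

The important point for the question above is that nothing in the data session itself refers back to the portmapper exchange: the only link between the two TCP sessions is the (program, version, protocol) to port mapping in the reply, so a firewall that does not parse these bytes, or does not apply that parsing on the path the packets actually take, sees the second session as an unrelated new connection.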
03-21-2012 04:42 PM
Just found out: it is because of the VPN. The VPN will not automatically allow TCP packets coming back. Is there any solution for that? Or any options I can tune with the VPN settings?