05-26-2013 07:21 PM - edited 03-11-2019 06:49 PM
I don't have an ASA to test but I have a Cisco PIX running version 8.0.4 to test; however,
it is not the same thing, so I have to ask:
- Linux NFS client on the outside interface with IP address 192.168.1.1.
Default gateway for the Linux NFS client is the PIX outside interface, which is 192.168.1.254.
- Linux NFS server on the inside interface with IP address 192.168.2.1.
Default gateway for the Linux NFS server is the PIX inside interface, which is 192.168.2.254.
- PIX is operating in routed mode, NO NAT (i.e. no nat-control):
access-list outside permit icmp any any log
access-list outside permit tcp any host 192.168.2.1 eq 2049 log
access-list outside permit udp any host 192.168.2.1 eq 2049 log
access-list outside deny ip any host 192.168.2.1 log
access-list outside permit ip any any log
access-list inside deny ip any host 192.168.1.1 log
access-list inside permit ip any any log
access-group outside in interface outside
access-group inside in interface inside
inspect sunrpc
When I tried to mount NFS from the NFS client to the NFS server using NFS version 4, I see this in the log:
CiscoPix# sh log | i den
%PIX-6-106100: access-list inside denied tcp inside/192.168.2.1(974) -> outside/192.168.1.1(36613) hit-cnt 1 first hit [0xb312a524, 0x0]
CiscoPix#
So the NFS mount is NOT working.
Does ASA support NFS mount version 4? If so, in what version of ASA?
05-26-2013 11:44 PM
Hello David,
I've got to admit I have zero experience with the Network File System utility, but what I can tell is the following.
From outside to inside you are allowing traffic to tcp/udp port 2049 on the server.
The drop being shown is the following:
tcp inside/192.168.2.1(974) -> outside/192.168.1.1(36613)
The port is 974, which is different from the one permitted, so the stateful inspection will not be triggered, and you are denying any traffic from the inside to the client unless it is a reply to an existing connection.
Modify the inside ACL and let me know.
Regards
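To make the stateful-ACL argument in this answer concrete, here is a small Python model. It is added by the editor and is not part of the thread or of any Cisco code: it parses the %PIX-6-106100 line from the first post, replays the NFS mount through a toy connection table plus the two access lists exactly as posted, and then replays it again with a host-to-host permit added at the top of the inside ACL. Assumptions, all mine: the client's own NFS source port (1009) is made up; sunrpc inspection pinholes are deliberately not modelled, since PIX/ASA opens those from portmapper (port 111) replies and NFSv4 talks to the fixed port 2049 without going through portmapper; and the denied 974 -> 36613 connection is treated as a fresh server-initiated TCP connection, which is my reading of an NFSv4.0 callback (RFC 3530 has the server connect to the callback address the client supplies in SETCLIENTID), not something the thread establishes.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the syslog line quoted in the first post of the thread.
SAMPLE_LOG = ("%PIX-6-106100: access-list inside denied tcp inside/192.168.2.1(974) "
              "-> outside/192.168.1.1(36613) hit-cnt 1 first hit [0xb312a524, 0x0]")

LOG_106100 = re.compile(
    r"%PIX-6-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<in_if>\w+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<out_if>\w+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)")


def parse_106100(line):
    """Extract verdict and 5-tuple from a %PIX-6-106100 line; None if it is not one."""
    m = LOG_106100.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


@dataclass(frozen=True)
class Ace:
    """One access-list entry; 'any' for src/dst, None for dport means any port."""
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

    def matches(self, proto, src, dst, dport):
        return ((self.proto == "ip" or self.proto == proto)
                and self.src in ("any", src)
                and self.dst in ("any", dst)
                and (self.dport is None or self.dport == dport))


def acl_verdict(acl, proto, src, dst, dport):
    """First-match evaluation with the implicit deny at the end, as on PIX/ASA."""
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action
    return "deny"


class StatefulFirewall:
    """Toy model: a packet whose reverse 5-tuple is in the connection table is a
    reply and bypasses the ACL; anything else is a new connection and must pass
    the ingress interface's ACL. Inspection pinholes are intentionally absent."""

    def __init__(self, acls):
        self.acls = acls       # interface name -> list of Ace
        self.conns = set()     # (proto, src, sport, dst, dport)

    def packet(self, ingress, proto, src, sport, dst, dport):
        if (proto, dst, dport, src, sport) in self.conns:
            return "permit (reply to existing connection)"
        if acl_verdict(self.acls[ingress], proto, src, dst, dport) == "permit":
            self.conns.add((proto, src, sport, dst, dport))
            return "permit (new connection)"
        return f"deny (access-list {ingress})"


# The two access lists exactly as posted in the question.
OUTSIDE = [Ace("permit", "icmp", "any", "any"),
           Ace("permit", "tcp", "any", "192.168.2.1", 2049),
           Ace("permit", "udp", "any", "192.168.2.1", 2049),
           Ace("deny", "ip", "any", "192.168.2.1"),
           Ace("permit", "ip", "any", "any")]
INSIDE = [Ace("deny", "ip", "any", "192.168.1.1"),
          Ace("permit", "ip", "any", "any")]
# Hypothetical fix: let the server open connections to the client, ahead of the deny.
FIXED_INSIDE = [Ace("permit", "tcp", "192.168.2.1", "192.168.1.1")] + INSIDE


def replay(log_line, inside_acl=INSIDE, client_port=1009):
    """Replay the mount: client -> 2049, the server's reply, then the logged flow."""
    denied = parse_106100(log_line)
    fw = StatefulFirewall({"outside": OUTSIDE, "inside": inside_acl})
    out = {}
    out["mount"] = fw.packet("outside", "tcp", "192.168.1.1", client_port, "192.168.2.1", 2049)
    out["mount_reply"] = fw.packet("inside", "tcp", "192.168.2.1", 2049, "192.168.1.1", client_port)
    out["logged_flow"] = fw.packet("inside", denied["proto"], denied["src"], denied["sport"],
                                   denied["dst"], denied["dport"])
    return out


if __name__ == "__main__":
    for name, acl in (("as posted", INSIDE), ("with host-to-host permit", FIXED_INSIDE)):
        print(f"inside ACL {name}:")
        for step, verdict in replay(SAMPLE_LOG, acl).items():
            print(f"  {step:12s} {verdict}")
```

Run as posted, the third verdict reproduces the syslog line: the 974 -> 36613 packet has no matching connection in the table (the only entry is client port -> 2049), so it is a new inside-originated connection and the inside ACL's first line denies it. With the extra ACE in front of the deny, the same packet is accepted as a new connection. On an ASA the equivalent on-box check is `packet-tracer input inside tcp 192.168.2.1 974 192.168.1.1 36613`, which shows which ACL line, if any, drops the flow.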
05-27-2013 09:26 AM
jcarvaja wrote:
Hello David,
I've got to admit I have zero experience with the Network File System utility, but what I can tell is the following.
The port is 974, which is different from the one permitted, so the stateful inspection will not be triggered, and you are denying any traffic from the inside to the client unless it is a reply to an existing connection.
This is a reply to an existing connection. That's what "inspect sunrpc" is supposed to do. By the way, NFS version 3 works fine, so I am inclined to think that version 8.0(4) does NOT support NFS version 4, but I cannot test with the latest code because I don't have an ASA to test.