12-18-2002 09:10 AM - edited 02-20-2020 10:26 PM
I have problems getting NFS (especially mountd) through a PIX. The NFS host is in a test segment which is separated from our intranet by a PIX. Our default policy is to disallow anything, except for some protocols (ports) to defined hosts (this is true for any direction).
Now I have a problem with the NFS setup. I know I need rules for NFS (tcp/udp 2049), for portmapper (tcp/udp sunrpc/111), and for mountd and statd. The problem with mountd and statd is that they do not have fixed port numbers. How can I configure this? I thought the PIX inspects the portmapper traffic and helps me define dynamic rules for the needed ports, but this seems to be wrong.
Any idea what I can do? I hate the idea of opening the firewall for large port ranges.
Regards Peter
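The usual way out of the dynamic-port problem described above is to pin mountd, statd and the lock manager to fixed ports on the NFS server and then write ordinary host-to-host rules for exactly those ports. The script below is an added example, not part of the original thread or any Cisco documentation. It assumes a Linux NFS server (on Linux the pins are `rpc.mountd -p PORT`, `rpc.statd -p PORT` and the `lockd` module options `nlm_tcpport`/`nlm_udpport`), parses a constructed sample of `rpcinfo -p` output, checks that the pins actually took effect, and emits PIX `access-list` lines for a hypothetical client 10.1.1.5 and server 192.168.1.10. The port numbers, addresses and ACL name are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: derive PIX access-list lines from the RPC services an NFS
# server actually registered, after mountd/statd/lockd were pinned.
# On a real server replace SAMPLE_RPCINFO with: rpcinfo -p <server>
# Assumed Linux pins (hypothetical values):
#   rpc.mountd -p 32767 ; rpc.statd -p 32765 ; lockd nlm_tcpport=32766 nlm_udpport=32766

# Constructed sample of `rpcinfo -p` output (not a real capture).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32765  status
    100024    1   tcp  32765  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp  32767  mountd
    100005    1   tcp  32767  mountd
    100005    3   udp  32767  mountd
    100005    3   tcp  32767  mountd
    100021    1   udp  32766  nlockmgr
    100021    4   tcp  32766  nlockmgr'

# nfs_ports: print unique "proto port service" triples for the RPC programs
# an NFS mount needs (portmapper, nfs, mountd, statd/status, lock manager).
# Multiple program versions on the same port collapse to one line.
nfs_ports() {
    printf '%s\n' "$SAMPLE_RPCINFO" | awk '
        $5 ~ /^(portmapper|nfs|mountd|status|nlockmgr)$/ { print $3, $4, $5 }' | sort -u
}

# check_pins MOUNTD_PORT STATUS_PORT NLOCKMGR_PORT
# Succeeds only if every registration of the three services without fixed
# IANA ports sits on the port we pinned. If this fails, the daemon ignored
# the pin (or restarted without it) and the firewall rules below are wrong.
check_pins() {
    nfs_ports | awk -v m="$1" -v s="$2" -v l="$3" '
        $3 == "mountd"   && $2 != m { bad++ }
        $3 == "status"   && $2 != s { bad++ }
        $3 == "nlockmgr" && $2 != l { bad++ }
        END { exit (bad > 0) }'
}

# pix_acl CLIENT SERVER ACL_NAME
# Emit one PIX 6.x style access-list entry per proto/port, host-to-host only,
# so nothing beyond the registered NFS ports is opened.
pix_acl() {
    client=$1; server=$2; acl=$3
    nfs_ports | while read -r proto port svc; do
        printf 'access-list %s permit %s host %s host %s eq %s\n' \
            "$acl" "$proto" "$client" "$server" "$port"
    done
}

# Stand-alone run: verify pins, then print the ACL to paste into the PIX.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    if check_pins 32767 32765 32766; then
        pix_acl 10.1.1.5 192.168.1.10 dmz_in
    else
        echo "pinned ports not in effect; re-run rpcinfo and fix the server" >&2
    fi
fi
```

Run it on the output of a real `rpcinfo -p` only after the server has been rebooted once with the pins in place, since the whole point of the check is that a daemon which silently falls back to a random port will not match the access-list. Remember to add the matching `access-group` on the intranet-facing interface, and that NFSv3 callbacks from the server (statd notifications, lock grants) need rules in the other direction too.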
12-18-2002 09:51 AM
Hi,
I have no experience with NFS, but the PIX only inspects port negotiations for the following protocols (the "fixup" command is used for this):
fixup protocol ftp [strict] [port]
fixup protocol http [port[-port]
fixup protocol h323 {h225 | ras} port [-port]
fixup protocol ils [port[-port]]
fixup protocol rsh [514]
fixup protocol rtsp [port]
fixup protocol sip [5060]
fixup protocol skinny [2000]
fixup protocol smtp [port[-port]]
fixup protocol sqlnet [port[-port]]
fixup protocol skinny port [-port]
Kind Regards,
Tom
12-19-2002 12:02 AM
Yes, I also noticed this, but I was puzzled by the following line (out of write t):
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
So there is a timeout value for rpc. If the PIX does not notice the RPC protocol, why is there a timeout?
Out of the command reference for timeout:
... The timeout command sets the idle time for connection, translation UDP, RPC,...
So RPC is known.
If you check out the global command:
...PAT works with DNS, FTP, ..., RPC, rshell,...
So why is RPC mentioned? I cannot believe that RPC only means a simple connection to the portmapper.
Maybe somebody from Cisco can answer this question?
Regards Peter