04-14-2002 05:20 PM - edited 02-20-2020 10:01 PM
Hi Everyone,
I have a problem that I need to solve. We have a 525 running version 6.11. We are trying to configure a very tight set of outgoing rules (incoming are tighter :)). Basically we have an NFS client on the inside interface and an NFS server on another interface (intf2). What we want to do is mount the NFS server from the client; now because we have denied everything entering the inside interface except for a few things + sunrpc, it doesn't work.
I read in the 4.X doc that the PIX handles RPC transparently, but it doesn't seem to be working as well as I had hoped. Basically what I want to happen is for the PIX to see the RPC query for NFS services (mountd/nfsd) and open up ports through the PIX. Now we could just manually do it, but mountd doesn't ever bind to the same port (hence RPC/portmapper).
Can anyone give me some pointers, or is there a hidden fixup protocol that I've missed?
Cheers
Dave
04-14-2002 08:40 PM
Are you permitting inbound rpc to the server IP?
04-14-2002 09:32 PM
Yes.
When I look at the firewall logs I can see the NFS client trying to connect to the NFS server on the dynamic port; however, I would have thought that the PIX would have "remembered" this RPC query and allowed the traffic through.
04-14-2002 09:57 PM
Here is some more information fresh from Cisco's website:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v42/pixrn420.htm
--snip--
RPC Use
For SunRPC, PIX Firewall now dynamically listens to the incoming and outgoing portmapper or rpcbind RPC port and creates an incoming UDP or TCP connection to a specific internal host and port for the desired service. [CSCdk29475 and CSCdk25383]
To configure NFS for inbound use:
(a) Create a static to let the outside hosts access the inside server.
(b) Create a UDP conduit for the portmapper port, UDP port 111.
(c) Create a UDP conduit for the NFS port, UDP 2049.
PIX Firewall then manages the connection dynamically. Examples of the conduit statements are:
conduit permit udp host 204.31.17.1 eq 111 any
conduit permit udp host 204.31.17.1 eq 2049 any
Notes:
A conduit for portmapper is necessary for the initial port discovery message to come to the internal network.
A conduit for the NFS port 2049 is necessary because NFS over UDP does not generate a "keep alive" message to keep the PIX Firewall from cleaning up the idle UDP connection.
All dynamically negotiated ports will allow the specific outside host to connect back to only the specific port allowed by the internal portmapper.
Microsoft's MSRPC uses TCP port 135 and requires high ports 1024-65535 to be open. Examples of the conduit statements are:
conduit permit tcp host 204.31.17.1 eq 135 any
conduit permit tcp host 204.31.17.1 range 1024 65535 any
On SunRPC, you can test for RPC traffic with the UNIX rpcinfo -u command.
While there is not a fixup command for SunRPC, PIX Firewall handles it transparently.
But it doesn't work, and I'm using access-lists???
Dave
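As an added illustration (not from the thread and not Cisco's own text), here is the release-note excerpt above translated from conduit syntax into the PIX 6.x access-list/access-group form, since the poster is using access-lists rather than conduits. The inside server address 10.1.1.5, the client address 10.1.1.20, the third-interface server 10.2.2.5 and the interface names "inside", "outside" and "intf2" are assumptions; 204.31.17.1 is the global address used in the excerpt. The first block is the inbound case the excerpt actually documents; the second block is the poster's outbound direction written in the same syntax, which permits the two fixed ports but does not by itself answer whether the dynamically negotiated mountd port is opened in that direction (the thread leaves that unresolved).

```text
! Added example, not part of the original post or of Cisco's release notes.
! Inbound case from the excerpt: inside server 10.1.1.5 (assumed) is
! published on the outside as 204.31.17.1; interface names are assumed.
static (inside,outside) 204.31.17.1 10.1.1.5 netmask 255.255.255.255
! access-list equivalents of the two conduits in the excerpt
access-list outside_in permit udp any host 204.31.17.1 eq 111
access-list outside_in permit udp any host 204.31.17.1 eq 2049
access-group outside_in in interface outside

! Poster's case (assumed addresses): NFS client 10.1.1.20 on the inside
! interface, NFS server 10.2.2.5 on the third interface intf2.
! Only portmapper and NFS are permitted outbound from inside.
access-list inside_out permit udp host 10.1.1.20 host 10.2.2.5 eq 111
access-list inside_out permit udp host 10.1.1.20 host 10.2.2.5 eq 2049
access-group inside_out in interface inside
```

After pasting the lines, "show access-list" shows a per-entry hit count, so a mount attempt should increment the port 111 and 2049 entries; "show conn" lists the UDP connections the PIX currently tracks, which is where a dynamically opened mountd connection would appear if the firewall did pick up the portmapper reply.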
04-16-2002 06:41 PM
Do any of the Cisco bods know?