NFS across PIX firewall

cswaibale
Level 1

Hi-

I've been trying to get my PIX to handle NFS traffic between Windows and Solaris 9 machines, but in vain (for 2 days now!!).

Configs:

Windows:-

Installed Windows Unix services, which have NFS utilities like mount, rpcinfo and showmount, all of which are working fine. The Windows machine is on the outside of the firewall.

---------

Solaris:-

The rpc and nfs daemons are working fine; NFS can be accessed from another Solaris machine on the same side (inside) of the firewall.

---------

PIX:-

Cisco PIX515E Firewall Version 6.3(3)

access-list outside_access_in permit tcp 192.168.100.0 255.255.255.0 any eq sqlnet

access-list outside_access_in permit tcp host 192.168.100.55 any eq telnet

access-list outside_access_in permit tcp host 192.168.100.55 any eq ftp

access-list outside_access_in permit tcp host 192.168.100.71 any eq ftp

mtu outside 1500

mtu inside 1500

ip address outside 192.168.100.101 255.255.255.0

ip address inside 192.168.64.3 255.255.255.224

arp timeout 14400

static (inside,outside) tcp 192.168.100.106 sqlnet 192.168.32.29 sqlnet netmask 255.255.255.255 0 0

static (inside,outside) tcp 192.168.100.107 sqlnet 192.168.32.30 sqlnet netmask 255.255.255.255 0 0

static (inside,outside) tcp 192.168.100.106 telnet 192.168.32.29 telnet netmask 255.255.255.255 0 0

static (inside,outside) tcp 192.168.100.106 ftp 192.168.32.29 ftp netmask 255.255.255.255 0 0

static (inside,outside) tcp 192.168.100.107 ftp 192.168.32.30 ftp netmask 255.255.255.255 0 0

static (inside,outside) 192.168.100.106 192.168.32.29 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

conduit permit udp host 192.168.100.106 eq sunrpc host 192.168.100.71

conduit permit udp host 192.168.100.106 eq 2049 host 192.168.100.71

conduit permit icmp any any

conduit permit tcp host 192.168.100.106 eq 135 host 192.168.100.71

established tcp 135 0 permitto tcp 1024-65535 permitfrom tcp 0

route outside 0.0.0.0 0.0.0.0 192.168.100.101 1

route inside 192.168.0.0 255.255.0.0 192.168.64.3 1

---------

Tests:

From another Solaris box on the inside (192.168.32.30), I run showmount -e 192.168.32.29 with success.

From the Windows machine on the outside, I get an RPC failure.

Has anybody ever succeeded in running NFS across the PIX? Much of the documentation I've come across is against this implementation.

Thanks.

Simon.

1 Reply

lgijssel
Level 9

Hi Simon,

Never done it, but I assume that NFS will require a lot more ports than the ones that you are allowing in. The fact that your inside host needs to be wide open explains why there is so much speaking against this application.

For a start I would suggest that you allow all IP access from the outside NFS host to the inside one:

access-list outside_access_in permit ip host 192.168.100.106 host 192.168.32.29

If that works you can start securing things up from there. Decide for yourself whether the result is acceptable.

Regards,

Leo
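A way to reason about both the original rule set and the "open it up, then tighten" approach from the reply is to check the rules statically against the NFS ports before touching the firewall. The script below is an added example, not code from the thread or from Cisco: it parses the access-list and conduit lines exactly as posted above (the conduit form lists the global, i.e. translated, address first, and outside-interface rules on PIX 6.3 are written against translated addresses, so the Solaris server is addressed as 192.168.100.106), evaluates first-match lookups for the fixed NFS ports (portmapper 111 and nfsd 2049 on both UDP and TCP, which are standard assignments), and flags rules that open every port to a host, which is what the reply's `permit ip` line does. mountd, lockd and statd take dynamic ports from the portmapper, so a static check cannot prove them reachable; the script says so rather than guessing. The sample rule text is copied from the thread; the client/server addresses passed to `check_nfs` are the thread's Windows host and the server's static global address.

```python
"""Static coverage check of PIX 6.3-style access-list / conduit rules against
the fixed NFS ports. Added example; the rule text is copied from the thread."""
import ipaddress

# Service keywords PIX accepts instead of numeric ports (subset used here).
SERVICE_PORTS = {"sunrpc": 111, "nfs": 2049, "sqlnet": 1521, "telnet": 23,
                 "ftp": 21, "http": 80}

# Fixed-port NFS components on both transports. mountd, lockd and statd are
# assigned dynamic ports by the portmapper and are deliberately not listed.
NFS_FLOWS = [("udp", 111, "portmapper"), ("tcp", 111, "portmapper"),
             ("udp", 2049, "nfsd"), ("tcp", 2049, "nfsd")]

# Rules as posted in the question (static/route/established lines are ignored).
PIX_CONFIG = """
access-list outside_access_in permit tcp 192.168.100.0 255.255.255.0 any eq sqlnet
access-list outside_access_in permit tcp host 192.168.100.55 any eq telnet
access-list outside_access_in permit tcp host 192.168.100.55 any eq ftp
access-list outside_access_in permit tcp host 192.168.100.71 any eq ftp
conduit permit udp host 192.168.100.106 eq sunrpc host 192.168.100.71
conduit permit udp host 192.168.100.106 eq 2049 host 192.168.100.71
conduit permit icmp any any
conduit permit tcp host 192.168.100.106 eq 135 host 192.168.100.71
"""
# The line suggested in the reply, kept separate so it can be reviewed on its own.
PROPOSED_RULE = "access-list outside_access_in permit ip host 192.168.100.106 host 192.168.32.29"


def _port(tok):
    return int(tok) if tok.isdigit() else SERVICE_PORTS[tok]


def _addr(tokens, i):
    """Consume 'any', 'host A' or 'A MASK' at tokens[i]; return (network, next i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tokens[i] + "/" + tokens[i + 1], strict=False), i + 2


def _eq_port(tokens, i):
    """Consume an optional 'eq PORT' at tokens[i]; return (port or None, next i)."""
    if i < len(tokens) and tokens[i] == "eq":
        return _port(tokens[i + 1]), i + 2
    return None, i


def parse_rule(line):
    """Normalize one line to {action, proto, src, dst, dport, text}, or None.
    access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]
    conduit permit|deny PROTO GLOBAL(dst) [eq P] FOREIGN(src) [eq P]"""
    t = line.split()
    if not t:
        return None
    if t[0] == "access-list":
        action, proto, i = t[2], t[3], 4
        src, i = _addr(t, i)
        _, i = _eq_port(t, i)          # source port operator, not evaluated here
        dst, i = _addr(t, i)
        dport, _ = _eq_port(t, i)
    elif t[0] == "conduit":
        action, proto, i = t[1], t[2], 3
        dst, i = _addr(t, i)           # conduit names the global (destination) side first
        dport, i = _eq_port(t, i)
        src, _ = _addr(t, i)
    else:
        return None
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "text": line.strip()}


def load_rules(config_text):
    return [r for r in map(parse_rule, config_text.splitlines()) if r]


def first_match(rules, proto, src_ip, dst_ip, dport):
    """First-match evaluation in listed order; returns the rule dict or None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if s not in r["src"] or d not in r["dst"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r
    return None


def check_nfs(rules, client_ip, server_global_ip):
    """Map 'proto/port' -> True when a permit rule matches that NFS flow."""
    out = {}
    for proto, port, _name in NFS_FLOWS:
        r = first_match(rules, proto, client_ip, server_global_ip, port)
        out[f"{proto}/{port}"] = r is not None and r["action"] == "permit"
    return out


def broad_rules(rules):
    """Permit rules with no port restriction: the 'wide open' entries worth
    revisiting once the mount works."""
    return [r["text"] for r in rules if r["action"] == "permit" and r["dport"] is None]


if __name__ == "__main__":
    rules = load_rules(PIX_CONFIG)
    for flow, ok in check_nfs(rules, "192.168.100.71", "192.168.100.106").items():
        print(f"{flow:9} {'permitted' if ok else 'NOT permitted'}")
    print("dynamic-port services (mountd/lockd/statd): not statically checkable")
    print("port-unrestricted permits:", broad_rules(rules + load_rules(PROPOSED_RULE)))
```

Run against the posted configuration the check reports udp/111 and udp/2049 permitted and the TCP equivalents not, which is a useful first fact to have before broadening anything; the broad-rule list then shows exactly which entries (the icmp conduit and the proposed `permit ip` line) grant more than a single port and should be the first candidates when securing things up afterwards.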