01-24-2006 10:09 PM
Hi-
I've been trying to get my PIX to handle NFS traffic between Windows and Solaris 9 machines, but in vain (for 2 days now!!).
Configs:
Windows:-
Installed Windows Unix services, which has NFS utilities like mount, rpcinfo and showmount, all working fine. The Windows machine is on the outside of the firewall.
---------
Solaris:-
The rpc and nfs daemons are working fine - NFS can be accessed from another Solaris machine on the same side (inside) of the firewall.
---------
PIX:-
Cisco PIX515E Firewall Version 6.3(3)
access-list outside_access_in permit tcp 192.168.100.0 255.255.255.0 any eq sqlnet
access-list outside_access_in permit tcp host 192.168.100.55 any eq telnet
access-list outside_access_in permit tcp host 192.168.100.55 any eq ftp
access-list outside_access_in permit tcp host 192.168.100.71 any eq ftp
mtu outside 1500
mtu inside 1500
ip address outside 192.168.100.101 255.255.255.0
ip address inside 192.168.64.3 255.255.255.224
arp timeout 14400
static (inside,outside) tcp 192.168.100.106 sqlnet 192.168.32.29 sqlnet netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.100.107 sqlnet 192.168.32.30 sqlnet netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.100.106 telnet 192.168.32.29 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.100.106 ftp 192.168.32.29 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.100.107 ftp 192.168.32.30 ftp netmask 255.255.255.255 0 0
static (inside,outside) 192.168.100.106 192.168.32.29 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
conduit permit udp host 192.168.100.106 eq sunrpc host 192.168.100.71
conduit permit udp host 192.168.100.106 eq 2049 host 192.168.100.71
conduit permit icmp any any
conduit permit tcp host 192.168.100.106 eq 135 host 192.168.100.71
established tcp 135 0 permitto tcp 1024-65535 permitfrom tcp 0
route outside 0.0.0.0 0.0.0.0 192.168.100.101 1
route inside 192.168.0.0 255.255.0.0 192.168.64.3 1
---------
Tests:
From another solaris box on the inside (192.168.32.30), I run showmount -e 192.168.32.29 with success.
From the Windows machine on the outside, I get an RPC failure.
Has anybody ever succeeded in running NFS across the PIX? Much of the documentation I've come across is against this implementation.
Thanks.
Simon.
01-25-2006 12:05 AM
Hi Simon,
Never done it, but I assume that NFS will require a lot more ports than the ones that you are allowing in. The fact that your inside host needs to be wide open explains why there is so much speaking against this application.
For a start I would suggest that you allow all ip access from the outside nfs-host to the inside one:
access-list outside_access_in permit ip host 192.168.100.106 host 192.168.32.29
If that works you can start securing things up from there. Decide for yourself whether the result is acceptable.
Regards,
Leo
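Leo's "open everything, then tighten" advice is easier to act on if the server's own RPC registration table drives the rule set. The following is an added example, not code from the thread or from Cisco: it parses constructed `rpcinfo -p` output for the Solaris server and emits per-port PIX 6.x access-list lines for the outside interface, using the hosts from Simon's config (Windows client 192.168.100.71, Solaris server presented on the outside as 192.168.100.106 by the static); the dynamic port numbers in the sample are assumed.

```python
"""Derive least-privilege PIX 6.x access-list lines for NFS from `rpcinfo -p` output.

NFS is not a single port: the portmapper (111) hands out dynamic ports for
mountd, nlockmgr and status; only nfs itself sits on the fixed 2049. Addresses
are from the thread: outside client 192.168.100.71, inside server 192.168.32.29
reachable from the outside as 192.168.100.106 via the static.
"""
import re

# Constructed sample of `rpcinfo -p 192.168.32.29`; the dynamic ports
# (32771-32773) are typical of Solaris but change from boot to boot.
RPCINFO_SAMPLE = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    3   udp  32771  mountd
    100005    3   tcp  32771  mountd
    100021    4   udp  32772  nlockmgr
    100021    4   tcp  32772  nlockmgr
    100024    1   udp  32773  status
    100024    1   tcp  32773  status
"""

# RPC services a client needs to mount, read/write and lock files on an export.
NFS_SERVICES = {"portmapper", "nfs", "mountd", "nlockmgr", "status"}
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")


def parse_rpcinfo(text):
    """Return sorted (proto, port) pairs registered for NFS-related services."""
    pairs = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(5) in NFS_SERVICES:
            pairs.add((m.group(3), int(m.group(4))))
    return sorted(pairs)


def pix_acl(pairs, acl="outside_access_in", client="192.168.100.71",
            server_global="192.168.100.106"):
    """One permit per registered port. On PIX 6.x an ACL on the outside
    interface names the static's global address, not the real inside one."""
    return [f"access-list {acl} permit {proto} host {client} host {server_global} eq {port}"
            for proto, port in pairs]


if __name__ == "__main__":
    print("\n".join(pix_acl(parse_rpcinfo(RPCINFO_SAMPLE))))
```

Because mountd, nlockmgr and status register on whatever ports they get at boot, the generated list has to be regenerated after a server reboot unless those daemons are pinned to fixed ports.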