Sun Rpc Inspection Overview; Managing Sun Rpc Services - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
Chapter 15
Inspection of Database, Directory, and Management Protocols

SQL*Net Version 1 is assumed for all other cases. TNSFrame types (Connect, Accept, Refuse, Resend, Marker, Redirect, and Data) and all packets will be scanned for ports and addresses. Addresses will be translated and port connections will be opened.
For information on enabling SQL*Net inspection, see Configure Application Layer Protocol Inspection, page 12-9.

Sun RPC Inspection

This section describes Sun RPC application inspection.
• Sun RPC Inspection Overview, page 15-19
• Managing Sun RPC Services, page 15-19
• Verifying and Monitoring Sun RPC Inspection, page 15-20

Sun RPC Inspection Overview

The Sun RPC inspection engine enables or disables application inspection for the Sun RPC protocol. Sun RPC is used by NFS and NIS. Sun RPC services can run on any port. When a client attempts to access a Sun RPC service on a server, it must learn the port that service is running on. It does this by querying the port mapper process, usually rpcbind, on the well-known port of 111.
The client sends the Sun RPC program number of the service and the port mapper process responds with the port number of the service. The client sends its Sun RPC queries to the server, specifying the port identified by the port mapper process. When the server replies, the ASA intercepts this packet and opens both embryonic TCP and UDP connections on that port.

Tip: Sun RPC inspection is enabled by default. You simply need to manage the Sun RPC server table to identify which services are allowed to traverse the firewall. For information on enabling Sun RPC inspection, see Configure Application Layer Protocol Inspection, page 12-9.

The following limitations apply to Sun RPC inspection:
• NAT or PAT of Sun RPC payload information is not supported.
• Sun RPC inspection supports inbound ACLs only. Sun RPC inspection does not support outbound ACLs because the inspection engine uses dynamic ACLs instead of secondary connections. Dynamic ACLs are always added on the ingress direction and not on egress; therefore, this inspection engine does not support outbound ACLs. To view the dynamic ACLs configured for the ASA, use the show asp table classify domain permit command.

Managing Sun RPC Services

Use the Sun RPC services table to control Sun RPC traffic through the ASA based on established Sun RPC sessions. To create entries in the Sun RPC services table, use the sunrpc-server command in global configuration mode:
hostname(config)# sunrpc-server interface_name ip_address mask service service_type protocol {tcp | udp} port[-port] timeout hh:mm:ss

Cisco ASA Series Firewall CLI Configuration Guide
Sun RPC Inspection
15-19
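The port mapper exchange described in the overview, as an added example that is not from the Cisco guide or the ASA code: it builds a constructed PMAPPROC_GETPORT call and reply (wire layout per RFC 5531 and RFC 1833, UDP framing, no record marker), pairs them by XID the way the inspection engine must, and decides whether a pinhole would open. The allowed_programs set is an assumed stand-in for the sunrpc-server table; keying it on program number alone, ignoring the table's protocol and port fields, is a simplification of this example.

```python
import struct

PORTMAP_PROG, PMAPPROC_GETPORT = 100000, 3   # rpcbind program number and GETPORT procedure (RFC 1833)
IPPROTO_NAME = {6: "tcp", 17: "udp"}

def xdr_u32s(*vals):
    """Pack unsigned 32-bit XDR integers (big-endian)."""
    return struct.pack(">%dI" % len(vals), *vals)

def build_getport_call(xid, prog, vers, proto):
    """Constructed PMAPPROC_GETPORT call with AUTH_NULL credentials and verifier (RFC 5531)."""
    return xdr_u32s(xid, 0, 2, PORTMAP_PROG, 2, PMAPPROC_GETPORT, 0, 0, 0, 0, prog, vers, proto, 0)

def build_getport_reply(xid, port):
    """Constructed MSG_ACCEPTED / SUCCESS reply whose single result is the port number."""
    return xdr_u32s(xid, 1, 0, 0, 0, 0, port)

def _skip_opaque_auth(data, off):
    """Skip an XDR opaque_auth: flavor, length, body padded to a multiple of 4 bytes."""
    _, length = struct.unpack_from(">II", data, off)
    return off + 8 + ((length + 3) & ~3)

def parse_getport_call(data):
    """Return (xid, prog, vers, proto) for a GETPORT call, or None for anything else."""
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from(">6I", data, 0)
    if (mtype, rpcvers, prog, proc) != (0, 2, PORTMAP_PROG, PMAPPROC_GETPORT):
        return None
    off = _skip_opaque_auth(data, _skip_opaque_auth(data, 24))  # credentials, then verifier
    want_prog, want_vers, want_proto, _ = struct.unpack_from(">4I", data, off)
    return xid, want_prog, want_vers, IPPROTO_NAME.get(want_proto, "?")

def parse_getport_reply(data):
    """Return (xid, port) for an accepted, successful reply, or None otherwise."""
    xid, mtype, reply_stat = struct.unpack_from(">3I", data, 0)
    if mtype != 1 or reply_stat != 0:  # not a REPLY, or MSG_DENIED
        return None
    accept_stat, port = struct.unpack_from(">2I", data, _skip_opaque_auth(data, 12))
    return (xid, port) if accept_stat == 0 else None

def derive_pinhole(call_bytes, reply_bytes, allowed_programs):
    """Pair call and reply by XID; return the pinhole the engine would open, else None.
    allowed_programs stands in for the sunrpc-server table (service_type values); keying
    on program number alone, ignoring protocol, is this example's simplification."""
    call, reply = parse_getport_call(call_bytes), parse_getport_reply(reply_bytes)
    if call is None or reply is None or call[0] != reply[0] or reply[1] == 0:
        return None  # unmatched XID, rejected reply, or port 0 (program not registered)
    if call[1] not in allowed_programs:
        return None  # service not in the table: traffic stays blocked
    # Per the guide, the ASA opens both TCP and UDP embryonic connections on the learned port.
    return {"program": call[1], "port": reply[1], "protocols": ("tcp", "udp")}
```

A constructed NFS lookup (program 100003, version 3, TCP) answered with port 2049 yields a pinhole only when 100003 is in the table; a mismatched XID or a port-0 "not registered" reply yields none.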