Managing Sun Rpc Services; Verifying And Monitoring Sun Rpc Inspection - Cisco 7604 Configuration Manual

Catalyst 6500 series switch and cisco 7600 series router firewall services module configuration guide using the cli

Sun RPC Inspection
Example 22-16 enables Sun RPC over UDP, which you do by adding the inspect sunrpc command to a
policy map that applies actions to the default traffic class:
Example 22-16 Enabling and Configuring UDP-based Sun RPC Inspection
hostname(config)# policy-map asa_global_fw_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect sunrpc
hostname(config-pmap-c)#

Managing Sun RPC Services

The FWSM maintains a Sun RPC services table to control established Sun RPC sessions. To create
entries in the Sun RPC services table, use the sunrpc-server command in global configuration mode.
You can use the sunrpc-server command to specify the timeout after which the FWSM closes a pinhole
opened by Sun RPC application inspection. For example, to create a timeout of 30 minutes for the Sun
RPC server with the IP address 192.168.100.2, enter the following command:
hostname(config)# sunrpc-server inside 192.168.100.2 255.255.255.255 service 100003 protocol tcp 111 timeout 00:30:00
This command specifies that the pinhole that was opened by Sun RPC application inspection will be
closed after 30 minutes. In this example, the Sun RPC server is on the inside interface using TCP port
111. You can also specify UDP, a different port number, or a range of ports. To specify a range of ports,
separate the starting and ending port numbers in the range with a hyphen (for example, 111-113).
The service type identifies the mapping between a specific service type and the port number used for the
service. To determine the service type, which in this example is 100003, use the sunrpcinfo command
at the UNIX or Linux command line on the Sun RPC server machine.
To clear the Sun RPC configuration, enter the following command:
hostname(config)# clear configure sunrpc-server
This removes the configuration performed using the sunrpc-server command. The sunrpc-server
command allows pinholes to be created with a specified timeout.
To clear the active Sun RPC services, enter the following command:
hostname(config)# clear sunrpc-server active
This clears the pinholes open because Sun RPC application inspection enabled the traffic based on
service requests to the port mapper service.
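The sunrpc-server entries above are typed by hand, and a typo in the program number, the protocol or the port range silently creates a pinhole for the wrong service. The following Python script is an added example (not Cisco's code) that validates each field and builds the command line in the form shown on this page; the rpcinfo -p style listing is constructed here to stand in for what the rpcinfo tool prints on the server, and the helper names (make_pinhole, pinholes_from_rpcinfo) are my own.

```python
"""Build FWSM ``sunrpc-server`` pinhole entries from an rpcinfo-style listing.

Added example; this is not Cisco's code. It assumes the command form shown on
the page (interface, address, mask, service <program>, protocol tcp|udp,
port or port-range, timeout hh:mm:ss). The rpcinfo listing below is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

PORT_SPEC_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")   # "111" or "111-113"
PORTMAPPER_PROGRAM = 100000                                  # rpcbind/portmapper itself


@dataclass(frozen=True)
class SunRpcPinhole:
    interface: str
    server: str
    mask: str
    program: int        # RPC program number, e.g. 100003 for nfs
    protocol: str       # "tcp" or "udp"
    port_start: int
    port_end: int
    timeout_seconds: int

    def port_spec(self) -> str:
        if self.port_start == self.port_end:
            return str(self.port_start)
        return f"{self.port_start}-{self.port_end}"

    def command(self) -> str:
        """Render the entry as the FWSM global-configuration command."""
        hours, rem = divmod(self.timeout_seconds, 3600)
        minutes, seconds = divmod(rem, 60)
        return (
            f"sunrpc-server {self.interface} {self.server} {self.mask} "
            f"service {self.program} protocol {self.protocol} {self.port_spec()} "
            f"timeout {hours:02d}:{minutes:02d}:{seconds:02d}"
        )


def make_pinhole(interface, server, mask, program, protocol, ports, timeout_seconds):
    """Validate every field before it becomes part of a firewall rule."""
    ipaddress.IPv4Address(server)            # raises ValueError on a bad address
    ipaddress.IPv4Address(mask)
    if not 0 <= program <= 0xFFFFFFFF:       # RPC program numbers are 32-bit
        raise ValueError(f"program number out of range: {program}")
    protocol = protocol.lower()
    if protocol not in ("tcp", "udp"):
        raise ValueError(f"protocol must be tcp or udp, got {protocol!r}")
    match = PORT_SPEC_RE.match(ports)
    if not match:
        raise ValueError(f"bad port specification: {ports!r}")
    start = int(match.group(1))
    end = int(match.group(2) or start)
    if not 1 <= start <= end <= 65535:       # rejects "113-111" and port 0
        raise ValueError(f"bad port range: {ports!r}")
    if timeout_seconds <= 0:
        raise ValueError("timeout must be positive")
    return SunRpcPinhole(interface, server, mask, program, protocol, start, end, timeout_seconds)


# Constructed rpcinfo -p style listing for the server on the page (192.168.100.2).
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
"""


def pinholes_from_rpcinfo(listing, interface, server, mask, timeout_seconds):
    """Turn each (program, proto, port) row into one pinhole entry.

    Rows that differ only in the RPC version collapse into a single entry, and
    the portmapper itself is skipped because its port 111 is the one the
    client reaches directly rather than through a pinhole.
    """
    seen = set()
    result = []
    for line in listing.splitlines()[1:]:     # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        program, proto, port = int(fields[0]), fields[2], fields[3]
        if program == PORTMAPPER_PROGRAM or (program, proto, port) in seen:
            continue
        seen.add((program, proto, port))
        result.append(make_pinhole(interface, server, mask, program, proto, port, timeout_seconds))
    return result


if __name__ == "__main__":
    for entry in pinholes_from_rpcinfo(SAMPLE_RPCINFO, "inside", "192.168.100.2",
                                       "255.255.255.255", 30 * 60):
        print(entry.command())
```

Running the script prints one sunrpc-server line per distinct (program, protocol, port) tuple, ready to paste into global configuration mode; reviewing that list before applying it is the moment to notice a service you did not expect the server to be exporting.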

Verifying and Monitoring Sun RPC Inspection

The sample output in this section is for a Sun RPC server with an IP address of 192.168.100.2 on the
inside interface and a Sun RPC client with an IP address of 209.165.201.5 on the outside interface.
To view information about the current Sun RPC connections, enter the show conn command. The
following is sample output from the show conn command:
hostname# show conn
15 in use, 21 most used
UDP out 209.165.200.5:800 in 192.168.100.2:2049 idle 0:00:04 flags -
UDP out 209.165.200.5:714 in 192.168.100.2:111 idle 0:00:04 flags -
UDP out 209.165.200.5:712 in 192.168.100.2:647 idle 0:00:05 flags -
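To make the show conn output above useful for monitoring rather than just reading, it helps to separate the connection to the port mapper (port 111) from the pinholes that inspection opened for the dynamically assigned service ports, and to flag any server port you did not expect. The following Python parser is an added example, not Cisco's code; it embeds the three sample lines from this page, and the set of expected service ports and the idle-time threshold are assumptions chosen for the demonstration.

```python
"""Parse FWSM ``show conn`` output and audit the Sun RPC pinholes in it.

Added example; not Cisco's code. CONN_RE matches the line format shown on the
page; the expected-port set and idle threshold used below are assumptions.
"""
import re
from dataclasses import dataclass

PORTMAPPER_PORT = 111

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)"
    r"\s+in\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+)"
    r"\s+idle\s+(?P<idle>\d+:\d{2}:\d{2})\s+flags\s+(?P<flags>\S+)$"
)
SUMMARY_RE = re.compile(r"^(?P<in_use>\d+) in use, (?P<most_used>\d+) most used$")


@dataclass(frozen=True)
class Conn:
    proto: str
    out_ip: str
    out_port: int
    in_ip: str
    in_port: int
    idle_seconds: int
    flags: str


def parse_idle(text):
    """Convert the h:mm:ss idle column into seconds."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def parse_show_conn(output):
    """Return ((in_use, most_used), [Conn, ...]) for one show conn capture."""
    summary = None
    conns = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.endswith("# show conn"):   # skip blanks and the prompt
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary = (int(m["in_use"]), int(m["most_used"]))
            continue
        m = CONN_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised show conn line: {line!r}")
        conns.append(Conn(m["proto"], m["out_ip"], int(m["out_port"]),
                          m["in_ip"], int(m["in_port"]),
                          parse_idle(m["idle"]), m["flags"]))
    return summary, conns


def audit_rpc_pinholes(conns, server_ip, expected_ports, idle_warn_seconds):
    """Classify every connection to the RPC server.

    portmapper: the client talking to port 111 directly
    expected:   a pinhole to a service port you know the server exports
    unexpected: a pinhole to a port not in expected_ports, worth a look
    stale:      any of the above whose idle time has reached the warning level
    """
    report = {"portmapper": [], "expected": [], "unexpected": [], "stale": []}
    for c in conns:
        if c.in_ip != server_ip:
            continue
        if c.in_port == PORTMAPPER_PORT:
            report["portmapper"].append(c)
        elif c.in_port in expected_ports:
            report["expected"].append(c)
        else:
            report["unexpected"].append(c)
        if c.idle_seconds >= idle_warn_seconds:
            report["stale"].append(c)
    return report


# The sample output from this page, embedded so the script runs offline.
SAMPLE_SHOW_CONN = """\
hostname# show conn
15 in use, 21 most used
UDP out 209.165.200.5:800 in 192.168.100.2:2049 idle 0:00:04 flags -
UDP out 209.165.200.5:714 in 192.168.100.2:111 idle 0:00:04 flags -
UDP out 209.165.200.5:712 in 192.168.100.2:647 idle 0:00:05 flags -
"""

if __name__ == "__main__":
    summary, conns = parse_show_conn(SAMPLE_SHOW_CONN)
    # Assumption for the demo: only NFS (2049) is an expected service port.
    report = audit_rpc_pinholes(conns, "192.168.100.2", {2049}, idle_warn_seconds=5)
    print("connections in use / most used:", summary)
    for category, items in report.items():
        for c in items:
            print(f"{category:10s} {c.proto} {c.out_ip}:{c.out_port} -> {c.in_ip}:{c.in_port} idle {c.idle_seconds}s")
```

With the page's sample, port 2049 lands in "expected", port 111 in "portmapper", and port 647 in "unexpected"; whether 647 is legitimate is exactly the question the rpcinfo listing on the server answers, and the stale bucket tells you which pinholes are about to be reclaimed by the sunrpc-server timeout.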
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM, Chapter 22 Applying Application Layer Protocol Inspection, page 22-102, OL-20748-01
