Sun RPC through Pix Ver 6.3(3)

Jul 29th, 2007

Hi,


I have a requirement to get Sun RPC through a PIX I have running version 6.3(3).


Is this possible without having to open up a range of high ports?


Is there a fixup command (I can't seem to find one)?


Any help would be great.


Thanks

Jon Marshall Mon, 07/30/2007 - 00:50

Hi Stuart,


The good news is that there is a fixup command for Sun RPC - see the attached link:


http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/fixup.html#wp1064030


The bad news is that I experimented with this a while back and could never quite get it to work properly.


Mind you, that could just be me, so your experience might differ :)


HTH


Jon

stuart.jones Mon, 07/30/2007 - 11:51

Jon,


Thanks for the link, there may be hope...


The host I have initiating the RPC is on a lower-security interface than the destination hosts, so this appears OK as per the example.


So there is no specific fixup command as such, as I didn't see one listed like for the other protocols. Is this because it cannot be modified in terms of the port, i.e. it is always UDP 111?


I am slightly confused by the example. If the RPC replies are monitored, why was there a need to enter the


access-list acl_out permit udp host 209.165.201.2 host 209.165.201.11 eq 2049


command? Shouldn't this have been opened up dynamically by the PIX?


Thanks

Stu

Jon Marshall Mon, 07/30/2007 - 12:13
Stu,


This brings back painful memories :).


In answer to your first question: yes, I believe it only allows RPC on port 111, which is fine for some versions of Unix and not for others, e.g. Solaris runs rpcinfo and that does not run on port 111.


I am also confused by the NFS example. I agree with what you say, in that I thought the whole point of reading the RPC reply was to dynamically find the ports and open them.


I can see a bit more experimentation coming on. As I say, I really didn't find it that reliable.


Could you elaborate on what you are trying to achieve, as there may be a better way to do it?


Jon

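The mechanism the two posts above are debating (an inspection engine watching portmapper traffic on UDP 111 and deriving the data port from the GETPORT reply) is modelled in the added example below. It is not code from either poster or from Cisco; it parses Sun RPC / portmapper messages as laid out in RFC 1057 and RFC 1833, and the sample addresses are taken from the access-list line quoted in the thread.

```python
import struct

# Sun RPC / portmapper constants (RFC 1057, RFC 1833)
PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
NFS_PROG, IPPROTO_UDP = 100003, 17
CALL, REPLY, MSG_ACCEPTED, SUCCESS = 0, 1, 0, 0

def build_getport_call(xid, prog, vers, proto):
    """Client -> portmapper (UDP/111): which port serves prog/vers over proto?"""
    hdr = struct.pack(">6I", xid, CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    auth = struct.pack(">2I", 0, 0) * 2               # AUTH_NULL credential and verifier
    return hdr + auth + struct.pack(">4I", prog, vers, proto, 0)

def build_getport_reply(xid, port):
    """Portmapper -> client: accepted reply whose single result is the port (0 = not registered)."""
    return struct.pack(">3I", xid, REPLY, MSG_ACCEPTED) + struct.pack(">2I", 0, 0) + struct.pack(">2I", SUCCESS, port)

class RpcInspector:
    """Minimal model of a stateful RPC fixup: remember outstanding GETPORT calls by xid and,
    when the matching reply arrives, derive the pinhole (client, server, proto, port) the
    data flow needs instead of a static high-port ACL."""
    def __init__(self):
        self.pending = {}                              # xid -> (client, server, prog, vers, proto)
        self.pinholes = []                             # (client, server, proto, port)

    def on_call(self, client, server, payload):
        xid, mtype, rpcvers, prog, vers, proc = struct.unpack(">6I", payload[:24])
        if mtype != CALL or rpcvers != 2 or prog != PMAP_PROG or proc != PMAPPROC_GETPORT:
            return                                     # only GETPORT calls create state
        off = 24
        for _ in range(2):                             # skip credential and verifier
            _, blen = struct.unpack(">2I", payload[off:off + 8])
            off += 8 + ((blen + 3) & ~3)               # opaque bodies are padded to 4 bytes
        tprog, tvers, tproto, _ = struct.unpack(">4I", payload[off:off + 16])
        self.pending[xid] = (client, server, tprog, tvers, tproto)

    def on_reply(self, payload):
        xid, mtype, stat = struct.unpack(">3I", payload[:12])
        if mtype != REPLY or stat != MSG_ACCEPTED or xid not in self.pending:
            return None                                # unsolicited or rejected: open nothing
        _, vlen = struct.unpack(">2I", payload[12:20])
        off = 20 + ((vlen + 3) & ~3)
        astat, port = struct.unpack(">2I", payload[off:off + 8])
        client, server, _, _, proto = self.pending.pop(xid)
        if astat != SUCCESS or port == 0:
            return None                                # program not registered: no pinhole
        hole = (client, server, proto, port)
        self.pinholes.append(hole)
        return hole

def demo():
    # Constructed sample: 209.165.201.2 asks the portmapper on 209.165.201.11 for NFS v3 over UDP.
    insp = RpcInspector()
    insp.on_call("209.165.201.2", "209.165.201.11", build_getport_call(0x1234, NFS_PROG, 3, IPPROTO_UDP))
    return insp.on_reply(build_getport_reply(0x1234, 2049))
```

The pinhole returned by demo() is exactly what the static `eq 2049` line in the guide's example pre-authorises; with a working inspection engine it would be created only after the reply is seen.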
stuart.jones Tue, 07/31/2007 - 14:20

Jon,


Not sure about what the server guys are doing, but they have a mainframe trying to talk to an ACLS server, and I have been told it will use RPC as part of this.


Thanks

Stu
