07-29-2007 04:51 PM - edited 03-11-2019 03:51 AM
Hi,
I have a requirement to get Sun RPC through a PIX I have running version 6.3(3).
Is this possible without having to open up a high range of ports?
Is there a fixup command (I can't seem to find one)?
Any help would be great
Thanks
07-30-2007 12:50 AM
Hi Stuart
The good news is that there is a fixup command for Sun RPC - see attached link
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/fixup.html#wp1064030
The bad news is that I experimented with this a while back and could never quite get it to work properly.
Mind you that could just be me so your experience might differ :)
HTH
Jon
07-30-2007 11:51 AM
Jon,
Thanks for the link, there may be hope...
The host I have initiating the RPC is on a lower security interface to the destination hosts, so this appears OK as per the example.
So there is no specific fixup command as such, as I didn't see one listed like on the other protocols. Is this because it cannot be modified in terms of the port, i.e. it is always UDP 111?
I am slightly confused by the example: if the RPC replies are monitored, why was there a need to enter the
access-list acl_out permit udp host 209.165.201.2 host 209.165.201.11 eq 2049
command? Shouldn't this have been opened up dynamically by the PIX?
Thanks
Stu
07-30-2007 12:13 PM
Stu
This brings back painful memories :).
In answer to your first question, yes, I believe it only allows RPC on port 111, which is fine for some versions of Unix and not for others, e.g. Solaris runs rpcinfo and that does not run on port 111.
I am also confused by the example of NFS. I agree with what you say in that I thought the whole point of reading the RPC reply was to dynamically find the ports and open them.
I can see a bit more experimentation coming on. As I say, I really didn't find it that reliable.
Could you elaborate on what you are trying to achieve as there may be a better way to do it.
Jon
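The mechanism both posts above are circling around is that a firewall doing Sun RPC inspection watches the portmapper exchange on UDP 111: the client's GETPORT call names a program (e.g. NFS, program 100003) and the server's reply carries the port it currently runs on, which is what the firewall would need to open dynamically. The following is an added example, not code from this thread or from Cisco, that builds and parses that exchange using the standard Sun RPC / portmapper wire format (RFC 1057) and keeps a hypothetical `pinholes` list of what an inspector would open. The message bytes are constructed inline; the `PortmapperInspector` class and its `pinholes` bookkeeping are assumptions for illustration, not the PIX's actual fixup implementation.

```python
import struct

# Well-known Sun RPC / portmapper constants (RFC 1057).
RPC_CALL, RPC_REPLY = 0, 1
MSG_ACCEPTED, SUCCESS = 0, 0
PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
IPPROTO_TCP, IPPROTO_UDP = 6, 17
AUTH_NULL = 0


def _skip_opaque_auth(data, off):
    """Skip one opaque_auth (flavor, length, body padded to 4 bytes)."""
    _flavor, length = struct.unpack_from("!II", data, off)
    return off + 8 + ((length + 3) & ~3)


def build_getport_call(xid, prog, vers, proto):
    """Constructed client -> portmapper GETPORT call (AUTH_NULL cred and verf)."""
    header = struct.pack("!IIIIII", xid, RPC_CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    auth = struct.pack("!IIII", AUTH_NULL, 0, AUTH_NULL, 0)
    args = struct.pack("!IIII", prog, vers, proto, 0)  # port field is ignored in the call
    return header + auth + args


def build_getport_reply(xid, port):
    """Constructed portmapper -> client GETPORT reply; port 0 means 'not registered'."""
    return (struct.pack("!III", xid, RPC_REPLY, MSG_ACCEPTED)
            + struct.pack("!II", AUTH_NULL, 0)
            + struct.pack("!II", SUCCESS, port))


def parse_getport_call(data):
    """Return (xid, prog, vers, proto) for a GETPORT call, or None if it is not one."""
    try:
        xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from("!IIIIII", data, 0)
        if (mtype, rpcvers, prog, vers, proc) != (RPC_CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT):
            return None
        off = _skip_opaque_auth(data, 24)   # credentials
        off = _skip_opaque_auth(data, off)  # verifier
        want_prog, want_vers, proto, _port = struct.unpack_from("!IIII", data, off)
        return xid, want_prog, want_vers, proto
    except struct.error:
        return None  # truncated or malformed message


def parse_getport_reply(data):
    """Return (xid, port) for an accepted, successful GETPORT reply, else None."""
    try:
        xid, mtype, reply_stat = struct.unpack_from("!III", data, 0)
        if mtype != RPC_REPLY or reply_stat != MSG_ACCEPTED:
            return None
        off = _skip_opaque_auth(data, 12)  # verifier
        accept_stat, port = struct.unpack_from("!II", data, off)
        if accept_stat != SUCCESS:
            return None
        return xid, port
    except struct.error:
        return None


class PortmapperInspector:
    """Hypothetical inspection state: correlate GETPORT calls and replies by xid."""

    def __init__(self):
        self.pending = {}   # xid -> (prog, vers, proto) seen in calls
        self.pinholes = []  # (proto_name, port, prog) the inspector would open

    def on_call(self, data):
        parsed = parse_getport_call(data)
        if parsed:
            xid, prog, vers, proto = parsed
            self.pending[xid] = (prog, vers, proto)

    def on_reply(self, data):
        parsed = parse_getport_reply(data)
        if not parsed:
            return None
        xid, port = parsed
        if xid not in self.pending:
            return None  # reply with no matching call: nothing to open
        prog, _vers, proto = self.pending.pop(xid)
        if port == 0:
            return None  # program not registered on the server: no pinhole
        name = {IPPROTO_TCP: "tcp", IPPROTO_UDP: "udp"}.get(proto, str(proto))
        hole = (name, port, prog)
        self.pinholes.append(hole)
        return hole


def demo():
    """Constructed exchange: client asks the portmapper where NFS v2 over UDP lives."""
    insp = PortmapperInspector()
    insp.on_call(build_getport_call(0x1234, 100003, 2, IPPROTO_UDP))
    opened = insp.on_reply(build_getport_reply(0x1234, 2049))
    return opened, insp.pinholes


if __name__ == "__main__":
    print(demo())
```

The `pending` table keyed by transaction id is what makes the reply meaningful: a stray reply without a preceding call, or a reply whose port is 0, results in no pinhole. That is also why an inspector that only watches port 111 cannot help with services that register on other ports or are queried without going through the portmapper.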
07-31-2007 02:20 PM
Jon,
Not sure about what the server guys are doing, but they have a mainframe trying to talk to an ACLS server, and I have been told it will use RPC as part of this.
Thanks
Stu