Sun RPC through Pix Ver 6.3(3)

stuart.jones
Level 1

Hi,

I have a requirement to get Sun RPC through a PIX I have running version 6.3(3).

Is this possible without having to open up a high range of ports?

Is there a fixup command (I can't seem to find one)?

Any help would be great

Thanks

4 Replies

Jon Marshall
Hall of Fame

Hi Stuart

The good news is that there is a fixup command for Sun RPC - see the attached link:

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/fixup.html#wp1064030

The bad news is that I experimented with this a while back and could never quite get it to work properly.

Mind you that could just be me so your experience might differ :)

HTH

Jon

Jon,

Thanks for the link, there may be hope...

The host I have initiating the RPC is on a lower security interface than the destination hosts, so this appears OK as per the example.

So there is no specific fixup command as such, as I didn't see one listed like for the other protocols; is this because it cannot be modified in terms of the port, it is always UDP 111?

I am slightly confused by the example: if the RPC replies are monitored, why was there a need to enter the

access-list acl_out permit udp host 209.165.201.2 host 209.165.201.11 eq 2049

command? Shouldn't this have been opened up dynamically by the PIX?

Thanks

Stu

Stu

This brings back painful memories :).

In answer to your first question, yes, I believe it only allows RPC on port 111, which is fine for some versions of Unix and not for others, e.g. Solaris runs rpcinfo and that does not run on port 111.

I am also confused by the example of NFS. I agree with what you say in that I thought the whole point of reading the RPC reply was to dynamically find the ports and open them.

I can see a bit more experimentation coming on. As I say, I really didn't find it that reliable.

Could you elaborate on what you are trying to achieve as there may be a better way to do it.

Jon
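To make concrete what "reading the RPC reply to dynamically find the ports" means in the exchange above, here is an added example (not part of the original thread, and not PIX code) that models the Sun RPC portmapper exchange an inspection engine has to parse: the client's PMAPPROC_GETPORT call to UDP/111 asking where a program (NFS, program 100003) lives, and the portmapper's reply carrying the port. The inspector matches the reply to the call by XID and only then derives a pinhole (client, server, protocol, port); a denied reply, a port of 0 (program not registered) or a reply with no matching call yields nothing. Message layout follows RFC 1057/1833 with AUTH_NULL credentials; the addresses and XIDs are constructed sample values, and `RpcInspector` is a hypothetical name, not a Cisco component.

```python
"""Model of Sun RPC portmapper GETPORT inspection (added example, not PIX code)."""
import struct

RPC_CALL, RPC_REPLY = 0, 1
RPC_VERSION = 2
PMAP_PROG, PMAP_VERS = 100000, 2      # portmapper program and version
PMAPPROC_GETPORT = 3
MSG_ACCEPTED, MSG_DENIED = 0, 1
SUCCESS = 0
IPPROTO_TCP, IPPROTO_UDP = 6, 17
NFS_PROG = 100003                     # NFS program number; well-known port 2049

AUTH_NULL = struct.pack("!II", 0, 0)  # opaque_auth: flavor AUTH_NULL, zero-length body


def build_getport_call(xid, prog, vers, proto):
    """Encode a PMAPPROC_GETPORT call as a client sends it to the portmapper (UDP/111)."""
    header = struct.pack("!IIIIII", xid, RPC_CALL, RPC_VERSION,
                         PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    mapping = struct.pack("!IIII", prog, vers, proto, 0)  # port field is ignored in GETPORT
    return header + AUTH_NULL + AUTH_NULL + mapping


def build_getport_reply(xid, port, accepted=True):
    """Encode the portmapper's reply; port 0 means the program is not registered."""
    if not accepted:
        return struct.pack("!III", xid, RPC_REPLY, MSG_DENIED) + struct.pack("!II", 0, 0)
    # reply header, MSG_ACCEPTED, AUTH_NULL verifier, accept_stat SUCCESS, then the port
    return (struct.pack("!III", xid, RPC_REPLY, MSG_ACCEPTED) + AUTH_NULL
            + struct.pack("!II", SUCCESS, port))


def parse_getport_call(data):
    """Return (xid, prog, vers, proto) for a GETPORT call, or None for anything else."""
    if len(data) < 24:
        return None
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack("!IIIIII", data[:24])
    if (mtype, rpcvers, prog, vers, proc) != (RPC_CALL, RPC_VERSION, PMAP_PROG,
                                              PMAP_VERS, PMAPPROC_GETPORT):
        return None
    off = 24
    for _ in range(2):  # skip credential and verifier (flavor, length, body padded to 4)
        if len(data) < off + 8:
            return None
        _flavor, length = struct.unpack("!II", data[off:off + 8])
        off += 8 + ((length + 3) & ~3)
    if len(data) < off + 16:
        return None
    tprog, tvers, tproto, _port = struct.unpack("!IIII", data[off:off + 16])
    return xid, tprog, tvers, tproto


def parse_getport_reply(data):
    """Return (xid, port) for an accepted, successful reply; (xid, None) otherwise."""
    if len(data) < 12:
        return None
    xid, mtype, reply_stat = struct.unpack("!III", data[:12])
    if mtype != RPC_REPLY:
        return None
    if reply_stat != MSG_ACCEPTED or len(data) < 20:
        return xid, None
    _flavor, length = struct.unpack("!II", data[12:20])  # verifier
    off = 20 + ((length + 3) & ~3)
    if len(data) < off + 8:
        return xid, None
    accept_stat, port = struct.unpack("!II", data[off:off + 8])
    if accept_stat != SUCCESS or port == 0:
        return xid, None
    return xid, port


class RpcInspector:
    """Hypothetical inspector: remembers GETPORT calls by XID, turns matching replies into pinholes."""

    def __init__(self):
        self.pending = {}  # (client, server, xid) -> (prog, vers, proto)

    def observe_call(self, client, server, data):
        parsed = parse_getport_call(data)
        if parsed:
            xid, prog, vers, proto = parsed
            self.pending[(client, server, xid)] = (prog, vers, proto)

    def observe_reply(self, server, client, data):
        """Return (client, server, 'udp'|'tcp', port) to open, or None if nothing should open."""
        parsed = parse_getport_reply(data)
        if not parsed:
            return None
        xid, port = parsed
        call = self.pending.pop((client, server, xid), None)  # one reply consumes one call
        if call is None or port is None:
            return None
        _prog, _vers, proto = call
        return (client, server, "udp" if proto == IPPROTO_UDP else "tcp", port)


if __name__ == "__main__":
    # Constructed scenario: an outside client asks the portmapper where NFS v3 over UDP lives.
    insp = RpcInspector()
    insp.observe_call("client", "server", build_getport_call(0x1234, NFS_PROG, 3, IPPROTO_UDP))
    print(insp.observe_reply("server", "client", build_getport_reply(0x1234, 2049)))
```

The pinhole is only ever derived from an accepted reply that matches a call the inspector already saw from the same client to the same server, which is what stops an unsolicited "reply" from opening anything. Note that in this model the port learned for NFS is 2049, so whether a static permit for that port is still required depends on the firewall's implementation, which the thread leaves open.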

Jon,

Not sure about what the server guys are doing, but they have a mainframe trying to talk to an ACLS server, and I have been told it will use RPC as part of this.

Thanks

Stu
