ASA SunRPC inspection

frame6500
Level 1

I would like to understand what configuration pieces need to be in place for SunRPC inspection to work properly. I have the following scenario: the NFS server is on the higher-security interface, and the NFS clients are on the lower-security interface. I have the default sunrpc inspection enabled on UDP port 111. I also added TCP port 111 inspection because I saw from capture information that the SUSE systems were using TCP instead of UDP for the port mapper process.

class-map SUNRPC-TCP
match port tcp eq sunrpc
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
  inspect sunrpc
class SUNRPC-TCP
  inspect sunrpc
!
service-policy global_policy global

Clients that use UDP can mount file shares, but the SUSE systems, which use TCP, could not until I added the following command.

sunrpc-server High_Interface 10.1.1.1 255.255.255.255 service 100005 protocol TCP port 111 timeout 0:01:00

Inspecting the global service policy counters confirms that the SUNRPC-TCP class-map does not register any hit counts.

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: sunrpc, packet 208, drop 0, reset-drop 0
    Class-map: SUNRPC-TCP
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0


The rpcinfo command on the NFS server produces the following output (I removed program numbers that are irrelevant to this discussion):

nbmaster ## rpcinfo -p
   program vers proto   port  service
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    3   tcp   1234  mountd
    100005    2   tcp   1234  mountd
    100005    1   tcp   1234  mountd
    100005    3   udp   1234  mountd
    100005    2   udp   1234  mountd
    100005    1   udp   1234  mountd
    100000    2   udp    111  rpcbind
    100000    2   tcp    111  rpcbind

I would appreciate it if someone who really understands how sunrpc inspection works could explain the following questions to me:

1) What exactly is the purpose of the sunrpc-server commands, and how are they different from the service-policy inspect commands?

2) Why does my "SUNRPC-TCP" class-map not seem to work, while the "sunrpc-server" command seems to do the trick for systems that use TCP for the port mapper process?

Thank you in advance,


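The two artefacts quoted in the question, the `rpcinfo -p` table and the `show service-policy` counters, are exactly what an operator compares when deciding which `sunrpc-server` entries a server needs and whether a class-map is matching anything at all. The script below is an added example written for this page, not code from the thread or from Cisco: it parses both outputs (the samples are the poster's own, embedded as constructed input), emits one `sunrpc-server` statement per registered program/protocol pair in the same form as the command the poster used, and flags any class-map whose `inspect sunrpc` counter is still at zero. The interface name `High_Interface`, the server address `10.1.1.1`, the idle timeout and the use of the port mapper port `111` in every statement are taken from the poster's command and are assumptions; which program numbers actually need entries depends on the deployment, so review the generated lines before applying them.

```python
import re

# Constructed sample: the rpcinfo -p output quoted in the post.
RPCINFO_SAMPLE = """\
   program vers proto   port  service
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    3   tcp   1234  mountd
    100005    2   tcp   1234  mountd
    100005    1   tcp   1234  mountd
    100005    3   udp   1234  mountd
    100005    2   udp   1234  mountd
    100005    1   udp   1234  mountd
    100000    2   udp    111  rpcbind
    100000    2   tcp    111  rpcbind
"""

# Constructed sample: the "show service-policy" excerpt quoted in the post.
SERVICE_POLICY_SAMPLE = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: sunrpc, packet 208, drop 0, reset-drop 0
    Class-map: SUNRPC-TCP
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
"""

# One rpcinfo data row: program, version, proto, port, service name.
RPC_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")
CLASS_LINE = re.compile(r"^\s*Class-map:\s+(\S+)")
INSPECT_LINE = re.compile(
    r"^\s*Inspect:\s+(\S+?),\s+packet\s+(\d+),\s+drop\s+(\d+),\s+reset-drop\s+(\d+)")


def parse_rpcinfo(text):
    """Parse `rpcinfo -p` output into dicts; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = RPC_LINE.match(line)
        if m:
            program, vers, proto, port, service = m.groups()
            entries.append({"program": int(program), "vers": int(vers),
                            "proto": proto, "port": int(port), "service": service})
    return entries


def sunrpc_server_lines(entries, interface, server_ip, portmapper_port=111,
                        timeout="0:01:00", protocols=("tcp",), skip_programs=(100000,)):
    """Emit one sunrpc-server statement per distinct (program, proto) pair.

    Assumptions (not from the page): rpcbind itself (100000) is skipped because the
    inspect engine already watches the port mapper, and every statement names the
    port mapper port, mirroring the command the poster used.
    """
    pairs = sorted({(e["program"], e["proto"]) for e in entries
                    if e["proto"] in protocols and e["program"] not in skip_programs})
    return [f"sunrpc-server {interface} {server_ip} 255.255.255.255 "
            f"service {program} protocol {proto.upper()} port {portmapper_port} timeout {timeout}"
            for program, proto in pairs]


def parse_inspect_counters(text):
    """Return {class_map: {inspect_name: {'packet': n, 'drop': n, 'reset_drop': n}}}."""
    counters, current = {}, None
    for line in text.splitlines():
        m = CLASS_LINE.match(line)
        if m:
            current = m.group(1)
            counters[current] = {}
            continue
        m = INSPECT_LINE.match(line)
        if m and current is not None:
            name, pkt, drop, rdrop = m.groups()
            counters[current][name] = {"packet": int(pkt), "drop": int(drop),
                                       "reset_drop": int(rdrop)}
    return counters


def idle_classes(counters, inspect_name="sunrpc"):
    """Class-maps whose named inspect has never seen a packet, i.e. classes that match nothing."""
    return sorted(cm for cm, insp in counters.items()
                  if inspect_name in insp and insp[inspect_name]["packet"] == 0)


if __name__ == "__main__":
    for stmt in sunrpc_server_lines(parse_rpcinfo(RPCINFO_SAMPLE), "High_Interface", "10.1.1.1"):
        print(stmt)
    for cm in idle_classes(parse_inspect_counters(SERVICE_POLICY_SAMPLE)):
        print(f"class-map {cm}: inspect sunrpc has 0 packets, check its match criteria")
```

Run against the poster's own samples it produces entries for 100003 (nfs) and 100005 (mountd) over TCP and reports SUNRPC-TCP as idle, which is the same symptom the counters in the question show.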

1 Reply

sam mackenzie
Level 1

Hi there, this is kind of a bump, since I'm also looking at an issue with SUNRPC, which doesn't work under inspection, but we have to use 1-1 NAT, so I suspect there's no way around this unfortunately.

I was hoping that someone who might be able to answer frame6500's questions might also be able to advise whether this will ever work, and if not, why not?

I can provide specific info on my issue if required; however, the basic config is that two sets of servers communicate using SUNRPC and the return traffic is denied, even though all we've done for configuration is to allow SUNRPC inspection in the default inspection traffic. NAT is configured also.

Thanks,

Sam    
