NFS across PIX 515E firewall

Unanswered Question
Jan 24th, 2006

Hi-

I've been trying to get my PIX to handle NFS traffic between Windows and Solaris 9 machines, but in vain (for 2 days now!!).


Configs:


Windows:-

Installed Windows Services for Unix, which has NFS utilities like mount, rpcinfo and showmount, which are all working fine. The Windows machine is on the outside of the firewall.

---------

Solaris:-

The rpc and nfs daemons are working fine: NFS can be accessed from another Solaris machine on the same side (inside) of the firewall.

---------


PIX:-

Cisco PIX Firewall Version 6.3(3)

access-list outside_access_in permit tcp 192.168.100.0 255.255.255.0 any eq sqlnet

access-list outside_access_in permit tcp host 192.168.100.55 any eq telnet

access-list outside_access_in permit tcp host 192.168.100.55 any eq ftp

access-list outside_access_in permit tcp host 192.168.100.71 any eq ftp

pager lines 24

logging on

mtu outside 1500

mtu inside 1500

ip address outside 192.168.100.101 255.255.255.0

ip address inside 192.168.64.3 255.255.255.224

arp timeout 14400

static (inside,outside) tcp 192.168.100.106 sqlnet 192.168.32.29 sqlnet netmask 255.255.255.255 0 0

static (inside,outside) tcp 192.168.100.107 sqlnet 192.168.32.30 sqlnet netmask 255.255.255.255 0 0

static (inside,outside) tcp 192.168.100.106 telnet 192.168.32.29 telnet netmask 255.255.255.255 0 0

static (inside,outside) tcp 192.168.100.106 ftp 192.168.32.29 ftp netmask 255.255.255.255 0 0

static (inside,outside) tcp 192.168.100.107 ftp 192.168.32.30 ftp netmask 255.255.255.255 0 0

static (inside,outside) 192.168.100.106 192.168.32.29 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

conduit permit udp host 192.168.100.106 eq sunrpc host 192.168.100.71

conduit permit udp host 192.168.100.106 eq 2049 host 192.168.100.71

conduit permit icmp any any

conduit permit tcp host 192.168.100.106 eq 135 host 192.168.100.71

established tcp 135 0 permitto tcp 1024-65535 permitfrom tcp 0

route outside 0.0.0.0 0.0.0.0 192.168.100.101 1

route inside 192.168.0.0 255.255.0.0 192.168.64.3 1

---------


Tests:

From another Solaris box on the inside (192.168.32.30), I run showmount -e 192.168.32.29 with success.

From the Windows machine on the outside, I get an RPC failure.

Has anybody ever succeeded in running NFS across the PIX? Much of the documentation I've come across is against this implementation.


Thanks.

Simon.

varakantam Wed, 01/25/2006 - 02:42

a) One, I would check with a Windows host on the inside just to ease troubleshooting.


b) conduit permit udp host 192.168.100.106 eq sunrpc host 192.168.100.71

conduit permit udp host 192.168.100.106 eq 2049 host 192.168.100.71

conduit permit icmp any any

conduit permit tcp host 192.168.100.106 eq 135 host 192.168.100.71


Please stay away from using conduit and switch to access-lists for consistency and best practice.


"Sun Remote Procedure Call (RPC) is used by many services, for example, Network File System (NFS) and Network Information Service (NIS).


Sun RPC services can run on any port on the system. When a client attempts to access an RPC service on a server, it must find out which port that service is running on. It does this by querying the portmapper process on the well-known port of 111.


The client sends the RPC program number of the service, and gets back the port number. From this point on, the client program sends its RPC queries to that new port."


So you need to open a reverse port as well to enable communication. The best recommendation is to use application protocol inspection for the interface connecting the server:


http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_2_3/fwsm_cfg/fixup.htm#wp1064030
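The quoted paragraphs describe the portmapper exchange in words; the following is an added example (written for this edit, not code from the thread or from Cisco) that encodes and decodes the exact messages involved, so you can see why a fixed conduit for 111 and 2049 is not enough. It builds an ONC RPC v2 PMAPPROC_GETPORT call as rpcinfo or showmount would send it to port 111, parses a reply, and then compares the ports the portmapper hands out against the UDP ports the poster's conduits permit. The reply bytes, the program names and the mountd port 32771 are constructed fixtures (mountd normally sits on a dynamically assigned port, so the value is illustrative), and the `PERMITTED_UDP_PORTS` set is taken from the conduits in the question.

```python
import struct

# ONC RPC v2 constants (RFC 1057 / RFC 5531)
MSG_CALL, MSG_REPLY = 0, 1
RPC_VERSION = 2
PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
NFS_PROG, MOUNT_PROG = 100003, 100005       # well-known program numbers
IPPROTO_TCP, IPPROTO_UDP = 6, 17
AUTH_NULL = 0

def build_getport_call(xid, prog, vers, proto):
    """Encode the CALL a client sends to the portmapper on port 111 to ask
    'on which port is program `prog`, version `vers`, over `proto`?'"""
    header = struct.pack("!IIIIII", xid, MSG_CALL, RPC_VERSION,
                         PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    # credential and verifier are both AUTH_NULL with zero-length bodies
    auth = struct.pack("!II", AUTH_NULL, 0) * 2
    # GETPORT arguments: prog, vers, prot, port (port is ignored by the server)
    args = struct.pack("!IIII", prog, vers, proto, 0)
    return header + auth + args

def build_getport_reply(xid, port):
    """Constructed test fixture: the REPLY a portmapper returns for GETPORT.
    Layout: xid, REPLY, MSG_ACCEPTED, verifier (AUTH_NULL, len 0), SUCCESS, port."""
    return struct.pack("!IIIIII", xid, MSG_REPLY, 0, AUTH_NULL, 0, 0) + struct.pack("!I", port)

def parse_getport_reply(data, expected_xid):
    """Decode a GETPORT reply and return the port (0 means 'not registered').
    Raises ValueError on any malformed or rejected reply."""
    if len(data) < 28:
        raise ValueError("reply too short")
    xid, msg_type, reply_stat = struct.unpack("!III", data[:12])
    if xid != expected_xid:
        raise ValueError("xid mismatch")
    if msg_type != MSG_REPLY or reply_stat != 0:
        raise ValueError("call was not accepted")
    _verf_flavor, verf_len = struct.unpack("!II", data[12:20])
    off = 20 + ((verf_len + 3) & ~3)          # verifier body is padded to 4 bytes
    accept_stat, = struct.unpack("!I", data[off:off + 4])
    if accept_stat != 0:
        raise ValueError("accept_stat %d" % accept_stat)
    port, = struct.unpack("!I", data[off + 4:off + 8])
    return port

# UDP ports the poster's conduits allow towards the NFS server (from the question)
PERMITTED_UDP_PORTS = {111, 2049}

def unreachable_services(registrations, permitted):
    """Given {service name: port as handed out by the portmapper}, return the
    services whose port the firewall does not permit, i.e. the ones that will
    fail with an RPC error even though port 111 itself is open."""
    return [(name, port) for name, port in registrations.items()
            if port and port not in permitted]

def simulate_lookup():
    """Walk the exchange for nfs and mountd with constructed replies and report
    which services a static rule set leaves unreachable."""
    # constructed fixture: nfs on its fixed port, mountd on a dynamic port
    fixture_ports = {"nfs": 2049, "mountd": 32771}
    programs = {"nfs": (NFS_PROG, 3), "mountd": (MOUNT_PROG, 1)}
    learned = {}
    for xid, (name, (prog, vers)) in enumerate(programs.items(), start=1):
        call = build_getport_call(xid, prog, vers, IPPROTO_UDP)
        assert len(call) == 56                     # 6 + 4 + 4 uint32 fields
        reply = build_getport_reply(xid, fixture_ports[name])
        learned[name] = parse_getport_reply(reply, xid)
    return unreachable_services(learned, PERMITTED_UDP_PORTS)

if __name__ == "__main__":
    for name, port in simulate_lookup():
        print("%s registered on UDP %d, which the firewall does not permit" % (name, port))
```

The practical point for a firewall administrator: opening 111 only lets the client complete the lookup; the follow-on connection goes to whatever port the portmapper returned, and for mountd (which showmount talks to) that port is not known in advance. Either the service has to be pinned to a fixed port on the server and that port opened, or the firewall has to inspect the portmapper reply and open the returned port dynamically, which is what the Sun RPC inspection referenced above does.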

