I would like to understand what configuration pieces need to be in place for SunRPC inspection to work properly. I have the following scenario: the NFS server is on a higher security interface, and the NFS clients are on a lower security interface. I have the default sunrpc inspection enabled on UDP port 111. Also, I added TCP port 111 inspection because I saw from capture information that the SUSE systems were using TCP instead of UDP for the port mapper process.

class-map SUNRPC-TCP
 match port tcp eq sunrpc
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect sunrpc
 class SUNRPC-TCP
  inspect sunrpc
!
service-policy global_policy global

Clients that use UDP can mount file shares, but the SUSE systems, which use TCP, cannot until I add the following command.
sunrpc-server High_Interface 10.1.1.1 255.255.255.255 service 100005 protocol TCP port 111 timeout 0:01:00
Inspecting the global service policy counters confirms that the SUNRPC-TCP class-map does not register any hit counts.

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: sunrpc, packet 208, drop 0, reset-drop 0
    Class-map: SUNRPC-TCP
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0

The rpcinfo command on the NFS server produces the following output (I removed program numbers that are irrelevant to this discussion):
Hi there, this is kind of a bump, since I'm also looking at an issue with SUNRPC, which doesn't work under inspection, but we have to use 1-1 NAT, so I suspect there's no way around this, unfortunately.

I was hoping that someone who might be able to answer frame6500's questions might also be able to advise whether this will ever work, and if not, why not?

I can provide specific info on my issue if required; however, the basic config is that two sets of servers communicate using SUNRPC and the return traffic is denied, even though all we've done for configuration is enable SUNRPC inspection on the default inspection traffic. NAT is configured also.
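To make the symptom in frame6500's post checkable, here is an added helper (not code from either poster or from Cisco) that parses the two pieces of evidence the thread relies on: the `show service-policy` counters, to flag sunrpc classes that have seen zero packets, and `rpcinfo -p` output from the NFS server, to list every program that registers over TCP and emit one static `sunrpc-server` entry per program in the same form as the command that made the SUSE clients work. The `rpcinfo` sample is constructed for the example, since the post's own output is not on the page; the interface name and server address are taken from the post; and the `port 111` argument simply mirrors the posted command, its exact semantics on the ASA are an assumption here.

```python
import re

# Constructed sample of `rpcinfo -p` on the NFS server (not the post's output,
# which is absent from the page). 100005 is mountd, the program the posted
# sunrpc-server line refers to; 100000 is the portmapper itself.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp  32769  mountd
    100005    1   tcp  32803  mountd
    100005    3   tcp  32803  mountd
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   tcp  32804  nlockmgr
    100021    1   udp  32770  nlockmgr
"""

# The `show service-policy` excerpt from the post, one field per line.
SAMPLE_SERVICE_POLICY = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: sunrpc, packet 208, drop 0, reset-drop 0
    Class-map: SUNRPC-TCP
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
"""

PORTMAPPER = 100000


def parse_rpcinfo(text):
    """Parse `rpcinfo -p` rows into (program, version, proto, port, name)."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$", line)
        if m:
            prog, vers, proto, port, name = m.groups()
            rows.append((int(prog), int(vers), proto, int(port), name))
    return rows


def parse_sunrpc_counters(text):
    """Map each class-map name to the packet count on its sunrpc inspect line."""
    counters = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*Class-map:\s+(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*Inspect:\s+sunrpc,\s+packet\s+(\d+)", line)
        if m and current is not None:
            counters[current] = int(m.group(1))
    return counters


def idle_sunrpc_classes(text):
    """Class-maps whose sunrpc inspect has seen no packets (the posted symptom)."""
    return sorted(n for n, pkts in parse_sunrpc_counters(text).items() if pkts == 0)


def tcp_rpc_programs(rows):
    """Programs other than the portmapper that are registered over TCP."""
    return {prog: name for prog, _v, proto, _p, name in rows
            if proto == "tcp" and prog != PORTMAPPER}


def sunrpc_server_lines(rows, interface, server_ip, timeout="0:01:00"):
    """One static entry per TCP program, in the form of the command that worked
    in the post (port 111 mirrors that command; assumption, not verified here)."""
    return [
        f"sunrpc-server {interface} {server_ip} 255.255.255.255 "
        f"service {prog} protocol TCP port 111 timeout {timeout}"
        for prog in sorted(tcp_rpc_programs(rows))
    ]


if __name__ == "__main__":
    print("sunrpc classes with zero hits:", idle_sunrpc_classes(SAMPLE_SERVICE_POLICY))
    for cmd in sunrpc_server_lines(parse_rpcinfo(SAMPLE_RPCINFO), "High_Interface", "10.1.1.1"):
        print(cmd)
```

Run it against the real `rpcinfo -p` and `show service-policy` output instead of the samples; a class with zero hits while clients are actively mounting is the signal that the inspection engine never saw the TCP portmapper exchange, which is when the static entries are worth trying.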