Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

How do I get nfs to work with PIX 6.1(3) ?

I have problems to get nfs ( special mountd ) through a PIX. The nfs host is in a test segment which is separated from our intranet with a PIX. Our default policy is to disallow anything, except of some protocolls (ports) to defined hosts (this is true for any direction).

Now I got a problem with nfs setup. I know I need rules for nfs (tcp /udp 2049) and for portmapper (tcp/udp sunrpc/111) and for mountd and statd. Problem with mountd and statd is, that they do not have fixed port numbers. How can I configure this? I thought the PIX inspects the portmapper traffic and helps me to define dynamic rules for the needed ports, but this seems to be wrong.


Any idea what I can do ? I hate the idea to open the firewall for large port ranges.

Regards Peter


Re: How do I get nfs to work with PIX 6.1(3) ?


I have no experience with NFS, but the pix only inspects port negatiations for the following protocols (the "fixup" command is used for this):

fixup protocol ftp [strict] [port]

fixup protocol http [port[-port]

fixup protocol h323 {h225 | ras} port [-port]

fixup protocol ils [port[-port]]

fixup protocol rsh [514]

fixup protocol rtsp [port]

fixup protocol sip [5060]

fixup protocol skinny [2000]

fixup protocol smtp [port[-port]]

fixup protocol sqlnet [port[-port]]

fixup protocol skinny port [-port]

Kind Regards,


New Member

Re: How do I get nfs to work with PIX 6.1(3) ?

Yes, I also noticed this , but I was puzzeled from following line (out of write t):

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

So there is a timeout value for rpc. If the PIX does not notice the rpc protocoll, why is there a timeout ?

Out of the command reference for timeout:

... The timeout command sets the idle time for connection, translation UDP, RPC,...

So RPC is known.

If you check out the global command:

...PAT works with DNS, FTP, ..., RPC, rshell,...

So why is RPC mentioned ? I can not believe that only a simple connection to portmapper is the meaning of RPC.

Maybe somebody from CISCO can answer this question ?

Regards Peter