I have a problem that I need to solve. We have a 525 running version 6.11. We are trying to configure a very tight set of outgoing rules (incoming are tighter :)). Basically we have an NFS client on the inside interface and an NFS server on another interface (intf2). What we want to do is mount the NFS server from the client; now, because we have denied everything entering the inside interface except for a few things + sunrpc, it doesn't work.
I read in the 4.X doc that the PIX handles RPC transparently, but it doesn't seem to be working as well as I had hoped. Basically what I want to happen is for the PIX to see the RPC query for NFS services (mountd/nfsd) and open up ports through the PIX. Now we could just manually do it, but mountd doesn't ever bind to the same port (hence RPC/portmapper).
Can anyone give me some pointers, or is there a hidden fixup protocol that I've missed?
For SunRPC, PIX Firewall now dynamically listens to the incoming and outgoing portmapper or rpcbind RPC port and creates an incoming UDP or TCP connection to a specific internal host and port for the desired service. [CSCdk29475 and CSCdk25383]
To configure NFS for inbound use:
(a) Create a static to let the outside hosts access the inside server.
(b) Create a UDP conduit for the portmapper port, UDP port 111.
(c) Create a UDP conduit for the NFS port, UDP 2049.
PIX Firewall then manages the connection dynamically. Examples of the conduit statements are:
conduit permit udp host 184.108.40.206 eq 111 any
conduit permit udp host 220.127.116.11 eq 2049 any
A conduit for portmapper is necessary for the initial port discovery message to come to the internal network.
A conduit for the NFS port, UDP 2049, is necessary because NFS over UDP does not generate a "keep alive" message to keep the PIX Firewall from cleaning up idle UDP connections.
All dynamically negotiated ports will allow the specific outside host to connect back to only the specific port allowed by the internal portmapper.
Microsoft's MSRPC uses TCP port 135 and requires high ports 1024-65535 to be open. Examples of the conduit statements are:
conduit permit tcp host 18.104.22.168 eq 135 any
conduit permit tcp host 22.214.171.124 range 1024 65535 any
On SunRPC, you can test for RPC traffic with the UNIX rpcinfo -u command.
While there is not a fixup command for SunRPC, PIX Firewall handles it transparently.
But it doesn't work, and I'm using access-lists ???
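The dynamic port discovery the release note describes (listen to the portmapper GETPORT exchange, then permit only the port the internal portmapper returned, to that client and protocol alone) as a Python sketch. This is an added example, not Cisco's code or anything from this thread; the addresses, xids and the mountd port 32800 are constructed, and the wire layout follows RFC 5531 / portmapper v2.

```python
import struct

# Program numbers and constants from RFC 5531 and the portmapper (rpcbind v2) protocol.
PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT, IPPROTO_UDP = 100000, 2, 3, 17
RPC_PROGRAMS = {100003: "nfsd", 100005: "mountd"}

def build_getport_call(xid, prog, vers, proto):
    """RPC v2 CALL to portmapper GETPORT with AUTH_NONE credential and verifier."""
    hdr = struct.pack("!IIIIII", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    auth = struct.pack("!IIII", 0, 0, 0, 0)            # cred flavor/len, verf flavor/len
    args = struct.pack("!IIII", prog, vers, proto, 0)  # mapping: prog, vers, prot, port
    return hdr + auth + args

def build_getport_reply(xid, port):
    """Constructed MSG_ACCEPTED / SUCCESS reply whose single result is the registered port."""
    return struct.pack("!IIIIIII", xid, 1, 0, 0, 0, 0, port)

def _pad4(n):
    return (n + 3) // 4 * 4  # XDR opaque bodies are padded to a 4-byte boundary

class RpcInspector:
    """Tracks GETPORT calls by xid and records a pinhole only for the port the
    internal portmapper returns, bound to that client, server and protocol."""
    def __init__(self):
        self.pending = {}      # xid -> (client, server, prog, proto)
        self.pinholes = set()  # (client, server, proto, port) the firewall may permit

    def on_call(self, client, server, data):
        xid, mtype, rpcvers, prog, _vers, proc = struct.unpack("!IIIIII", data[:24])
        if mtype != 0 or rpcvers != 2 or prog != PMAP_PROG or proc != PMAPPROC_GETPORT:
            return None                                  # not port discovery: ignore
        off = 32 + _pad4(struct.unpack("!II", data[24:32])[1])         # skip credential
        off += 8 + _pad4(struct.unpack("!II", data[off:off + 8])[1])   # skip verifier
        wanted_prog, _wv, proto, _p = struct.unpack("!IIII", data[off:off + 16])
        self.pending[xid] = (client, server, wanted_prog, proto)
        return RPC_PROGRAMS.get(wanted_prog, str(wanted_prog))

    def on_reply(self, data):
        xid, mtype, reply_stat, _vf, vlen = struct.unpack("!IIIII", data[:20])
        if mtype != 1 or reply_stat != 0 or xid not in self.pending:
            return None
        off = 20 + _pad4(vlen)
        accept_stat, port = struct.unpack("!II", data[off:off + 8])
        client, server, _prog, proto = self.pending.pop(xid)
        if accept_stat != 0 or port == 0:
            return None                                  # program not registered: open nothing
        hole = (client, server, proto, port)
        self.pinholes.add(hole)
        return hole
```

A reply whose xid was never seen as a call, or that reports port 0, opens nothing, which is the behaviour a stateful RPC fixup needs so that an arbitrary host cannot talk the firewall into a pinhole.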