Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

RPC Connection tracking on PIX 6.1x

Hi Everyone,

I have a problem that i need to solve. We have a 525 running version 6.11. We are trying to configure a very tight set of outgoing rules (incoming are tighter :)). Basically we have a NFS client on the inside interface and a NFS server on another interface (intf2). What we want todo is mount the NFS server from the client, now because we have denied everything entering the inside interface except for a few things + sunrpc it doesn't work.

I read in the 4.X doc that the PIX handles RPC transparently, but it doesn't seem to be working as well as i had hoped. Basically what i want to happen is the PIX to see the RPC query for NFS services (mountd/nfsd) and open up ports through the PIX. Now we could just manually do it, but mountd doesn't ever bind to the same port (hence RPC/portmapper).

Can anyone give me some pointers or is there a hidden fixup protocol that ive missed?

Cheers

Dave

4 REPLIES
New Member

Re: RPC Connection tracking on PIX 6.1x

Are you permitting inbound rpc to the server IP?

New Member

Re: RPC Connection tracking on PIX 6.1x

Yes.

When I look at the firewall logs i can see the NFS client trying to connect to

the NFS server on the dynamic port, however i would have thought that the PIX would have "remembered" this RPC query and allowed the traffic through.

New Member

Re: RPC Connection tracking on PIX 6.1x

Here is some more information fresh from Cisco's website:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v42/pixrn420.htm

--snip--

RPC Use

For SunRPC, PIX Firewall now dynamically listens to the incoming and outgoing portmapper or rpcbind RPC port and creates an incoming UDP or TCP connection to a specific internal host and port for the desired service. [CSCdk29475 and CSCdk25383]

To configure NFS for inbound use:

(a) Create a static to let the outside hosts access the inside server.

(b) Create a UDP conduit for the portmapper port, UDP port 111.

(c) Create a UDP conduit for the NFS port, UDP 2049.

PIX Firewall then manages the connection dynamically. Examples of the conduit statements are:

conduit permit udp host 204.31.17.1 eq 111 any

conduit permit udp host 204.31.17.1 eq 2049 any

Notes:

A conduit for portmapper is necessary for the initial port discovery message to come to the internal network.

A conduit for NFS 2049 port is necessary because NFS over UDP does not generate a "keep alive" message to keep the PIX Firewall from cleaning idle UDP connection.

All dynamically negotiated ports will allow the specific outside host to connect back to only the specific port allowed by the internal portmapper.

Microsoft's MSRPC uses TCP port 135 and requires high ports 1024-65535 to be open. Examples of the conduit statements are:

conduit permit tcp host 204.31.17.1 eq 135 any

conduit permit tcp host 204.31.17.1 range 1024 65535 any

On SunRPC, you can test for RPC traffic with the UNIX rpcinfo -u command.

While there is not a fixup command for SunRPC, PIX Firewall handles it transparently.

But it doesn't work, and im using access-lists ???

Dave

New Member

Re: RPC Connection tracking on PIX 6.1x

Do any of the Cisco bods know?

322
Views
0
Helpful
4
Replies
CreatePlease to create content