13-21
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 13 Configuring Application Protocol Inspection
Detailed Information About Inspection Engines
Sun RPC Inspection Engine
Enabled by default for UDP port 111
Sun Remote Procedure Call (RPC) is used by many services, for example, Network File System (NFS)
and Network Information Service (NIS).
Sun RPC services can run on any port on the system. When a client attempts to access an RPC service
on a server, it must find out which port that service is running on. It does this by querying the portmapper
process on the well-known port of 111.
The client sends the RPC program number of the service, and gets back the port number. From this point
on, the client program sends its RPC queries to that new port.
When a server sends out a reply, the FWSM intercepts this packet and opens both embryonic TCP and
UDP connections on that port for a short period of time. After the client connects to the port and makes
a full connection, the embryonic connection goes away. For additional connections from the client to the
port, the client must repeat the portmapper process. Alternatively, you can configure the FWSM to keep
the embryonic connections open for a longer period of time so that clients can use cached port numbers
and do not have to repeat the portmapper process. This method is required for Sun RPC over TCP; only
the default inspection for UDP uses the above method. See the rpc-server command below.
NAT or PAT of RPC payload information is not supported. Use NAT exemption or identity NAT.
• To configure the Sun RPC inspection engine for TCP, enter the following command:
FWSM/contexta(config)# fixup protocol rpc [port[-port]]
The default port is 111 (TCP). You must also configure the rpc-server command (below). The UDP
inspection engine is on by default and is not configurable.
• To allow clients to use cached port numbers for Sun RPC services (such as NFS or NIS), enter the
following command:
FWSM/contexta(config)# rpc-server interface_name ip_address mask service service_type protocol {tcp | udp} port[-port] timeout hh:mm:ss
After a client initially connects to a server running a Sun RPC service, the client might cache the
Sun RPC port information supplied by the portmapper process. Additional connections from the
client might use these cached ports. This command allows clients to use cached port numbers for
the duration of the specified timeout rather than have to re-request the port numbers from the
portmapper process. This command is required for Sun RPC over TCP.
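The portmapper exchange and pinhole behaviour described above, modelled in Python as an added example (not FWSM code and not from the Cisco guide): it parses a GETPORT call and its reply in RFC 1057 layout, remembers the call by transaction id, and when the reply arrives opens a pinhole for the returned port that expires after a short embryonic lifetime, or after the longer timeout of a matching rpc-server entry. The 10-second embryonic lifetime, the RpcInspector class, the rpc_server_timeouts shape and the sample addresses are assumptions of this model, not documented FWSM values.

```python
import struct

PMAP_PORT, PMAP_PROG, PMAP_VERS, GETPORT = 111, 100000, 2, 3
EMBRYONIC_TTL = 10.0  # assumed short lifetime of the default UDP pinhole; not a documented value

def _skip_auth(buf, off):
    # RPC auth field: flavor, body length, opaque body padded to a 4-byte boundary.
    return off + 8 + ((struct.unpack_from("!I", buf, off + 4)[0] + 3) & ~3)
# Constructed sample messages in RFC 1057 layout with AUTH_NULL credentials and verifier.
def build_getport_call(xid, prog, vers, proto):
    return struct.pack("!14I", xid, 0, 2, PMAP_PROG, PMAP_VERS, GETPORT, 0, 0, 0, 0, prog, vers, proto, 0)
def build_getport_reply(xid, port):  # MSG_ACCEPTED, AUTH_NULL verifier, SUCCESS, port
    return struct.pack("!7I", xid, 1, 0, 0, 0, 0, port)

def parse_getport_call(buf):
    """(xid, prog, proto) of a portmapper v2 GETPORT call, else None."""
    if len(buf) < 40 or struct.unpack_from("!5I", buf, 4) != (0, 2, PMAP_PROG, PMAP_VERS, GETPORT):
        return None  # too short, or not a CALL / RPC v2 / portmapper v2 GETPORT
    off = _skip_auth(buf, _skip_auth(buf, 24))  # skip credentials, then verifier
    if len(buf) < off + 16:
        return None
    want_prog, _vers, proto, _port = struct.unpack_from("!4I", buf, off)
    return struct.unpack_from("!I", buf)[0], want_prog, proto

def parse_getport_reply(buf):
    """(xid, port) of an accepted, successful reply naming a registered port, else None."""
    if len(buf) < 20 or struct.unpack_from("!II", buf, 4) != (1, 0):  # REPLY, MSG_ACCEPTED
        return None
    off = _skip_auth(buf, 12)  # skip the verifier
    if len(buf) < off + 8:
        return None
    accept_stat, port = struct.unpack_from("!II", buf, off)
    return (struct.unpack_from("!I", buf)[0], port) if accept_stat == 0 and port != 0 else None

class RpcInspector:
    def __init__(self, rpc_server_timeouts=None):  # {(server, prog, proto): rpc-server timeout}
        self.timeouts, self.pending, self.pinholes = rpc_server_timeouts or {}, {}, {}
    def on_call(self, client, server, dport, buf):
        parsed = parse_getport_call(buf) if dport == PMAP_PORT else None
        if parsed:
            self.pending[parsed[0]] = (client, server, parsed[1], parsed[2])  # keyed by xid
    def on_reply(self, sport, buf, now):
        parsed = parse_getport_reply(buf) if sport == PMAP_PORT else None
        if not parsed or parsed[0] not in self.pending:
            return None
        client, server, prog, proto = self.pending.pop(parsed[0])
        ttl = self.timeouts.get((server, prog, proto), EMBRYONIC_TTL)
        self.pinholes[(client, server, proto, parsed[1])] = now + ttl
        return parsed[1]
    def allows(self, client, server, proto, port, now):
        return now < self.pinholes.get((client, server, proto, port), float("-inf"))
```

A reply whose xid was never seen as a call to port 111, or whose port is 0 (program not registered), opens nothing.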
TFTP Inspection Engine
Enabled by default for UDP port 69
Not Configurable
The FWSM permits all UDP connections from a TFTP server back to a client source port if there is an
existing TFTP connection between the server and client.
