Cisco ASA Series Firewall CLI Configuration Guide
Chapter 9 Inspection of Database and Directory Protocols
SQL*Net Version 2 TNSFrames, Redirect, and Data packets will be scanned for ports to open and addresses to NAT if preceded by a REDIRECT TNSFrame type with a zero data length for the payload. When the Redirect message with data length zero passes through the ASA, a flag will be set in the connection data structure to expect the Data or Redirect message that follows to be translated and ports to be dynamically opened. If one of the TNS frames in the preceding paragraph arrives after the Redirect message, the flag will be reset.
The SQL*Net inspection engine will recalculate the checksum, change IP and TCP lengths, and readjust Sequence Numbers and Acknowledgment Numbers using the delta of the length of the new and old message.
SQL*Net Version 1 is assumed for all other cases. TNSFrame types (Connect, Accept, Refuse, Resend, Marker, Redirect, and Data) and all packets will be scanned for ports and addresses. Addresses will be translated and port connections will be opened.
For information on enabling SQL*Net inspection, see Configure Application Layer Protocol Inspection.
Sun RPC Inspection
This section describes Sun RPC application inspection.
• Sun RPC Inspection Overview, page 9-3
• Managing Sun RPC Services, page 9-4
• Verifying and Monitoring Sun RPC Inspection, page 9-4
Sun RPC Inspection Overview
The Sun RPC inspection engine enables or disables application inspection for the Sun RPC protocol. Sun RPC is used by NFS and NIS. Sun RPC services can run on any port. When a client attempts to access a Sun RPC service on a server, it must learn the port that service is running on. It does this by querying the port mapper process, usually rpcbind, on the well-known port of 111.
The client sends the Sun RPC program number of the service and the port mapper process responds with the port number of the service. The client sends its Sun RPC queries to the server, specifying the port identified by the port mapper process. When the server replies, the ASA intercepts this packet and opens both embryonic TCP and UDP connections on that port.
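The port mapper exchange described above, as an added illustration that is not part of this guide or of the ASA code: it parses a constructed PMAPPROC_GETPORT call and its reply (RFC 1057 wire format, AUTH_NULL credentials) and derives the server address, protocol, and port that an inspection engine would have to open. The `pinhole_for` function, the sample messages, and the server address 10.0.0.5 are assumptions made for this example.

```python
import struct

PORTMAP_PROG, PORTMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
IPPROTO_TCP, IPPROTO_UDP = 6, 17
CALL, REPLY, MSG_ACCEPTED, SUCCESS = 0, 1, 0, 0

def parse_getport_call(data):
    """Parse an RPC call; return the program/version/protocol being looked up, or None."""
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from("!6I", data, 0)
    if mtype != CALL or rpcvers != 2:
        return None
    if (prog, vers, proc) != (PORTMAP_PROG, PORTMAP_VERS, PMAPPROC_GETPORT):
        return None
    off = 24
    for _ in range(2):  # skip credential and verifier opaque_auth (flavor, length, padded body)
        _flavor, length = struct.unpack_from("!2I", data, off)
        off += 8 + ((length + 3) & ~3)
    target_prog, target_vers, proto, _port = struct.unpack_from("!4I", data, off)
    return {"xid": xid, "prog": target_prog, "vers": target_vers, "proto": proto}

def parse_getport_reply(data):
    """Parse an accepted RPC reply; return the port rpcbind answered with, or None."""
    xid, mtype, reply_stat = struct.unpack_from("!3I", data, 0)
    if mtype != REPLY or reply_stat != MSG_ACCEPTED:
        return None
    _flavor, vlen = struct.unpack_from("!2I", data, 12)  # verifier opaque_auth
    accept_stat, port = struct.unpack_from("!2I", data, 20 + ((vlen + 3) & ~3))
    return {"xid": xid, "port": port} if accept_stat == SUCCESS else None

def pinhole_for(call_bytes, reply_bytes, server_ip):
    """Return (server_ip, proto, port, program) to open, or None when no pinhole is warranted."""
    call, reply = parse_getport_call(call_bytes), parse_getport_reply(reply_bytes)
    if call is None or reply is None or call["xid"] != reply["xid"]:
        return None  # unmatched or malformed exchange: open nothing
    if reply["port"] == 0:
        return None  # port 0 means the program is not registered on this server
    proto = {IPPROTO_TCP: "tcp", IPPROTO_UDP: "udp"}.get(call["proto"])
    return (server_ip, proto, reply["port"], call["prog"]) if proto else None

def build_getport_call(xid, prog, vers, proto):
    hdr = struct.pack("!6I", xid, CALL, 2, PORTMAP_PROG, PORTMAP_VERS, PMAPPROC_GETPORT)
    auth_null = struct.pack("!2I", 0, 0) * 2  # AUTH_NULL credential and verifier
    return hdr + auth_null + struct.pack("!4I", prog, vers, proto, 0)

def build_getport_reply(xid, port):
    return struct.pack("!3I", xid, REPLY, MSG_ACCEPTED) + struct.pack("!4I", 0, 0, SUCCESS, port)

# Constructed sample: client asks where NFS v3 (program 100003) listens over TCP; rpcbind says 2049.
SAMPLE_CALL = build_getport_call(0x1234, 100003, 3, IPPROTO_TCP)
SAMPLE_REPLY = build_getport_reply(0x1234, 2049)

if __name__ == "__main__":
    print(pinhole_for(SAMPLE_CALL, SAMPLE_REPLY, "10.0.0.5"))  # ('10.0.0.5', 'tcp', 2049, 100003)
```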
Tip
Sun RPC inspection is enabled by default. You simply need to manage the Sun RPC server table to identify which services are allowed to traverse the firewall. For information on enabling Sun RPC inspection, see Configure Application Layer Protocol Inspection, page 6-9.
The following limitations apply to Sun RPC inspection:
• NAT or PAT of Sun RPC payload information is not supported.
• Sun RPC inspection supports inbound ACLs only. Sun RPC inspection does not support outbound ACLs because the inspection engine uses dynamic ACLs instead of secondary connections. Dynamic ACLs are always added on the ingress direction and not on egress; therefore, this inspection engine does not support outbound ACLs. To view the dynamic ACLs configured for the ASA, use the show asp table classify domain permit command.