Sun RPC Inspection
• Sun RPC Inspection Overview
• Verifying and Monitoring Sun RPC Inspection, page 22-102
To enable Sun RPC application inspection or to change the ports to which the FWSM listens, use the inspect sunrpc command in policy map class configuration mode, which is accessible by using the class command within policy map configuration mode. To remove the configuration, use the no form of this command.
The inspect sunrpc command enables or disables application inspection for the Sun RPC protocol. Sun RPC is used by NFS and NIS. Sun RPC services can run on any port. When a client attempts to access a Sun RPC service on a server, it must learn the port on which that service is running. It does this by querying the port mapper process, usually rpcbind, on the well-known port of 111.
The client sends the Sun RPC program number of the service, and the port mapper process responds with the port number of the service. The client then sends its Sun RPC queries to the server, specifying the port identified by the port mapper process. When the server replies, the FWSM intercepts this packet and opens both embryonic TCP and UDP connections on that port.
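The following Python is an added illustration, not code from the Cisco guide or the FWSM: it shows what an inspection engine must do with the exchange described above, namely parse the client's GETPORT call and the port mapper's reply, pair them by XID, and derive the single dynamic port for which a pinhole is opened (rejecting mismatched, failed or unregistered lookups). Message layouts and constants follow RFC 5531 and RFC 1833; the sample call and reply are constructed here, and the function names are the example's own.

```python
import struct

# Sun RPC / port mapper constants (RFC 5531, RFC 1833).
PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
CALL, REPLY, MSG_ACCEPTED, SUCCESS = 0, 1, 0, 0

def build_getport_call(xid, prog, vers, prot):
    # Constructed sample: GETPORT call with AUTH_NULL credential and verifier (flavor 0, length 0).
    hdr = struct.pack(">6I", xid, CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    return hdr + struct.pack(">4I", 0, 0, 0, 0) + struct.pack(">4I", prog, vers, prot, 0)

def build_getport_reply(xid, port):
    # Constructed sample: accepted, successful reply (AUTH_NULL verifier) carrying the port.
    return struct.pack(">7I", xid, REPLY, MSG_ACCEPTED, 0, 0, SUCCESS, port)

def _skip_opaque_auth(data, off):
    # Skip one opaque_auth (flavor, length, body padded to 4 bytes); None if truncated.
    if off is None or len(data) < off + 8:
        return None
    length = struct.unpack(">I", data[off + 4:off + 8])[0]
    return off + 8 + ((length + 3) & ~3)

def parse_getport_call(data):
    # Return (xid, prog, vers, prot) if data is a port mapper GETPORT call, else None.
    off = _skip_opaque_auth(data, _skip_opaque_auth(data, 24))  # credential, then verifier
    if off is None or len(data) < off + 16:
        return None
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack(">6I", data[:24])
    if (mtype, rpcvers, prog, vers, proc) != (CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT):
        return None
    sprog, svers, sprot, _ = struct.unpack(">4I", data[off:off + 16])
    return xid, sprog, svers, sprot

def parse_getport_reply(data):
    # Return (xid, port) from an accepted, successful reply, else None.
    off = _skip_opaque_auth(data, 12)  # verifier follows xid, msg_type, reply_stat
    if off is None or len(data) < off + 8:
        return None
    xid, mtype, rstat = struct.unpack(">3I", data[:12])
    astat, port = struct.unpack(">II", data[off:off + 8])
    return (xid, port) if (mtype, rstat, astat) == (REPLY, MSG_ACCEPTED, SUCCESS) else None

def derive_pinhole(call, reply):
    # Pair the reply with its call by XID; return (prog, vers, prot, port) for the pinhole the
    # inspection engine opens (the FWSM opens TCP and UDP on that port). None on mismatch,
    # RPC error, or port 0 (program not registered), so nothing is opened for those.
    c, r = parse_getport_call(call), parse_getport_reply(reply)
    if c is None or r is None or c[0] != r[0] or not 0 < r[1] <= 65535:
        return None
    return c[1], c[2], c[3], r[1]
```

Only a reply that the engine can tie to an outstanding call, and that actually names a port, results in a pinhole; everything else is dropped without opening anything.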
Note
NAT or PAT of Sun RPC payload information is not supported.
Enabling and Configuring Sun RPC Inspection
Sun RPC inspection is enabled by default.
Note
To enable or configure Sun RPC inspection over UDP, you do not have to define a separate traffic class or a new policy map. You simply add the inspect sunrpc command into a policy map whose traffic class is defined by the default traffic class. An example of this configuration is shown in Example 22-16 on page 22-102.
To enable Sun RPC inspection or change the default port used for receiving Sun RPC traffic using TCP, perform the following steps:
Step 1 Determine the port or ports that the port mapper process listens to. While this is most often port 111, it can differ between operating systems and implementations.
Step 2 Create a class map or modify an existing class map to identify Sun RPC traffic. Use the class-map command to do so, as follows:
hostname(config)# class-map class_map_name
hostname(config-cmap)#
where class_map_name is the name of the traffic class. When you enter the class-map command, the CLI enters class map configuration mode.
Step 3 Use a match command to identify traffic sent to the port or ports that you determined in Step 1.
If the port mapper process listens to a single port, you can use the match port command to identify traffic sent to that port, as follows:
hostname(config-cmap)# match port tcp eq port_number
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
Chapter 22 Applying Application Layer Protocol Inspection
22-100
OL-20748-01