45-3
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter45 Configuring Inspection of Database and Directory Protocols
Sun RPC Inspection
SQL*Net Version 2 TNSFrame types (Connect, Accept, Refuse, Resend, and Marker) will not be
scanned for addresses to NAT nor will inspection open dynamic connections for any embedded ports in
the packet.
SQL*Net Version 2 TNSFrames, Redirect, and Data packets will be scanned for ports to open and
addresses to NAT, if preceded by a REDIRECT TNSFrame type with a zero data length for the payload.
When the Redirect message with data length zero passes through the ASA, a flag will be set in the
connection data structure to expect the Data or Redirect message that follows to be translated and ports
to be dynamically opened. If one of the TNS frames in the preceding paragraph arrive after the Redirect
message, the flag will be reset.
The SQL*Net inspection engine will recalculate the checksum, change IP, TCP lengths, and readjust
Sequence Numbers and Acknowledgment Numbers using the delta of the length of the new and old
message.
SQL*Net Version 1 is assumed for all other cases. TNSFrame types (Connect, Accept, Refuse, Resend,
Marker, Redirect, and Data) and all packets will be scanned for ports and addresses. Addresses will be
translated and port connections will be opened.
Sun RPC Inspection
This section describes Sun RPC application inspection. This section includes the following topics:
Sun RPC Inspection Overview, page45-3
Managing Sun RPC Services, page 45-4
Verifying and Monitoring Sun RPC Inspection, page45-4

Sun RPC Inspection Overview

The Sun RPC inspection engine enables or disables application inspection for the Sun RPC protocol. Sun
RPC is used by NFS and NIS. Sun RPC services can run on any port. When a client attempts to access
an Sun RPC service on a server, it must learn the port that service is running on. It does this by querying
the port mapper process, usually rpcbind, on the well-known port of 111.
The client sends the Sun RPC program number of the service and the port mapper process responds with
the port number of the service. The client sends its Sun RPC queries to the server, specifying the port
identified by the port mapper process. When the server replies, the ASA intercepts this packet and opens
both embryonic TCP and UDP connections on that port.
When you configure dynamic access lists on the ASA, they are supported on the ingress direction only
and the ASA drops egress traffic destined to dynamic ports. Therefore, Sun RPC inspection implements
a pinhole mechanism to support egress traffic. Sun RPC inspection uses this pinhole mechanism to
support outbound dynamic access lists.
To view the dynamic access lists configured for the ASA, use the show asp table classify domain
permit command. For information about the show asp table classify domain permit command, see the
CLI configuration guide.
Note Sun RPC inspection has the limitation that NAT or PAT of Sun RPC payload information is not
supported.