Cisco Systems ASA 5545-X, ASA 5555-X, ASA 5580, ASA 5585-X, ASA Services Module, ASA 5505 Sun RPC Inspection

13-3

Cisco ASA Series Firewall ASDM Configuration Guide

Chapter13 Configuring Inspection of Database and Directory Protocols

Sun RPC Inspection

SQL*Net Version 2 TNSFrame types (Connect, Accept, Refuse, Resend, and Marker) will not be

scanned for addresses to NAT nor will inspection open dynamic connections for any embedded ports in

the packet.

SQL*Net Version 2 TNSFrames, Redirect, and Data packets will be scanned for ports to open and

addresses to NAT, if preceded by a REDIRECT TNSFrame type with a zero data length for the payload.

When the Redirect message with data length zero passes through the ASA, a flag will be set in the

connection data structure to expect the Data or Redirect message that follows to be translated and ports

to be dynamically opened. If one of the TNS frames in the preceding paragraph arrive after the Redirect

message, the flag will be reset.

The SQL*Net inspection engine will recalculate the checksum, change IP, TCP lengths, and readjust

Sequence Numbers and Acknowledgment Numbers using the delta of the length of the new and old

message.

SQL*Net Version 1 is assumed for all other cases. TNSFrame types (Connect, Accept, Refuse, Resend,

Marker, Redirect, and Data) and all packets will be scanned for ports and addresses. Addresses will be

translated and port connections will be opened.

Sun RPC Inspection

This section describes Sun RPC application inspection. This section includes the following topics:

•Sun RPC Inspection Overview, page13-3

•“SUNRPC Server” section on page13-3

•“Add/Edit SUNRPC Service” section on page13-4

The Sun RPC inspection engine enables or disables application inspection for the Sun RPC protocol. Sun

RPC is used by NFS and NIS. Sun RPC services can run on any port. When a client attempts to access

an Sun RPC service on a server, it must learn the port that service is running on. It does this by querying

the port mapper process, usually rpcbind, on the well-known port of 111.

The client sends the Sun RPC program number of the service and the port mapper process responds with

the port number of the service. The client sends its Sun RPC queries to the server, specifying the port

identified by the port mapper process. When the server replies, the ASA intercepts this packet and opens

both embryonic TCP and UDP connections on that port.

The following limitations apply to Sun RPC inspection:

•NAT or PAT of Sun RPC payload information is not supported.

•Sun RPC inspection supports inbound ACLs only. Sun RPC inspection does not support outbound

ACLs because the inspection engine uses dynamic ACLs instead of secondary connections.

Dynamic ACLs are always added on the ingress direction and not on egress; therefore, this

inspection engine does not support outbound ACLs. To view the dynamic ACLs configured for the

ASA, use the show asp table classify domain permit command. For information about the show

asp table classify domain permit command, see the CLI configuration guide.

Configuration> Properties > SUNRPC Server

Cisco Systems Sun RPC Inspection