Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 45 Configuring Inspection of Database and Directory Protocols
SQL*Net Version 2 TNSFrame types (Connect, Accept, Refuse, Resend, and Marker) will not be scanned for addresses to NAT, nor will inspection open dynamic connections for any embedded ports in the packet.

SQL*Net Version 2 TNSFrames, Redirect, and Data packets will be scanned for ports to open and addresses to NAT if preceded by a REDIRECT TNSFrame type with a zero data length for the payload. When the Redirect message with data length zero passes through the ASA, a flag will be set in the connection data structure to expect the Data or Redirect message that follows to be translated and ports to be dynamically opened. If one of the TNS frames listed in the preceding paragraph arrives after the Redirect message, the flag will be reset.

The SQL*Net inspection engine will recalculate the checksum, change the IP and TCP lengths, and readjust the Sequence Numbers and Acknowledgment Numbers using the delta of the length of the new and old message.

SQL*Net Version 1 is assumed for all other cases. TNSFrame types (Connect, Accept, Refuse, Resend, Marker, Redirect, and Data) and all packets will be scanned for ports and addresses. Addresses will be translated and port connections will be opened.
Sun RPC Inspection
This section describes Sun RPC application inspection. This section includes the following topics:
• Sun RPC Inspection Overview, page 45-3
• Managing Sun RPC Services, page 45-4
• Verifying and Monitoring Sun RPC Inspection, page 45-4
Sun RPC Inspection Overview
The Sun RPC inspection engine enables or disables application inspection for the Sun RPC protocol. Sun RPC is used by NFS and NIS. Sun RPC services can run on any port. When a client attempts to access a Sun RPC service on a server, it must learn the port that service is running on. It does this by querying the port mapper process, usually rpcbind, on the well-known port of 111.

The client sends the Sun RPC program number of the service, and the port mapper process responds with the port number of the service. The client then sends its Sun RPC queries to the server, specifying the port identified by the port mapper process. When the server replies, the ASA intercepts this packet and opens both embryonic TCP and UDP connections on that port.
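As an added example (not part of the Cisco guide), the following Python parses the port mapper GETPORT call and its reply as described above and derives the server port that an inspection engine would have to open; the packet bytes, transaction id and server address are constructed for illustration.

```python
import struct

# RFC 5531 / port mapper constants
PORTMAP_PROG = 100000
PMAPPROC_GETPORT = 3
CALL, REPLY = 0, 1
IPPROTO = {6: "tcp", 17: "udp"}

def parse_getport_call(data: bytes) -> dict:
    """Parse an RPCv2 CALL to the port mapper's GETPORT procedure and return
    which program/version/protocol the client is asking about."""
    if len(data) < 56:
        raise ValueError("short RPC call")
    xid, msg_type, rpcvers, prog, vers, proc = struct.unpack(">6I", data[:24])
    if msg_type != CALL or rpcvers != 2:
        raise ValueError("not an RPCv2 CALL")
    if prog != PORTMAP_PROG or proc != PMAPPROC_GETPORT:
        raise ValueError("not a port mapper GETPORT call")
    off = 24
    for _ in range(2):  # skip credential and verifier (flavor, length, padded body)
        _flavor, length = struct.unpack(">II", data[off:off + 8])
        off += 8 + ((length + 3) & ~3)
    target_prog, target_vers, proto, _port = struct.unpack(">4I", data[off:off + 16])
    return {"xid": xid, "prog": target_prog, "vers": target_vers,
            "proto": IPPROTO.get(proto, str(proto))}

def parse_getport_reply(data: bytes, xid: int) -> int:
    """Parse the matching REPLY and return the port the service listens on (0 = not registered)."""
    r_xid, msg_type, reply_stat = struct.unpack(">3I", data[:12])
    if r_xid != xid or msg_type != REPLY or reply_stat != 0:  # 0 = MSG_ACCEPTED
        raise ValueError("reply does not match or was denied")
    _flavor, vlen = struct.unpack(">II", data[12:20])
    off = 20 + ((vlen + 3) & ~3)
    accept_stat, port = struct.unpack(">2I", data[off:off + 8])
    if accept_stat != 0:  # 0 = SUCCESS
        raise ValueError(f"accept_stat {accept_stat}")
    return port

def pinhole_from_exchange(call: bytes, reply: bytes, server_ip: str) -> dict:
    """What inspection learns from the exchange: the server port that must be opened.
    (The ASA text says it opens both TCP and UDP on that port; the requested proto is kept for reference.)"""
    req = parse_getport_call(call)
    return {"dst": server_ip, "dport": parse_getport_reply(reply, req["xid"]),
            "prog": req["prog"], "proto": req["proto"]}

# Constructed sample: client asks where NFS (program 100003, v3, TCP) lives; rpcbind answers 2049.
CALL_PKT = (struct.pack(">6I", 0x1234ABCD, CALL, 2, PORTMAP_PROG, 2, PMAPPROC_GETPORT)
            + struct.pack(">4I", 0, 0, 0, 0) + struct.pack(">4I", 100003, 3, 6, 0))
REPLY_PKT = struct.pack(">3I", 0x1234ABCD, REPLY, 0) + struct.pack(">4I", 0, 0, 0, 2049)

if __name__ == "__main__":
    print(pinhole_from_exchange(CALL_PKT, REPLY_PKT, "192.0.2.10"))  # constructed server address
```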
When you configure dynamic access lists on the ASA, they are supported on the ingress direction only, and the ASA drops egress traffic destined to dynamic ports. Therefore, Sun RPC inspection implements a pinhole mechanism to support egress traffic. Sun RPC inspection uses this pinhole mechanism to support outbound dynamic access lists.

To view the dynamic access lists configured for the ASA, use the show asp table classify domain permit command. For information about the show asp table classify domain permit command, see the CLI configuration guide.
Note: Sun RPC inspection has the limitation that NAT or PAT of Sun RPC payload information is not supported.