Managing sun rpc services, Verifying and monitoring sun rpc inspection – Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 45 Configuring Inspection of Database and Directory Protocols

Sun RPC Inspection

Managing Sun RPC Services

Use the Sun RPC services table to control Sun RPC traffic through the ASA based on established Sun
RPC sessions. To create entries in the Sun RPC services table, use the sunrpc-server command in global
configuration mode:

hostname(config)# sunrpc-server interface_name ip_address mask service service_type protocol {tcp | udp} port[-port] timeout hh:mm:ss

You can use this command to specify the timeout after which the pinhole that was opened by Sun RPC
application inspection will be closed. For example, to create a timeout of 30 minutes to the Sun RPC
server with the IP address 192.168.100.2, enter the following command:

hostname(config)# sunrpc-server inside 192.168.100.2 255.255.255.255 service 100003 protocol tcp 111 timeout 00:30:00

This command specifies that the pinhole that was opened by Sun RPC application inspection will be
closed after 30 minutes. In this example, the Sun RPC server is on the inside interface using TCP port
111. You can also specify UDP, a different port number, or a range of ports. To specify a range of ports,
separate the starting and ending port numbers in the range with a hyphen (for example, 111-113).

The service type identifies the mapping between a specific service type and the port number used for the
service. To determine the service type, which in this example is 100003, use the sunrpcinfo command
at the UNIX or Linux command line on the Sun RPC server machine.

To clear the Sun RPC configuration, enter the following command:

hostname(config)# clear configure sunrpc-server

This removes the configuration performed using the sunrpc-server command. The sunrpc-server
command allows pinholes to be created with a specified timeout.

To clear the active Sun RPC services, enter the following command:

hostname(config)# clear sunrpc-server active

This clears the pinholes that are opened by Sun RPC application inspection for specific services, such
as NFS or NIS.

Verifying and Monitoring Sun RPC Inspection

The sample output in this section is for a Sun RPC server with an IP address of 192.168.100.2 on the
inside interface and a Sun RPC client with an IP address of 209.168.200.5 on the outside interface.

To view information about the current Sun RPC connections, enter the show conn command. The
following is sample output from the show conn command:

hostname# show conn

15 in use, 21 most used

UDP out 209.165.200.5:800 in 192.168.100.2:2049 idle 0:00:04 flags -

UDP out 209.165.200.5:714 in 192.168.100.2:111 idle 0:00:04 flags -

UDP out 209.165.200.5:712 in 192.168.100.2:647 idle 0:00:05 flags -

UDP out 192.168.100.2:0 in 209.165.200.5:714 idle 0:00:05 flags i

hostname(config)#
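As an added example (not from the Cisco guide), the following Python script parses sunrpc-server configuration lines and the show conn output above, then lists active connections that no configured entry accounts for by protocol, server address and port. The UDP entry with the 111-2049 range is a constructed assumption added to the page's tcp entry, and each show conn line is read with its "in" side as the address compared against the entry's network.

```python
import ipaddress
import re
# Constructed input: the page's tcp entry plus a hypothetical UDP entry (assumption) spanning 111-2049.
SUNRPC_CONFIG = """\
sunrpc-server inside 192.168.100.2 255.255.255.255 service 100003 protocol tcp 111 timeout 00:30:00
sunrpc-server inside 192.168.100.2 255.255.255.255 service 100003 protocol udp 111-2049 timeout 00:30:00
"""
# Constructed input: the four connection lines from the page's show conn output.
SHOW_CONN = """\
UDP out 209.165.200.5:800 in 192.168.100.2:2049 idle 0:00:04 flags -
UDP out 209.165.200.5:714 in 192.168.100.2:111 idle 0:00:04 flags -
UDP out 209.165.200.5:712 in 192.168.100.2:647 idle 0:00:05 flags -
UDP out 192.168.100.2:0 in 209.165.200.5:714 idle 0:00:05 flags i
"""
CONF_RE = re.compile(r"^sunrpc-server (\S+) (\S+) (\S+) service (\d+) protocol (tcp|udp) "
                     r"(\d+)(?:-(\d+))? timeout (\d{2}):(\d{2}):(\d{2})$")
CONN_RE = re.compile(r"^(TCP|UDP) out (\S+):(\d+) in (\S+):(\d+) idle (\d+):(\d{2}):(\d{2})")

def parse_config(text):
    """Parse sunrpc-server lines into dicts; reject bad port ranges or timeouts."""
    entries = []
    for line in text.splitlines():
        m = CONF_RE.match(line.strip())
        if not m:
            raise ValueError("unparseable line: " + line)
        iface, ip, mask, svc, proto, lo, hi, hh, mm, ss = m.groups()
        lo, hi = int(lo), int(hi or lo)  # a single port is the range lo..lo
        if not 1 <= lo <= hi <= 65535 or int(mm) > 59 or int(ss) > 59:
            raise ValueError("bad port range or timeout: " + line)
        entries.append({"interface": iface, "service": int(svc), "protocol": proto.upper(),
                        "network": ipaddress.ip_network(f"{ip}/{mask}", strict=False),
                        "ports": (lo, hi), "timeout_s": int(hh) * 3600 + int(mm) * 60 + int(ss)})
    return entries

def parse_conns(text):
    """Extract protocol, 'in'-side address/port and idle seconds from show conn lines."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            proto, _, _, in_ip, in_port, h, mi, s = m.groups()
            conns.append({"protocol": proto, "ip": ipaddress.ip_address(in_ip), "port": int(in_port),
                          "idle_s": int(h) * 3600 + int(mi) * 60 + int(s)})
    return conns

def uncovered(entries, conns):
    """Return connections that no entry matches on protocol, 'in' address and port."""
    def covered(c):
        return any(c["protocol"] == e["protocol"] and c["ip"] in e["network"]
                   and e["ports"][0] <= c["port"] <= e["ports"][1] for e in entries)
    return [c for c in conns if not covered(c)]
```

With only the page's tcp entry configured, none of the four UDP sessions is covered, which is the kind of protocol mismatch this audit is meant to surface.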

To display the information about the Sun RPC service table configuration, enter the show running-config sunrpc-server command. The following is sample output from the show running-config sunrpc-server command:

hostname(config)# show running-config sunrpc-server
