Cisco ASA 5505 Configuration Manual page 893

Chapter 39
Configuring Inspection of Database and Directory Protocols
SQL*Net Version 2 TNSFrame types Connect, Accept, Refuse, Resend, and Marker will not be scanned for addresses to NAT, nor will inspection open dynamic connections for any ports embedded in the packet.
SQL*Net Version 2 TNSFrame types Redirect and Data will be scanned for ports to open and addresses to NAT, but only if they are preceded by a Redirect TNSFrame with a zero-length payload. When the Redirect message with data length zero passes through the adaptive security appliance, a flag will be set in the connection data structure so that the Data or Redirect message that follows is translated and its ports are dynamically opened. If one of the TNSFrame types listed in the preceding paragraph arrives after the Redirect message, the flag will be reset.
The SQL*Net inspection engine will recalculate the checksum, change the IP and TCP lengths, and readjust sequence numbers and acknowledgment numbers using the difference between the lengths of the new and old messages.
SQL*Net Version 1 is assumed for all other cases. All TNSFrame types (Connect, Accept, Refuse, Resend, Marker, Redirect, and Data) and all packets will be scanned for ports and addresses. Addresses will be translated and port connections will be opened.
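The Redirect/Data rule above is easiest to follow as a small per-connection state machine. The following Python is an added example written for this page, not Cisco code and not the ASA's inspection engine: it models only the flag logic the text describes (a zero-length Redirect sets the flag, Connect/Accept/Refuse/Resend/Marker clear it, Data and Redirect are scanned only while it is set). The TNS header layout and type codes come from the TNS protocol rather than from this page, the HOST=/PORT= scanner is a deliberately simplified stand-in for the engine's address parsing, the sample frames are constructed, and leaving the flag set after a successful scan is an assumption (the page does not say whether a consumed Data frame clears it).

```python
import re
import struct

# TNS packet-type codes (from the TNS protocol; the page names the types, not the codes).
TNS_CONNECT, TNS_ACCEPT, TNS_REFUSE = 1, 2, 4
TNS_REDIRECT, TNS_DATA = 5, 6
TNS_RESEND, TNS_MARKER = 11, 12

# Frame types that clear the "expect address" flag, as listed on the page.
RESET_TYPES = {TNS_CONNECT, TNS_ACCEPT, TNS_REFUSE, TNS_RESEND, TNS_MARKER}

# Simplified address scanner for connect-descriptor payloads (assumption, not the ASA's parser).
ADDR_RE = re.compile(rb"\(HOST=([^)]+)\)\(PORT=(\d+)\)")

TNS_HEADER = ">HHBBH"  # length, packet checksum, type, reserved, header checksum (8 bytes)


def build_tns(ptype, body):
    """Build a TNS frame: 8-byte header followed by body (checksums left zero)."""
    return struct.pack(TNS_HEADER, 8 + len(body), 0, ptype, 0, 0) + body


def parse_tns(frame):
    """Return (packet type, body) from a TNS frame."""
    length, _csum, ptype, _flags, _hcsum = struct.unpack_from(TNS_HEADER, frame, 0)
    return ptype, frame[8:length]


class SqlNetV2Inspector:
    """Per-connection state for the SQL*Net v2 Redirect/Data rule described on the page."""

    def __init__(self):
        self.expect_address = False  # the "flag in the connection data structure"

    def inspect(self, frame):
        """Return {'host', 'port'} when the frame is scanned and an address is found, else None."""
        ptype, body = parse_tns(frame)
        if ptype in RESET_TYPES:
            self.expect_address = False
            return None
        if ptype == TNS_REDIRECT:
            redirect_len = struct.unpack_from(">H", body, 0)[0]
            if redirect_len == 0:
                # Zero-length Redirect arms the flag; there is nothing to scan in this frame.
                self.expect_address = True
                return None
            # A non-empty Redirect is scanned only while the flag is set.
            return self._scan(body[2:2 + redirect_len]) if self.expect_address else None
        if ptype == TNS_DATA:
            # Data body = 2-byte data flags + payload; scanned only while the flag is set.
            return self._scan(body[2:]) if self.expect_address else None
        return None

    @staticmethod
    def _scan(payload):
        m = ADDR_RE.search(payload)
        if m is None:
            return None
        return {"host": m.group(1).decode(), "port": int(m.group(2))}


def demo():
    """Run a constructed frame sequence through the inspector; returns one result per frame."""
    connect_str = b"(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.1.1.5)(PORT=1521)))"
    frames = [
        build_tns(TNS_CONNECT, b"\x00" * 16),            # reset type: not scanned
        build_tns(TNS_REDIRECT, struct.pack(">H", 0)),   # zero-length Redirect: arms the flag
        build_tns(TNS_DATA, b"\x00\x00" + connect_str),  # scanned: address found
        build_tns(TNS_MARKER, b"\x00\x00\x00"),          # Marker clears the flag
        build_tns(TNS_DATA, b"\x00\x00" + connect_str),  # not scanned: flag is clear
    ]
    inspector = SqlNetV2Inspector()
    return [inspector.inspect(f) for f in frames]


if __name__ == "__main__":
    for i, result in enumerate(demo()):
        print(f"frame {i}: {result}")
```

The fifth frame carries exactly the same connect descriptor as the third, yet yields nothing: without the preceding zero-length Redirect no pinhole would be opened and no address rewritten, which is the behaviour the text specifies for SQL*Net Version 2.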
Sun RPC Inspection
This section describes Sun RPC application inspection. This section includes the following topics:
Sun RPC Inspection Overview, page 39-3
"SUNRPC Server" section on page 39-3
"Add/Edit SUNRPC Service" section on page 39-4
Sun RPC Inspection Overview
The Sun RPC inspection engine enables or disables application inspection for the Sun RPC protocol. Sun RPC is used by NFS and NIS. Sun RPC services can run on any port. When a client attempts to access a Sun RPC service on a server, it must learn the port that service is running on. It does this by querying the port mapper process, usually rpcbind, on the well-known port of 111.
The client sends the Sun RPC program number of the service, and the port mapper process responds with the port number of the service. The client then sends its Sun RPC queries to the server, specifying the port identified by the port mapper process. When the server replies, the adaptive security appliance intercepts this packet and opens both embryonic TCP and UDP connections on that port.
Note NAT or PAT of Sun RPC payload information is not supported.
SUNRPC Server
The Configuration > Firewall > Advanced > SUNRPC Server pane shows which SunRPC services can traverse the adaptive security appliance and their specific timeout, on a per-server basis.
Fields
Interface—Displays the interface on which the SunRPC server resides.
Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01, page 39-3
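The port mapper exchange in the Sun RPC Inspection Overview above is the part an inspection engine has to understand: it must parse the client's GETPORT call, remember which program and transport were asked for, and, when the reply arrives, derive the port to open. The following Python is an added example written for this page, not Cisco code and not the ASA's implementation. The RPC message and portmapper layouts (XDR fields, program number 100000, procedure GETPORT = 3) are taken from the Sun RPC specification rather than from this page; the call/reply bytes, the xid values and the NFS/mountd program numbers in the demo are constructed. The tracker also covers two cases the page's description implies but does not spell out: a reply whose xid matches no outstanding call, and a reply of port 0 (program not registered), neither of which should open anything.

```python
import struct

# Sun RPC / portmapper constants (RFC 5531 and the portmapper program, not from the page).
RPC_VERSION = 2
MSG_CALL, MSG_REPLY = 0, 1
MSG_ACCEPTED, SUCCESS = 0, 0
PMAP_PROG, PMAP_VERS, PMAP_GETPORT = 100000, 2, 3
IPPROTO_TCP, IPPROTO_UDP = 6, 17
AUTH_NULL = struct.pack(">II", 0, 0)  # opaque_auth: flavor AUTH_NONE, zero-length body


def _u32(buf, off):
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _skip_opaque_auth(buf, off):
    """Skip an XDR opaque_auth (flavor, length, body padded to a 4-byte boundary)."""
    _flavor, off = _u32(buf, off)
    length, off = _u32(buf, off)
    return off + ((length + 3) & ~3)


def parse_getport_call(msg):
    """Return {'xid', 'prog', 'vers', 'proto'} for a portmapper GETPORT call, else None."""
    xid, off = _u32(msg, 0)
    mtype, off = _u32(msg, off)
    rpcvers, off = _u32(msg, off)
    prog, off = _u32(msg, off)
    _vers, off = _u32(msg, off)
    proc, off = _u32(msg, off)
    if (mtype, rpcvers, prog, proc) != (MSG_CALL, RPC_VERSION, PMAP_PROG, PMAP_GETPORT):
        return None
    off = _skip_opaque_auth(msg, off)  # credentials
    off = _skip_opaque_auth(msg, off)  # verifier
    target_prog, off = _u32(msg, off)  # GETPORT args: prog, vers, prot, port (ignored)
    target_vers, off = _u32(msg, off)
    proto, off = _u32(msg, off)
    return {"xid": xid, "prog": target_prog, "vers": target_vers, "proto": proto}


def parse_getport_reply(msg):
    """Return {'xid', 'port'} for an accepted, successful reply, else None."""
    xid, off = _u32(msg, 0)
    mtype, off = _u32(msg, off)
    reply_stat, off = _u32(msg, off)
    if mtype != MSG_REPLY or reply_stat != MSG_ACCEPTED:
        return None
    off = _skip_opaque_auth(msg, off)  # verifier
    accept_stat, off = _u32(msg, off)
    if accept_stat != SUCCESS:
        return None
    port, off = _u32(msg, off)
    return {"xid": xid, "port": port}


class PortmapperTracker:
    """Correlates GETPORT calls with replies by xid and derives the pinhole to open."""

    def __init__(self):
        self.pending = {}  # xid -> parsed call, awaiting the server's reply

    def on_client_to_server(self, msg):
        call = parse_getport_call(msg)
        if call is not None:
            self.pending[call["xid"]] = call
        return call

    def on_server_to_client(self, msg):
        """Return the pinhole {'proto', 'port', 'prog', 'vers'} to open, or None."""
        reply = parse_getport_reply(msg)
        if reply is None:
            return None
        call = self.pending.pop(reply["xid"], None)
        if call is None or reply["port"] == 0:
            # Unsolicited reply, or port 0 (program not registered): open nothing.
            return None
        return {"proto": call["proto"], "port": reply["port"],
                "prog": call["prog"], "vers": call["vers"]}


def build_getport_call(xid, prog, vers, proto):
    """Construct a GETPORT call with AUTH_NONE credentials and verifier."""
    hdr = struct.pack(">IIIIII", xid, MSG_CALL, RPC_VERSION, PMAP_PROG, PMAP_VERS, PMAP_GETPORT)
    args = struct.pack(">IIII", prog, vers, proto, 0)
    return hdr + AUTH_NULL + AUTH_NULL + args


def build_getport_reply(xid, port):
    """Construct an accepted, successful GETPORT reply carrying port."""
    return struct.pack(">III", xid, MSG_REPLY, MSG_ACCEPTED) + AUTH_NULL + struct.pack(">II", SUCCESS, port)


def demo():
    """Constructed exchange: client asks for NFS v3 (100003) over TCP; portmapper answers 2049."""
    tracker = PortmapperTracker()
    tracker.on_client_to_server(build_getport_call(0x1234, 100003, 3, IPPROTO_TCP))
    pinhole = tracker.on_server_to_client(build_getport_reply(0x1234, 2049))
    unsolicited = tracker.on_server_to_client(build_getport_reply(0x9999, 2049))
    tracker.on_client_to_server(build_getport_call(0x1235, 100005, 3, IPPROTO_UDP))
    unregistered = tracker.on_server_to_client(build_getport_reply(0x1235, 0))
    return pinhole, unsolicited, unregistered
```

The pinhole is keyed on the transport and port the server actually returned, which is why the page says the appliance opens embryonic TCP and UDP connections only after intercepting the server's reply rather than on seeing the client's request; the xid correlation is what lets the engine attach that port to the program the client asked for.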
