NFS across CISCO PIX515E - NFS

  1. NFS across CISCO PIX515E

    Hi-
    I've been trying to get my PIX to handle NFS traffic between Windows and
    Solaris 9 machines, but in vain (for 2 days now!!).

    Configs:

    Windows:-
    Installed Windows Unix services which has NFS utilities like mount,
    rpcinfo, showmount which are all working fine. Windows machine on
    outside of firewall.
    ---------
    Solaris:-
    The rpc and nfs daemons are working fine -nfs can be accessed from
    another solaris machine on same side (inside) of firewall.
    ---------

    PIX:-
    Cisco PIX Firewall Version 6.3(3)
    access-list outside_access_in permit tcp 192.168.100.0 255.255.255.0 any eq sqlnet
    access-list outside_access_in permit tcp host 192.168.100.55 any eq telnet
    access-list outside_access_in permit tcp host 192.168.100.55 any eq ftp
    access-list outside_access_in permit tcp host 192.168.100.71 any eq ftp
    pager lines 24
    logging on
    mtu outside 1500
    mtu inside 1500
    ip address outside 192.168.100.101 255.255.255.0
    ip address inside 192.168.64.3 255.255.255.224
    arp timeout 14400
    static (inside,outside) tcp 192.168.100.106 sqlnet 192.168.32.29 sqlnet netmask 255.255.255.255 0 0
    static (inside,outside) tcp 192.168.100.107 sqlnet 192.168.32.30 sqlnet netmask 255.255.255.255 0 0
    static (inside,outside) tcp 192.168.100.106 telnet 192.168.32.29 telnet netmask 255.255.255.255 0 0
    static (inside,outside) tcp 192.168.100.106 ftp 192.168.32.29 ftp netmask 255.255.255.255 0 0
    static (inside,outside) tcp 192.168.100.107 ftp 192.168.32.30 ftp netmask 255.255.255.255 0 0
    static (inside,outside) 192.168.100.106 192.168.32.29 netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    conduit permit udp host 192.168.100.106 eq sunrpc host 192.168.100.71
    conduit permit udp host 192.168.100.106 eq 2049 host 192.168.100.71
    conduit permit icmp any any
    conduit permit tcp host 192.168.100.106 eq 135 host 192.168.100.71
    established tcp 135 0 permitto tcp 1024-65535 permitfrom tcp 0
    route outside 0.0.0.0 0.0.0.0 192.168.100.101 1
    route inside 192.168.0.0 255.255.0.0 192.168.64.3 1
    ---------

    Tests:
    From another solaris box on the inside (192.168.32.30), I run
    showmount -e 192.168.32.29 with success.
    From windows machine on the outside, I get RPC failure.

    Has anybody ever succeeded in running NFS across the PIX -much of the
    documentation I've come across is against this implementation.

    Thanks.
    Simon.


  2. Re: NFS across CISCO PIX515E


    cswaibale@yahoo.com wrote:
    > Hi-
    > I've been trying to get my PIX to handle NFS traffic between Windows and
    > Solaris 9 machines, but in vain (for 2 days now!!).
    >
    > Configs:
    >
    > Windows:-
    > Installed Windows Unix services which has NFS utilities like mount,
    > rpcinfo, showmount which are all working fine. Windows machine on
    > outside of firewall.
    > ---------
    > Solaris:-
    > The rpc and nfs daemons are working fine -nfs can be accessed from
    > another solaris machine on same side (inside) of firewall.



    NFSv3 needs several ancillary protocols like the portmapper, mount,
    nlm, nsm, rquotad, etc.

    And in Solaris most of the ports for the ancillary protocols, except
    portmap, and nlm, run on unfixed ports.

    rpcinfo -p will show you which ports each service runs on. You could
    set up your firewall to allow those ports, but at the next reboot, the
    ports will likely change.

    What you'll have to do is find an NFS client that does NFSv4 or WebNFS.

    For Windows, Hummingbird does NFSv4.

    Shameless plug for my employer:
    Or you could switch your NFS server to a NetApp filer. It has all the
    ancillary services run over fixed yet configurable ports.
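
The check described in the reply above, as an added example that is not part of the original thread: it parses `rpcinfo -p` output from the NFS server and lists the NFSv3-family registrations that the conduit lines in the posted PIX config do not permit. The sample output and its port numbers are constructed, and treating 4045 as the fixed Solaris lock manager port is an assumption of this example.

```python
# Constructed `rpcinfo -p` output for a Solaris NFSv3 server (ports are made up).
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100024    1   udp  32772  status
    100021    4   udp   4045  nlockmgr
    100005    3   udp  32793  mountd
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100011    1   udp  32780  rquotad
"""

# RPC program numbers of the protocols the reply names.
NFS_PROGRAMS = {100000: "portmapper", 100003: "nfs", 100005: "mountd",
                100011: "rquotad", 100021: "nlm", 100024: "nsm"}

# Assumption: ports that stay the same across reboots (portmap, nfs, Solaris nlm).
FIXED_PORTS = {111, 2049, 4045}

# (proto, port) pairs opened by the conduit lines in the first post.
PIX_ALLOWED = {("udp", 111), ("udp", 2049), ("tcp", 135)}

def parse_rpcinfo(text):
    """Return sorted unique (service, proto, port) for NFS-related programs."""
    seen = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not (fields[0].isdigit() and fields[3].isdigit()):
            continue  # header line or malformed row
        prog, proto, port = int(fields[0]), fields[2], int(fields[3])
        if prog in NFS_PROGRAMS:
            seen.add((NFS_PROGRAMS[prog], proto, port))
    return sorted(seen)

def audit(text, allowed=PIX_ALLOWED):
    """Split registrations into permitted and blocked; tag blocked as fixed/dynamic."""
    permitted, blocked = [], []
    for svc, proto, port in parse_rpcinfo(text):
        if (proto, port) in allowed:
            permitted.append((svc, proto, port))
        else:
            kind = "fixed" if port in FIXED_PORTS else "dynamic"
            blocked.append((svc, proto, port, kind))
    return permitted, blocked

if __name__ == "__main__":
    for row in audit(SAMPLE_RPCINFO)[1]:
        print("not permitted by the posted conduits:", *row)
```

Rows tagged `dynamic` are the ones a static firewall rule cannot track across a server reboot.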

