Sun RPC ALG Support for Firewalls and NAT
The Sun RPC ALG Support for Firewalls and NAT feature adds support for the Sun Microsystems remote-procedure call (RPC) application-level gateway (ALG) on the firewall and Network Address Translation (NAT). Sun RPC is an application layer protocol that enables client programs to call functions in a remote server program. This module describes how to configure the Sun RPC ALG.
- Finding Feature Information
- Restrictions for Sun RPC ALG Support for Firewalls and NAT
- Information About Sun RPC ALG Support for Firewalls and NAT
- How to Configure Sun RPC ALG Support for Firewalls and NAT
- Configuration Examples for Sun RPC ALG Support for Firewall and NAT
- Additional References for Sun RPC ALG Support for Firewall and NAT
- Feature Information for Sun RPC ALG Support for Firewalls and NAT
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for Sun RPC ALG Support for Firewalls and NAT
Depending on your release, the following configuration will not work on Cisco ASR 1000 Aggregation Services Routers. If you configure the inspect action for Layer 4 or Layer 7 class maps, packets that match the Port Mapper Protocol well-known port (111) pass through the firewall without the Layer 7 inspection. Without the Layer 7 inspection, firewall pinholes are not open for traffic flow, and the Sun remote-procedure call (RPC) is blocked by the firewall. As a workaround, configure the match program-number command for Sun RPC program numbers.
Only Port Mapper Protocol Version 2 is supported; none of the other versions are supported.
Only RPC Version 2 is supported.
Information About Sun RPC ALG Support for Firewalls and NAT
Application-Level Gateways
An application-level gateway (ALG) performs the following functions:
- Allows client applications to use dynamic TCP or UDP ports to communicate with the server application.
- Recognizes application-specific commands and offers granular security control over them.
- Synchronizes multiple streams or sessions of data between two hosts that are exchanging data.
- Translates the network-layer address information that is available in the application payload.
The firewall opens a pinhole, and NAT performs translation service on any TCP or UDP traffic that does not carry the source and destination IP addresses in the application-layer data stream. Specific protocols or applications that embed IP address information require the support of an ALG.
Sun RPC
The Sun remote-procedure call (RPC) application-level gateway (ALG) performs a deep packet inspection of the Sun RPC protocol. The Sun RPC ALG works with a provisioning system that allows network administrators to configure match filters. Each match filter defines a match criterion that is searched for in a Sun RPC packet, thereby permitting only packets that match the criterion.
In an RPC, a client program calls procedures in a server program. The RPC library packages the procedure arguments into a network message and sends the message to the server. The server, in turn, uses the RPC library and takes the procedure arguments from the network message and calls the specified server procedure. When the server procedure returns to the RPC, return values are packaged into a network message and sent back to the client.
For a detailed description of the Sun RPC protocol, see RFC 1057, RPC: Remote Procedure Call Protocol Specification Version 2.
Sun RPC ALG Support for Firewalls
You can configure the Sun RPC ALG by using the zone-based firewall that is created by using policies and class maps. A Layer 7 class map allows network administrators to configure match filters. The filters specify the program numbers to be searched for in Sun RPC packets. The Sun RPC Layer 7 policy map is configured as a child policy of the Layer 4 policy map with the service-policy command.
When you configure a Sun RPC Layer 4 class map without configuring a Layer 7 firewall policy, the traffic returned by the Sun RPC passes through the firewall, but sessions are not inspected at Layer 7. Because sessions are not inspected, the subsequent RPC call is blocked by the firewall. Configuring a Sun RPC Layer 4 class map and a Layer 7 policy allows Layer 7 inspection. You can configure an empty Layer 7 firewall policy, that is, a policy without any match filters.
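As an added illustration that is not part of the Cisco documentation or of any Cisco code, the following Python models the two decisions the Sun RPC ALG makes on the Port Mapper exchange described above: it applies the program-number match filter to a GETPORT call and derives the pinhole (protocol and port) from the matching reply. The wire layout follows RFC 1057 and Port Mapper Protocol Version 2 (the only versions the feature supports); the message bytes are constructed here, and the function names are assumptions of this example.

```python
import struct
# Constants from RFC 1057 and the Port Mapper Protocol v2 (the service behind port 111).
RPC_VERSION, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 2, 100000, 2, 3
CALL, REPLY, MSG_ACCEPTED, SUCCESS = 0, 1, 0, 0
PROTO_NAMES = {6: "tcp", 17: "udp"}

def _opaque_auth_len(buf, off):
    # opaque_auth = flavor (4 bytes) + body length (4 bytes) + body padded to 4 bytes
    _flavor, length = struct.unpack_from("!II", buf, off)
    return 8 + ((length + 3) & ~3)

def parse_getport_call(buf):
    """Decode a portmap v2 GETPORT call; return the requested program tuple or None."""
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from("!6I", buf, 0)
    # Only RPC v2 and Port Mapper v2 are inspected, matching the documented restriction.
    if (mtype, rpcvers, prog, vers, proc) != (CALL, RPC_VERSION, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT):
        return None
    off = 24
    off += _opaque_auth_len(buf, off)  # credentials
    off += _opaque_auth_len(buf, off)  # verifier
    req_prog, req_vers, req_prot, _port = struct.unpack_from("!4I", buf, off)
    return {"xid": xid, "prog": req_prog, "vers": req_vers, "prot": req_prot}

def parse_getport_reply(buf):
    """Decode an accepted GETPORT reply; return (xid, port) or None if it was not SUCCESS."""
    xid, mtype, stat = struct.unpack_from("!3I", buf, 0)
    if (mtype, stat) != (REPLY, MSG_ACCEPTED):
        return None
    off = 12 + _opaque_auth_len(buf, 12)  # skip the reply verifier
    accept_stat, port = struct.unpack_from("!2I", buf, off)
    return (xid, port) if accept_stat == SUCCESS else None

def pinhole_decision(call_buf, reply_buf, allowed_programs):
    """Emulate match program-number (match-any): return the (protocol, port) pinhole or None."""
    call = parse_getport_call(call_buf)
    if call is None or call["prog"] not in allowed_programs:
        return None  # a program with no matching filter is blocked, the ALG's default
    reply = parse_getport_reply(reply_buf)
    if reply is None or reply[0] != call["xid"] or reply[1] == 0:
        return None  # unrelated transaction, or program not registered (port 0)
    return PROTO_NAMES.get(call["prot"], str(call["prot"])), reply[1]

def build_getport(xid, prog, vers, prot):
    """Construct a sample GETPORT call with AUTH_NULL credential and verifier."""
    hdr = struct.pack("!6I", xid, CALL, RPC_VERSION, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    return hdr + struct.pack("!4I", 0, 0, 0, 0) + struct.pack("!4I", prog, vers, prot, 0)

def build_reply(xid, port):
    """Construct a sample accepted reply (AUTH_NULL verifier, SUCCESS, assigned port)."""
    return struct.pack("!3I", xid, REPLY, MSG_ACCEPTED) + struct.pack("!4I", 0, 0, SUCCESS, port)
```

With a filter for mount (100005) only, a GETPORT for NFS (100003) yields no pinhole, which is the behaviour the restriction above describes when the Layer 7 filter is missing.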
Sun RPC ALG Support for NAT
By default, the Sun RPC ALG is automatically enabled when Network Address Translation (NAT) is enabled. You can use the no ip nat service alg command to disable the Sun RPC ALG on NAT.
How to Configure Sun RPC ALG Support for Firewalls and NAT
For Sun RPC to work when the firewall and NAT are enabled, the ALG must inspect Sun RPC packets. The ALG also handles Sun RPC-specific issues such as establishing dynamic firewall sessions and fixing the packet content after NAT translation.
Configuring the Firewall for the Sun RPC ALG
You must configure a Layer 7 Sun remote-procedure call (RPC) policy map if you have configured the inspect action for the Sun RPC protocol (that is, if you have specified the match protocol sunrpc command in a Layer 4 class map).
We recommend that you do not configure both security zones and inspect rules on the same interface because this configuration may not work.
Perform the following tasks to configure a firewall for the Sun RPC ALG:
- Configuring a Layer 4 Class Map for a Firewall Policy
- Configuring a Layer 7 Class Map for a Firewall Policy
- Configuring a Sun RPC Firewall Policy Map
- Attaching a Layer 7 Policy Map to a Layer 4 Policy Map
- Creating Security Zones and Zone Pairs and Attaching a Policy Map to a Zone Pair
Configuring a Layer 4 Class Map for a Firewall Policy
Perform this task to configure a Layer 4 class map for classifying network traffic. When you specify the match-all keyword with the class-map type inspect command, the Sun RPC traffic must match all Sun remote-procedure call (RPC) Layer 7 filters (specified as program numbers) in the class map. When you specify the match-any keyword with the class-map type inspect command, the Sun RPC traffic must match at least one of the Sun RPC Layer 7 filters (specified as program numbers) in the class map.
To configure a Layer 4 class map, use the class-map type inspect {match-any | match-all} class-map-name command.
1. enable
2. configure terminal
3. class-map type inspect {match-any | match-all} class-map-name
4. match protocol protocol-name
5. end
Configuring a Layer 7 Class Map for a Firewall Policy
Perform this task to configure a Layer 7 class map for classifying network traffic. This configuration enables Sun RPC programs such as mount (program number 100005) and Network File System (NFS) (program number 100003). By default, the Sun RPC ALG blocks all programs.
For more information about Sun RPC programs and program numbers, see RFC 1057, RPC: Remote Procedure Call Protocol Specification Version 2.
Use the class-map type inspect protocol-name command to configure a Layer 7 class map.
1. enable
2. configure terminal
3. class-map type inspect protocol-name {match-any | match-all} class-map-name
4. match program-number program-number
5. end
Configuring a Sun RPC Firewall Policy Map
Perform this task to configure a Sun remote-procedure call (RPC) firewall policy map. Use a policy map to allow packet transfer for each Sun RPC Layer 7 class that is defined in a class map for a Layer 7 firewall policy.
1. enable
2. configure terminal
3. policy-map type inspect protocol-name policy-map-name
4. class type inspect protocol-name class-map-name
5. allow
6. end
Attaching a Layer 7 Policy Map to a Layer 4 Policy Map
1. enable
2. configure terminal
3. policy-map type inspect policy-map-name
4. class {class-map-name | class-default}
5. inspect [parameter-map-name]
6. service-policy protocol-name policy-map-name
7. exit
8. class class-default
9. drop
10. end
Creating Security Zones and Zone Pairs and Attaching a Policy Map to a Zone Pair
You need two security zones to create a zone pair. Alternatively, you can create only one security zone and use the system-defined security zone as the second one. To use the system-defined security zone, or self zone, configure the zone-pair security command with the self keyword.
Note: If you select a self zone, you cannot configure the inspect action.
In this task, you will do the following:
1. enable
2. configure terminal
3. zone security {zone-name | default}
4. exit
5. zone security {zone-name | default}
6. exit
7. zone-pair security zone-pair-name source source-zone-name destination destination-zone-name
8. service-policy type inspect policy-map-name
9. exit
10. interface type number
11. ip address ip-address mask [secondary [vrf vrf-name]]
12. zone-member security zone-name
13. exit
14. interface type number
15. ip address ip-address mask [secondary [vrf vrf-name]]
16. zone-member security zone-name
17. end
Configuration Examples for Sun RPC ALG Support for Firewall and NAT
- Example: Configuring a Layer 4 Class Map for a Firewall Policy
- Example: Configuring a Layer 7 Class Map for a Firewall Policy
- Example: Configuring a Sun RPC Firewall Policy Map
- Example: Attaching a Layer 7 Policy Map to a Layer 4 Policy Map
- Example: Creating Security Zones and Zone Pairs and Attaching a Policy Map to a Zone Pair
- Example: Configuring the Firewall for the Sun RPC ALG
Example: Configuring a Layer 4 Class Map for a Firewall Policy
Device# configure terminal
Device(config)# class-map type inspect match-any sunrpc-l4-cmap
Device(config-cmap)# match protocol sunrpc
Device(config-cmap)# end
Example: Configuring a Layer 7 Class Map for a Firewall Policy
Device# configure terminal
Device(config)# class-map type inspect sunrpc match-any sunrpc-l7-cmap
Device(config-cmap)# match program-number 100005
Device(config-cmap)# end
Example: Configuring a Sun RPC Firewall Policy Map
Device# configure terminal
Device(config)# policy-map type inspect sunrpc sunrpc-l7-pmap
Device(config-pmap)# class type inspect sunrpc sunrpc-l7-cmap
Device(config-pmap-c)# allow
Device(config-pmap-c)# end
Example: Attaching a Layer 7 Policy Map to a Layer 4 Policy Map
Device# configure terminal
Device(config)# policy-map type inspect sunrpc-l4-pmap
Device(config-pmap)# class type inspect sunrpc-l4-cmap
Device(config-pmap-c)# inspect
Device(config-pmap-c)# service-policy sunrpc sunrpc-l7-pmap
Device(config-pmap-c)# exit
Device(config-pmap)# class class-default
Device(config-pmap-c)# drop
Device(config-pmap-c)# end
Example: Creating Security Zones and Zone Pairs and Attaching a Policy Map to a Zone Pair
Device# configure terminal
Device(config)# zone security z-client
Device(config-sec-zone)# exit
Device(config)# zone security z-server
Device(config-sec-zone)# exit
Device(config)# zone-pair security clt2srv source z-client destination z-server
Device(config-sec-zone-pair)# service-policy type inspect sunrpc-l4-pmap
Device(config-sec-zone-pair)# exit
Device(config)# interface gigabitethernet 2/0/0
Device(config-if)# ip address 192.168.10.1 255.255.255.0
Device(config-if)# zone-member security z-client
Device(config-if)# exit
Device(config)# interface gigabitethernet 2/1/1
Device(config-if)# ip address 192.168.23.1 255.255.255.0
Device(config-if)# zone-member security z-server
Device(config-if)# end
Example: Configuring the Firewall for the Sun RPC ALG
The following is a sample firewall configuration for the Sun remote-procedure call (RPC) application-level gateway (ALG) support:
class-map type inspect sunrpc match-any sunrpc-l7-cmap
 match program-number 100005
!
class-map type inspect match-any sunrpc-l4-cmap
 match protocol sunrpc
!
!
policy-map type inspect sunrpc sunrpc-l7-pmap
 class type inspect sunrpc sunrpc-l7-cmap
  allow
!
!
policy-map type inspect sunrpc-l4-pmap
 class type inspect sunrpc-l4-cmap
  inspect
  service-policy sunrpc sunrpc-l7-pmap
 !
 class class-default
  drop
!
!
zone security z-client
!
zone security z-server
!
zone-pair security clt2srv source z-client destination z-server
 service-policy type inspect sunrpc-l4-pmap
!
interface GigabitEthernet 2/0/0
 ip address 192.168.10.1 255.255.255.0
 zone-member security z-client
!
interface GigabitEthernet 2/1/1
 ip address 192.168.23.1 255.255.255.0
 zone-member security z-server
!
Additional References for Sun RPC ALG Support for Firewall and NAT
Related Documents
Related Topic | Document Title
---|---
Cisco IOS commands |
IP Addressing commands |
Security commands |
Standards and RFCs
Standard/RFC | Title
---|---
RFC 1057 | RPC: Remote Procedure Call Protocol Specification Version 2
Technical Assistance
Description | Link
---|---
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for Sun RPC ALG Support for Firewalls and NAT
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Feature Name | Releases | Feature Information
---|---|---
Sun RPC ALG Support for Firewalls and NAT | Cisco IOS XE Release 3.2S | The Sun RPC ALG Support for Firewalls and NAT feature adds support for the Sun RPC ALG on the firewall and NAT. The following command was introduced or modified: match protocol.