https://community.cisco.com/t5/network-security/asa-dcerpc-issue/m-p/4454214#M1083124 <P>I have the same problem.</P><P>&nbsp;</P><P>Just to confirm:</P><P>&nbsp;</P><P>&nbsp; &nbsp;Do your ACLs explicitly authorize TCP/135?&nbsp; Or are you relying on default Cisco ASA behavior based on interface security levels?</P><P>&nbsp;</P><P>I ask because: DCERPC / DCOM-RPC enabled windows applications that communicate with each-other are often uni-directional.&nbsp; E.g., It seems that either host can be the TCP/135 server, accepting the control-connection, and then all the resulting ephemeral TCP ports are independent are independent of the original TCP/135 connection.</P><P>&nbsp;</P><P>I'm filing a support request with Cisco now to get an official statement on the status of the <SPAN><STRONG>dcerpc</STRONG>&nbsp;inspection engine module.</SPAN></P> Tue, 24 Aug 2021 15:43:54 GMT BrianSekleckiGE 2021-08-24T15:43:54Z https://community.cisco.com/t5/network-security/asa-dcerpc-issue/m-p/3335236#M970000 <P>Hi,</P> <P>&nbsp;</P> <P>I am using Nagios to monitor our windows server using WMI. So I configure the DECRPC on our ASA 5520 firewall but i still see the deny on port &gt; 1024.</P> <P>&nbsp;</P> <P>Below is the configuration:</P> <P>&nbsp;</P> <P>class-map MSRPC<BR />&nbsp;match port tcp eq 135<BR />!<BR />policy-map type inspect dcerpc MSRPC-MAP<BR />&nbsp;description dcerpc inspection for MAP and LOOKUP ops<BR />&nbsp;parameters<BR />&nbsp; endpoint-mapper lookup-operation<BR />&nbsp; timeout pinhole 0:03:00<BR />policy-map global_policy<BR />&nbsp;class inspection_default<BR />&nbsp; inspect dns preset_dns_map<BR />&nbsp; inspect ftp<BR />&nbsp; inspect h323 h225<BR />&nbsp; inspect h323 ras<BR />&nbsp; inspect ip-options<BR />&nbsp; inspect netbios<BR />&nbsp; inspect rsh<BR />&nbsp; inspect rtsp<BR />&nbsp; inspect sqlnet<BR />&nbsp; inspect sunrpc<BR />&nbsp; inspect tftp<BR />&nbsp; inspect xdmcp<BR />&nbsp; inspect skinny<BR />&nbsp; inspect icmp<BR />&nbsp; inspect dcerpc<BR />!<BR />policy-map MSRPC<BR />&nbsp;class MSRPC<BR />&nbsp; inspect dcerpc MSRPC-MAP<BR />!<BR />service-policy global_policy global<BR />service-policy MSRPC interface pci-management<BR />service-policy MSRPC interface pci-external-svcs</P> <P>!</P> <P>ACL to allow tcp on port 135 is in place as well.</P> <P>&nbsp;</P> <P>I also tried to use the policy parameter with epm only, and it doesn't work</P> <P>I also tried to remove the inspection of dcerpc from global_policy and it's donig the same thing.</P> <P>I also tried to only apply the policy-map on the Nagios interface, still the same thing</P> <P>&nbsp;</P> <P>Can anyone help&nbsp; me out about this please?</P> Fri, 21 Feb 2020 15:23:26 GMT https://community.cisco.com/t5/network-security/asa-dcerpc-issue/m-p/3335236#M970000 Ge Qu 2020-02-21T15:23:26Z https://community.cisco.com/t5/network-security/asa-dcerpc-issue/m-p/4454214#M1083124 <P>I have the same problem.</P><P>&nbsp;</P><P>Just to confirm:</P><P>&nbsp;</P><P>&nbsp; &nbsp;Do your ACLs explicitly authorize TCP/135?&nbsp; Or are you relying on default Cisco ASA behavior based on interface security levels?</P><P>&nbsp;</P><P>I ask because: DCERPC / DCOM-RPC enabled windows applications that communicate with each-other are often uni-directional.&nbsp; E.g., It seems that either host can be the TCP/135 server, accepting the control-connection, and then all the resulting ephemeral TCP ports are independent are independent of the original TCP/135 connection.</P><P>&nbsp;</P><P>I'm filing a support request with Cisco now to get an official statement on the status of the <SPAN><STRONG>dcerpc</STRONG>&nbsp;inspection engine module.</SPAN></P> Tue, 24 Aug 2021 15:43:54 GMT https://community.cisco.com/t5/network-security/asa-dcerpc-issue/m-p/4454214#M1083124 BrianSekleckiGE 2021-08-24T15:43:54Z