https://community.cisco.com/t5/network-security/configuring-amp-verifying-rpc-policy-on-asa/m-p/3687743#M14542 What you are doing is correct. You can't assign L7 policy map directly on<BR />interface. You need to call them in L4 policy maps as you do.<BR /><BR />In this case you aren't changing the default settings for inspecting dcerpc<BR />therefore, I don't see why you are creating L7 policy. You can apply<BR />inspect directly without L7 policy.<BR /> Tue, 14 Aug 2018 07:39:19 GMT Mohammed al Baqari 2018-08-14T07:39:19Z https://community.cisco.com/t5/network-security/configuring-amp-verifying-rpc-policy-on-asa/m-p/3687631#M14538 <P>Hello,</P> <P>I currently have the following configuration set on my ASA and would like to know if this is set up properly.&nbsp; I understand you can specify policy-map types and class map types but don't see/know how to apply these to an interface.&nbsp; Can I get a little guidance on this?&nbsp; I don't want to open up the dynamic range of ports and would like to inspect RPC.</P> <P>&nbsp;</P> <P>Current Config:</P> <P>policy-map type inspect dcerpc RPC-PM<BR />exit<BR />class-map RPC-CM<BR /> match port tcp eq 135<BR />exit<BR />policy-map INSPECT-RPC<BR /> class RPC-CM<BR /> inspect dcerpc RPC-PM<BR />exit<BR />exit<BR />service-policy INSPECT-RPC interface inside<BR />service-policy INSPECT-RPC interface pmont</P> <P>&nbsp;</P> <P>Service-Policy Output:</P> <P>&nbsp;</P> <P>Interface inside:<BR /> Service-policy: INSPECT-RPC<BR /> Class-map: RPC-CM<BR /> Inspect: dcerpc RPC-PM, packet 103369, lock fail 0, drop 2, reset-drop 0, 5-min-pkt-rate 7 pkts/sec, v6-fail-close 0 sctp-drop-override 0<BR /> tcp-proxy: bytes in buffer 0, bytes dropped 0</P> <P>Interface pmont:<BR /> Service-policy: INSPECT-RPC<BR /> Class-map: RPC-CM<BR /> Inspect: dcerpc RPC-PM, packet 10270, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 1 pkts/sec, v6-fail-close 0 sctp-drop-override 0<BR /> tcp-proxy: bytes in buffer 0, bytes dropped 0</P> <P>&nbsp;</P> <P>Thanks!</P> Fri, 21 Feb 2020 16:06:04 GMT https://community.cisco.com/t5/network-security/configuring-amp-verifying-rpc-policy-on-asa/m-p/3687631#M14538 Terence Lockette 2020-02-21T16:06:04Z https://community.cisco.com/t5/network-security/configuring-amp-verifying-rpc-policy-on-asa/m-p/3687743#M14542 What you are doing is correct. You can't assign L7 policy map directly on<BR />interface. You need to call them in L4 policy maps as you do.<BR /><BR />In this case you aren't changing the default settings for inspecting dcerpc<BR />therefore, I don't see why you are creating L7 policy. You can apply<BR />inspect directly without L7 policy.<BR /> Tue, 14 Aug 2018 07:39:19 GMT https://community.cisco.com/t5/network-security/configuring-amp-verifying-rpc-policy-on-asa/m-p/3687743#M14542 Mohammed al Baqari 2018-08-14T07:39:19Z https://community.cisco.com/t5/network-security/configuring-amp-verifying-rpc-policy-on-asa/m-p/3689096#M14546 <P>The policy that I created doesn't appear to be working.&nbsp; If I explicitly define the dynamic port range in my ACL then my connections work.&nbsp; However, if I disable those rules and rely on the policy map, they don't work.&nbsp; Can you provide an example as to how I can inspect RPC without having to define the dynamic port range in my ACL?</P> Wed, 15 Aug 2018 17:00:55 GMT https://community.cisco.com/t5/network-security/configuring-amp-verifying-rpc-policy-on-asa/m-p/3689096#M14546 Terence Lockette 2018-08-15T17:00:55Z