https://community.cisco.com/t5/network-security/question-about-capability-of-2921-running-15-0-1-m5-with/m-p/2079288#M395923 <P>I have a 2921 acting as the HUB of a DMVPN deployment.&nbsp; I would like to apply an inbound acl to the tunnel interface to only allow the minimum ports necessary for the remote sites to communicate back to the data center.&nbsp; This includes Active Directory traffic.&nbsp; I'm very green with security, especially on this 2921.&nbsp; I've done limited research on getting AD traffic through a firewall and my understanding of this is that the host communicates with the AD controller over a well-known port (mapper service) which then instructs the client to use a randomly generated port in a very large range for future communication with the AD controller.&nbsp; This would then mean that the 2921 would need to be able to inspect this first traffic flow and then dynamically open up just the minimum&nbsp; port(s) required to allow the host to talk to the AD controller.&nbsp; Is my 2921 with the version/feature set its running capable of doing this?&nbsp; If not, can it be made capable to do this with additional hw and/or licensing?</P><P></P><P>Thanks,</P><P>Steven&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P> Tue, 12 Mar 2019 00:20:08 GMT sdavids5670 2019-03-12T00:20:08Z https://community.cisco.com/t5/network-security/question-about-capability-of-2921-running-15-0-1-m5-with/m-p/2079288#M395923 <P>I have a 2921 acting as the HUB of a DMVPN deployment.&nbsp; I would like to apply an inbound acl to the tunnel interface to only allow the minimum ports necessary for the remote sites to communicate back to the data center.&nbsp; This includes Active Directory traffic.&nbsp; I'm very green with security, especially on this 2921.&nbsp; I've done limited research on getting AD traffic through a firewall and my understanding of this is that the host communicates with the AD controller over a well-known port (mapper service) which then instructs the client to use a randomly generated port in a very large range for future communication with the AD controller.&nbsp; This would then mean that the 2921 would need to be able to inspect this first traffic flow and then dynamically open up just the minimum&nbsp; port(s) required to allow the host to talk to the AD controller.&nbsp; Is my 2921 with the version/feature set its running capable of doing this?&nbsp; If not, can it be made capable to do this with additional hw and/or licensing?</P><P></P><P>Thanks,</P><P>Steven&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P> Tue, 12 Mar 2019 00:20:08 GMT https://community.cisco.com/t5/network-security/question-about-capability-of-2921-running-15-0-1-m5-with/m-p/2079288#M395923 sdavids5670 2019-03-12T00:20:08Z https://community.cisco.com/t5/network-security/question-about-capability-of-2921-running-15-0-1-m5-with/m-p/2079289#M395924 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>You mean to be able to inpect trafffic and open the required pinholes?</P><P>It is, you can run the ZBFW in this box with not a problem at all,</P><P></P><P>Regards</P></BODY></HTML> Wed, 07 Nov 2012 21:08:17 GMT https://community.cisco.com/t5/network-security/question-about-capability-of-2921-running-15-0-1-m5-with/m-p/2079289#M395924 Julio Carvajal 2012-11-07T21:08:17Z https://community.cisco.com/t5/network-security/question-about-capability-of-2921-running-15-0-1-m5-with/m-p/2079290#M395927 <HTML><HEAD></HEAD><BODY><P> I've been playing around with the "ip inspect" command and I've got things working partially.&nbsp; There's a large list of well-known protocols available with the ip inspect command.&nbsp; However, I cannot find the one for endpoint mapper (tcp/135).&nbsp; How do I define endpoint mapper in an ip inspect profile?</P></BODY></HTML> Thu, 08 Nov 2012 18:56:40 GMT https://community.cisco.com/t5/network-security/question-about-capability-of-2921-running-15-0-1-m5-with/m-p/2079290#M395927 sdavids5670 2012-11-08T18:56:40Z https://community.cisco.com/t5/network-security/question-about-capability-of-2921-running-15-0-1-m5-with/m-p/2079291#M395930 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>So running CBAC.</P><P></P><P>Here is how to create a port-map definition to inspect traffic:</P><P>The example will use RDP:</P><P>ip port-map user-rdp3389 port tcp 3389</P><P>Then you could match the traffic and inspected!</P><P></P><P>In your case just use tcp 135</P><P></P><P>Regards,</P><P></P><P>Remember to rate all of the helpful posts</P></BODY></HTML> Thu, 08 Nov 2012 21:29:23 GMT https://community.cisco.com/t5/network-security/question-about-capability-of-2921-running-15-0-1-m5-with/m-p/2079291#M395930 Julio Carvajal 2012-11-08T21:29:23Z