Re: ASA handling of dynmic RPC ports? if yes how?

omair.siddiqui · ‎06-20-2010

One of my client has upgraded their Microsoft as well as network infrastructure. Now exchange 2010 and windows server 2008 would in DMZs. The
Microsoft consultant inform that the windows client on inside network will be going to use RPC to communicate with servers on DMZ for several
communication like when client goes to authenticate on with LDAP, they will communicate on random ports.

Now the requirement is not to use *any* clause in ACL. Is there a way that i can cater dynamic ports using ILS or something else?

Marcin Latosiewicz · ‎06-20-2010

Omair,

What port is the initial RPC exchange done on.

Truth be told if the newly allocated port is not communicated within a standard stream ASA will not inspect it and will not open a port dynamically since it does not know which ports I should open.

We have sunrpc inspection but it only inspects tcp/111 AFAIR.

We also have dcerpc inspection ... tcp/135.

Let me know how it goes...

Marcin

abu_khair · ‎06-21-2010

Hi Marcin:

I am having problem with DCERPC. We have two FWSM Firewalls. FWSM Version is 4.0(11) with active/standby failover configuration. We are using the default DCERPC inspection as the following:

class-map inspection_default

description Default Inspection

match default-inspection-traffic

!

policy-map global_policy

class inspection_default

inspect dcerpc

!

service-policy global_policy global

TCP/135 is allowed but the inspection is not working as expected since some ports are getting blocked:

2|Jun 21 2010 13:15:00|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4780) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]

2|Jun 21 2010 13:15:01|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.15(2554) -> SRVRS/10.1.0.20(1026) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]

2|Jun 21 2010 13:15:05|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4781) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]

2|Jun 21 2010 13:15:10|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4783) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]

2|Jun 21 2010 13:15:14|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.18(1413) -> SRVRS/10.1.0.53(1073) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]

2|Jun 21 2010 13:15:15|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4784) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]

2|Jun 21 2010 13:15:20|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4785) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]

2|Jun 21 2010 13:15:23|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.15(2558) -> SRVRS/10.1.0.20(1026) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]

2|Jun 21 2010 13:15:25|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4786) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]

2|Jun 21 2010 13:15:30|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4788) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]

I have tried to customized the DCERPC inspection but it did not work:

policy-map type inspect dcerpc DCEPRC

description DCERPC

parameters

endpoint-mapper lookup-operation timeout 0:15:00

timeout pinhole 0:15:00

would you please advice?

Marcin Latosiewicz · ‎06-21-2010

Abu_Khair,

If you're sure it's RPC - possibly:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsx26083

Marcin