Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
392
Views
0
Helpful
3
Replies

Question about capability of 2921 running 15.0(1)M5 with security and ipbase

sdavids5670
Level 2
Level 2

‎11-07-2012 12:02 PM - edited ‎03-11-2019 05:20 PM

I have a 2921 acting as the HUB of a DMVPN deployment.  I would like to apply an inbound acl to the tunnel interface to only allow the minimum ports necessary for the remote sites to communicate back to the data center.  This includes Active Directory traffic.  I'm very green with security, especially on this 2921.  I've done limited research on getting AD traffic through a firewall and my understanding of this is that the host communicates with the AD controller over a well-known port (mapper service) which then instructs the client to use a randomly generated port in a very large range for future communication with the AD controller.  This would then mean that the 2921 would need to be able to inspect this first traffic flow and then dynamically open up just the minimum  port(s) required to allow the host to talk to the AD controller.  Is my 2921 with the version/feature set its running capable of doing this?  If not, can it be made capable to do this with additional hw and/or licensing?

Thanks,

Steven                

Labels:
0 Helpful
3 Replies 3

Julio Carvajal
VIP Alumni
VIP Alumni

‎11-07-2012 01:08 PM

Hello,

You mean to be able to inpect trafffic and open the required pinholes?

It is, you can run the ZBFW in this box with not a problem at all,

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

sdavids5670
Level 2
Level 2
In response to Julio Carvajal

‎11-08-2012 10:56 AM

I've been playing around with the "ip inspect" command and I've got things working partially.  There's a large list of well-known protocols available with the ip inspect command.  However, I cannot find the one for endpoint mapper (tcp/135).  How do I define endpoint mapper in an ip inspect profile?

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to sdavids5670

‎11-08-2012 01:29 PM

Hello,

So running CBAC.

Here is how to create a port-map definition to inspect traffic:

The example will use RDP:

ip port-map user-rdp3389 port tcp 3389

Then you could match the traffic and inspected!

In your case just use tcp 135

Regards,

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card