I'm attempting to configure DCERPC inspection on an ASA5510 and I'm running into problems. My goal is to allow connections from a host on a DMZ interface to a host on the inside interface.
I first added an ACL entry on the DMZ interface to allow connections from Host A to Host B on TCP/135.
I then added the following class-map/policy-map/service-policy commands (copied almost verbatim from http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1725357):
! class-map and policy-map wrapper lines inferred from the Cisco example; the post omits them and the class-map name is assumed
class-map dcerpc_class
 match port tcp eq 135
policy-map type inspect dcerpc dcerpc_map
 timeout pinhole 0:05:00
policy-map global_policy
 class dcerpc_class
  inspect dcerpc dcerpc_map
It appears that the initial connection works, but I still see errors in the log about traffic being denied from Host A to Host B on TCP ports >1024.
Can anyone help me figure out what I'm doing wrong? I've tried changing the policy-map to not use the endpoint mapper, but that had no effect.
Thanks in advance,
To start with the obvious: did you apply the policy?
i.e. do you have:
service-policy global_policy global
or something similar (e.g. you can apply it to the DMZ interface instead of using it globally)?
If yes, can you check:
sh asp table classify domain inspect-dcerpc
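For reference, here is a complete DCERPC inspection configuration applied on the DMZ interface rather than in the global policy, as the reply above suggests. This is an added example, not the poster's running config and not the Cisco documentation example; the interface names (dmz, inside), the host addresses, and the object and policy names are assumptions chosen for illustration. It uses the parameters submode under the inspect policy-map, which is how current ASA releases place timeout pinhole.

```cisco
! Added example; interface names, addresses and policy names are assumptions.
! Host A = 10.10.10.5 on dmz (client), Host B = 192.168.1.20 on inside (RPC server).
!
! The ACL needs only the endpoint mapper port. The inspection engine parses the
! EPM response and opens a pinhole for the dynamic port Host B hands back, so
! the ephemeral ports (>1024) must not be added to the ACL by hand.
access-list dmz_access_in extended permit tcp host 10.10.10.5 host 192.168.1.20 eq 135
access-group dmz_access_in in interface dmz
!
! Traffic selector: the endpoint mapper session on TCP/135.
class-map dcerpc_class
 match port tcp eq 135
!
! Inspection parameters. "timeout pinhole" bounds how long an unused pinhole
! stays open after the EPM lookup; keep it short so a mapped port does not
! remain reachable long after the client is done.
policy-map type inspect dcerpc dcerpc_map
 parameters
  timeout pinhole 0:05:00
!
! Bind the class to an interface policy. Only one service-policy can be applied
! per interface (plus one global policy), so any other per-interface inspection
! for dmz has to live in this same policy-map.
policy-map dmz_policy
 class dcerpc_class
  inspect dcerpc dcerpc_map
service-policy dmz_policy interface dmz
!
! Verification, run while Host A connects to Host B:
! show service-policy interface dmz
! show asp table classify domain inspect-dcerpc
! show conn address 10.10.10.5
! debug dcerpc event
```

The pinhole is only created when the EPM request and response on TCP/135 actually pass through this ASA and are inspected; a connection to a high port that the client learned some other way (a cached port, or a lookup that went over a path the ASA did not see) is still matched against the ACL alone and logged as a deny.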
Thanks for the reply. Yes -- I do have the policy applied. I had the default inspection policy applied prior to configuring this and I simply wanted to add DCERPC inspection.
Did you ever resolve this issue? I'm getting the same thing.
Please take a look at both defects. The first one is documentation only. The second one is an enhancement defect which is not resolved yet.
What do you see in "debug dcerpc event/packet/error"?