
ASA DCERPC inspection not working properly


Hi there,

I'm attempting to configure DCERPC inspection on an ASA5510 and I'm running into problems.  My goal is to allow connections from a host on a DMZ interface to a host on the inside interface.

I first added an ACL entry on the DMZ interface to allow connections from Host A to Host B on TCP/135.

I then added the following class-map/policy-map/service-policy commands (copied almost verbatim from

class-map dcerpc
     match port tcp eq 135
policy-map type inspect dcerpc dcerpc_map
     endpoint-mapper lookup-operation
     timeout pinhole 0:05:00
policy-map global_policy
     class inspection_default
          inspect dcerpc dcerpc_map

It appears that the initial connection works, but I still see errors in the log about traffic being denied from Host A to Host B on TCP ports >1024.

Can anyone help me figure out what I'm doing wrong?   I've tried changing the policy-map to not use the endpoint mapper, but that had no effect.

Thanks in advance,



Herbert Baerten
Cisco Employee

To start with the obvious: did you apply the policy?

i.e. do you have:

service-policy global_policy global

or something similar (e.g. you can apply it to the DMZ interface instead of using it globally)?

If yes, can you check:

show service-policy

sh asp table classify domain inspect-dcerpc
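
An offline counterpart to the "did you apply the policy?" check in the reply above, added here as an example that is not part of the original thread or any Cisco tool: it reads a saved configuration and lists class maps, policy maps and inspect maps that are defined but never referenced or applied. The names `audit_policy` and `SAMPLE_CONFIG` are hypothetical, and the sample is constructed from the lines posted in the question.

```python
# Added example: static wiring check for an ASA modular policy configuration.
# SAMPLE_CONFIG is constructed from the lines posted in the question; no
# service-policy line is included because the question did not show one.
SAMPLE_CONFIG = """\
class-map dcerpc
 match port tcp eq 135
policy-map type inspect dcerpc dcerpc_map
 endpoint-mapper lookup-operation
 timeout pinhole 0:05:00
policy-map global_policy
 class inspection_default
  inspect dcerpc dcerpc_map
"""


def audit_policy(config):
    """Return findings about maps that are defined but never used or applied."""
    class_maps, policy_maps, inspect_maps = set(), set(), set()
    used_classes, used_inspect_maps, applied = set(), set(), set()
    for raw in config.splitlines():
        tok = raw.split()
        if len(tok) < 2:
            continue
        if tok[0] == "class-map" and "type" not in tok:
            class_maps.add(tok[-1])              # layer 3/4 class map
        elif tok[0] == "policy-map" and tok[1:3] == ["type", "inspect"]:
            inspect_maps.add(tok[-1])            # e.g. dcerpc_map
        elif tok[0] == "policy-map":
            policy_maps.add(tok[-1])             # e.g. global_policy
        elif tok[0] == "class":
            used_classes.add(tok[1])
        elif tok[0] == "inspect" and len(tok) >= 3:
            used_inspect_maps.add(tok[2])        # inspect <protocol> <map>
        elif tok[0] == "service-policy":
            applied.add(tok[1])
    findings = [f"policy-map {n} is not applied by any service-policy"
                for n in sorted(policy_maps - applied)]
    findings += [f"class-map {n} is not referenced by any policy-map class"
                 for n in sorted(class_maps - used_classes)]
    findings += [f"inspect map {n} is not referenced by any inspect command"
                 for n in sorted(inspect_maps - used_inspect_maps)]
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_CONFIG):
        print(finding)
```

A finding from this check is only a lead; `show service-policy` on the device remains the authority on what is actually being inspected.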



Hi Herbert,

Thanks for the reply.  Yes -- I do have the policy applied.  I had the default inspection policy applied prior to configuring this and I simply wanted to add DCERPC inspection.

Did you ever resolve this issue? I'm getting the same thing.

Pls. take a look at both the defects. First one is documentation only. Second one is an enhancement defect which is not resolved yet.

What do you see in "debug dcerpc event/packet/error"?

