12-02-2009 06:09 AM - edited 03-11-2019 09:44 AM
Hi there,
I'm attempting to configure DCERPC inspection on an ASA5510 and I'm running into problems. My goal is to allow connections from a host on a DMZ interface to a host on the inside interface.
I first added an ACL entry on the DMZ interface to allow connections from Host A to Host B on TCP/135.
I then added the following class-map/policy-map/service-policy commands (copied almost verbatim from http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1725357):
class-map dcerpc
 match port tcp eq 135
policy-map type inspect dcerpc dcerpc_map
 parameters
  endpoint-mapper lookup-operation
  timeout pinhole 0:05:00
policy-map global_policy
 class inspection_default
  inspect dcerpc dcerpc_map
It appears that the initial connection works, but I still see errors in the log about traffic being denied from Host A to Host B on TCP ports >1024.
Can anyone help me figure out what I'm doing wrong? I've tried changing the policy-map to not use the endpoint mapper, but that had no effect.
Thanks in advance,
Brandon
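An added check, not part of the thread or Cisco's documentation: a short Python script that scans ASA syslog for the symptom described above, denies on TCP ports above 1024 between a host pair shortly after that pair built a TCP/135 (endpoint mapper) connection. With working DCERPC inspection those follow-up connections should have matched a pinhole, so any hit inside the pinhole window (5 minutes, matching the configured timeout) points at inspection not being applied to that traffic. The log lines are constructed in the standard %ASA-6-302013 / %ASA-4-106023 formats with made-up addresses.

```python
import re
from datetime import datetime, timedelta

# Constructed sample ASA syslog (not from the thread): Host A on dmz reaches
# the endpoint mapper on Host B (TCP/135), then its connections to the dynamic
# ports the EPM handed out are denied by the DMZ interface ACL.
SAMPLE_LOG = """\
Dec 02 2009 06:00:01 fw %ASA-6-302013: Built inbound TCP connection 4711 for dmz:10.10.10.5/49151 (10.10.10.5/49151) to inside:10.20.20.10/135 (10.20.20.10/135)
Dec 02 2009 06:00:02 fw %ASA-4-106023: Deny tcp src dmz:10.10.10.5/49152 dst inside:10.20.20.10/49154 by access-group "dmz_in" [0x0, 0x0]
Dec 02 2009 06:00:03 fw %ASA-4-106023: Deny tcp src dmz:10.10.10.5/49153 dst inside:10.20.20.10/49155 by access-group "dmz_in" [0x0, 0x0]
Dec 02 2009 06:09:00 fw %ASA-4-106023: Deny tcp src dmz:10.10.10.5/50001 dst inside:10.20.20.10/49160 by access-group "dmz_in" [0x0, 0x0]
"""

TS = r"(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})"
BUILT = re.compile(TS + r" .*%ASA-6-302013: Built inbound TCP connection \d+ for "
                   r"\w+:(?P<src>[\d.]+)/\d+ \S+ to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")
DENY = re.compile(TS + r" .*%ASA-4-106023: Deny tcp src \w+:(?P<src>[\d.]+)/\d+ "
                  r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")


def _ts(s):
    return datetime.strptime(s, "%b %d %Y %H:%M:%S")


def find_missing_pinholes(log_text, pinhole_timeout=timedelta(minutes=5)):
    """Return (time, src, dst, dport) for every deny of a port > 1024 between a
    host pair that built an EPM (TCP/135) connection within pinhole_timeout
    beforehand. Working DCERPC inspection should have opened those pinholes."""
    epm_seen = {}   # (src, dst) -> time the last TCP/135 connection was built
    flagged = []
    for line in log_text.splitlines():
        m = BUILT.match(line)
        if m and m["dport"] == "135":
            epm_seen[(m["src"], m["dst"])] = _ts(m["ts"])
            continue
        m = DENY.match(line)
        if not m or int(m["dport"]) <= 1024:
            continue
        last = epm_seen.get((m["src"], m["dst"]))
        if last is not None and _ts(m["ts"]) - last <= pinhole_timeout:
            flagged.append((m["ts"], m["src"], m["dst"], int(m["dport"])))
    return flagged


if __name__ == "__main__":
    # The deny at 06:09:00 falls outside the 5-minute pinhole window and is not flagged.
    for hit in find_missing_pinholes(SAMPLE_LOG):
        print("high-port deny inside pinhole window, inspection not opening ports:", hit)
```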
12-02-2009 06:23 AM
To start with the obvious: did you apply the policy?
i.e. do you have:
service-policy global_policy global
or something similar (e.g. you can apply it to the DMZ interface instead of using it globally)?
If yes, can you check:
show service-policy
sh asp table classify domain inspect-dcerpc
hth
Herbert
12-02-2009 06:27 AM
Hi Herbert,
Thanks for the reply. Yes -- I do have the policy applied. I had the default inspection policy applied prior to configuring this and I simply wanted to add DCERPC inspection.
08-10-2010 10:40 AM
Did you ever resolve this issue? I'm getting the same thing.
08-10-2010 10:56 AM
Please take a look at both defects. The first one is documentation only. The second one is an enhancement defect which is not resolved yet.
What do you see in "debug dcerpc event/packet/error"?
-KS