cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5643
Views
0
Helpful
4
Replies

ASA DCERPC inspection not working properly

branfarm1
Level 4
Level 4

Hi there,

I'm attempting to configure DCERPC inspection on an ASA5510 and I'm running into problems.  My goal is to allow connections from a host on a DMZ interface to a host on the inside interface.

I first added an ACL entry on the DMZ interface to allow connections from Host A to Host B on TCP/135.

I then added the following class-map/policy-map/service-policy commands (copied almost verbatim from http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1725357):

class-map dcerpc

     match port tcp eq 135

policy-map type inspect dcerpc dcerpc_map

     parameters

     endpoint-mapper lookup-operation

     timeout pinhole 0:05:00

policy-map global_policy

     class inspection_default

          inspect dcerpc dcerpc_map

It appears that the initial connection works, but I still see errors in the log about traffic being denied from Host A to Host B on TCP ports >1024.

Can anyone help me figure out what I'm doing wrong?   I've tried changing the policy-map to not use the endpoint mapper, but that had no effect.

Thanks in advance,

Brandon

4 Replies 4

Herbert Baerten
Cisco Employee
Cisco Employee

To start with the obvious: did you apply the policy ?

i.e. do you have:

service-policy global_policy global

or something similar (e.g. you can apply it to the DMZ interface instead of using it globally)?

If yes, can you check:

show service-policy

sh asp table classify domain inspect-dcerpc

hth

Herbert

Hi Herbert,

Thanks for the reply.  Yes -- I do have the policy applied.  I had the default inspection policy applied prior to configuring this and I simply wanted to add DCERPC inspection.

Did you ever resolve this issue? I'm getting the same thing.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk97787

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk97762

Pls. take a look at both the defects. First one is documentation only. Second one is an enhancement defect which is not resolved yet.

What you do see in "debug dcerpc event/packet/error"

-KS

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: