ASA DCERPC issue

Ge Qu
Level 1

Hi,

I am using Nagios to monitor our Windows server using WMI, so I configured DCERPC inspection on our ASA 5520 firewall, but I still see the deny on port > 1024.

Below is the configuration:

class-map MSRPC
 match port tcp eq 135
!
policy-map type inspect dcerpc MSRPC-MAP
 description dcerpc inspection for MAP and LOOKUP ops
 parameters
  endpoint-mapper lookup-operation
  timeout pinhole 0:03:00
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect skinny
  inspect icmp
  inspect dcerpc
!
policy-map MSRPC
 class MSRPC
  inspect dcerpc MSRPC-MAP
!
service-policy global_policy global
service-policy MSRPC interface pci-management
service-policy MSRPC interface pci-external-svcs
!

ACL to allow tcp on port 135 is in place as well.

I also tried to use the policy parameter with epm only, and it doesn't work.

I also tried to remove the inspection of dcerpc from global_policy and it's doing the same thing.

I also tried to only apply the policy-map on the Nagios interface, still the same thing.

Can anyone help me out about this please?


BrianSekleckiGE
Level 1

I have the same problem.

Just to confirm:

Do your ACLs explicitly authorize TCP/135? Or are you relying on default Cisco ASA behavior based on interface security levels?

I ask because: DCERPC / DCOM-RPC enabled Windows applications that communicate with each other are often uni-directional. E.g., it seems that either host can be the TCP/135 server, accepting the control connection, and then all the resulting ephemeral TCP ports are independent of the original TCP/135 connection.

I'm filing a support request with Cisco now to get an official statement on the status of the dcerpc inspection engine module.
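Added example (not from either post, and not Cisco's own tooling): a small Python triage script that reads ASA syslog lines and flags denied high-port TCP flows between host pairs that already built a TCP/135 endpoint-mapper connection, in either direction, which is the symptom described in both posts above. The log lines, addresses, interface names and ACL names are constructed; the script assumes the lines arrive in order and relies on the documented %ASA-6-302013 (built connection) and %ASA-4-106023 (ACL deny) message formats.

```python
import re

# Constructed sample ASA syslog lines (invented addresses, interface and ACL names).
# Line 1: Nagios host reaches the Windows endpoint mapper on TCP/135.
# Lines 2-3: follow-on ephemeral-port flows between the same pair are denied, in
# both directions.  Line 4: an unrelated deny that should not be flagged.
SAMPLE_LOGS = """\
%ASA-6-302013: Built outbound TCP connection 41 for pci-management:10.10.10.7/51234 (10.10.10.7/51234) to pci-external-svcs:10.10.20.5/135 (10.10.20.5/135)
%ASA-4-106023: Deny tcp src pci-management:10.10.10.7/51235 dst pci-external-svcs:10.10.20.5/49155 by access-group "mgmt_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src pci-external-svcs:10.10.20.5/61000 dst pci-management:10.10.10.7/49160 by access-group "svcs_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src pci-management:10.10.10.9/40000 dst pci-external-svcs:10.10.20.8/3389 by access-group "mgmt_in" [0x0, 0x0]
"""

BUILT_RE = re.compile(
    r"%ASA-6-302013: Built (?:inbound|outbound) TCP connection \d+ "
    r"for [^:\s]+:(?P<src>[^/\s]+)/(?P<sport>\d+) \([^)]*\) "
    r"to [^:\s]+:(?P<dst>[^/\s]+)/(?P<dport>\d+) \([^)]*\)"
)
DENY_RE = re.compile(
    r"%ASA-4-106023: Deny tcp src [^:\s]+:(?P<src>[^/\s]+)/(?P<sport>\d+) "
    r"dst [^:\s]+:(?P<dst>[^/\s]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\""
)
EPM_PORT = 135  # DCERPC endpoint mapper


def correlate_denies(log_text):
    """Return (src, dst, dport, acl) for each denied TCP flow to a port > 1024
    between two hosts that earlier completed a TCP/135 connection through the
    ASA.  Direction is ignored, since either host may open the follow-on flow."""
    epm_pairs = set()  # unordered host pairs with a built TCP/135 connection
    suspects = []
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m and int(m["dport"]) == EPM_PORT:
            epm_pairs.add(frozenset((m["src"], m["dst"])))
            continue
        m = DENY_RE.search(line)
        if not m:
            continue
        pair = frozenset((m["src"], m["dst"]))
        # A deny to an ephemeral port between hosts that already did the
        # endpoint-mapper exchange is the signature of a missing dcerpc pinhole.
        if pair in epm_pairs and int(m["dport"]) > 1024:
            suspects.append((m["src"], m["dst"], int(m["dport"]), m["acl"]))
    return suspects


if __name__ == "__main__":
    for src, dst, dport, acl in correlate_denies(SAMPLE_LOGS):
        print(f"likely missing DCERPC pinhole: {src} -> {dst}:{dport} (denied by {acl})")
```

Feed it real `show logging` output or a syslog export to separate pinhole failures from ordinary ACL denies before changing policy.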
