06-20-2010 12:58 AM - edited 03-11-2019 11:01 AM
One of my clients has upgraded their Microsoft as well as network infrastructure. Now Exchange 2010 and Windows Server 2008 would be in DMZs. The Microsoft consultant informs us that the Windows clients on the inside network will be using RPC to communicate with the servers in the DMZ for several communications, like when a client goes to authenticate with LDAP; they will communicate on random ports.
Now the requirement is not to use the *any* clause in the ACL. Is there a way that I can cater for dynamic ports using ILS or something else?
06-20-2010 03:35 AM
Omair,
What port is the initial RPC exchange done on?
Truth be told, if the newly allocated port is not communicated within a standard stream, ASA will not inspect it and will not open a port dynamically, since it does not know which ports it should open.
We have sunrpc inspection but it only inspects tcp/111 AFAIR.
We also have dcerpc inspection ... tcp/135.
Let me know how it goes...
Marcin
06-21-2010 05:15 AM
Hi Marcin:
I am having a problem with DCERPC. We have two FWSM firewalls. The FWSM version is 4.0(11) with an active/standby failover configuration. We are using the default DCERPC inspection, as follows:
class-map inspection_default
 description Default Inspection
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dcerpc
!
service-policy global_policy global
TCP/135 is allowed, but the inspection is not working as expected, since some ports are getting blocked:
2|Jun 21 2010 13:15:00|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4780) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:01|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.15(2554) -> SRVRS/10.1.0.20(1026) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:05|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4781) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:10|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4783) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:14|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.18(1413) -> SRVRS/10.1.0.53(1073) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:15|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4784) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:20|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4785) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:23|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.15(2558) -> SRVRS/10.1.0.20(1026) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:25|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4786) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:30|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4788) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
I have tried to customize the DCERPC inspection, but it did not work:
policy-map type inspect dcerpc DCEPRC
 description DCERPC
 parameters
  endpoint-mapper lookup-operation timeout 0:15:00
  timeout pinhole 0:15:00
Would you please advise?
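Marcin's point above is that the firewall only opens a pinhole for a port it has seen handed out inside the inspected tcp/135 endpoint-mapper exchange; a denied hit on a high port therefore means either the port was negotiated outside that stream or the pinhole had already timed out. A quick way to triage the 106100 messages Abu_Khair posted is to parse them and group the denies by destination port, so that each port can be checked against the EPM exchange. The following is an added example, not code from the thread or from Cisco; it assumes every line has exactly the `priority|timestamp|106100: ...` layout shown in the post, and the embedded sample lines are copied from that post. (One thing also worth checking against the posted config: the custom `DCEPRC` map is only used if the class carries `inspect dcerpc DCEPRC` rather than the bare `inspect dcerpc` shown in `global_policy`.)

```python
import re
from collections import Counter, defaultdict

# Regex for the FWSM/ASA 106100 ACL-hit message in the exact layout of the
# posted lines (priority | timestamp | 106100: text). Assumption: lines that
# do not fit this layout are skipped rather than parsed.
ACL_HIT = re.compile(
    r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<sif>[^/\s]+)/(?P<sip>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[^/\s]+)/(?P<dip>[\d.]+)\((?P<dport>\d+)\) "
    r"hit-cnt (?P<hits>\d+)"
)

# Sample input: the ten denied hits quoted in the post above.
SAMPLE_LOG = """
2|Jun 21 2010 13:15:00|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4780) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:01|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.15(2554) -> SRVRS/10.1.0.20(1026) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:05|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4781) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:10|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4783) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:14|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.18(1413) -> SRVRS/10.1.0.53(1073) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:15|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4784) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:20|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4785) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:23|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.15(2558) -> SRVRS/10.1.0.20(1026) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:25|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4786) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:30|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4788) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
"""


def parse_acl_hits(text):
    """Yield one dict per line that matches the 106100 layout; ports and
    counters are converted to int, everything else stays a string."""
    for line in text.splitlines():
        m = ACL_HIT.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sev", "sport", "dport", "hits"):
            rec[key] = int(rec[key])
        yield rec


def denied_destinations(text):
    """Total denied hit-cnt per (dst_ip, dst_port)."""
    totals = Counter()
    for rec in parse_acl_hits(text):
        if rec["action"] == "denied":
            totals[(rec["dip"], rec["dport"])] += rec["hits"]
    return totals


def sources_per_destination(text):
    """Set of source hosts that were denied towards each (dst_ip, dst_port)."""
    sources = defaultdict(set)
    for rec in parse_acl_hits(text):
        if rec["action"] == "denied":
            sources[(rec["dip"], rec["dport"])].add(rec["sip"])
    return sources


def likely_dynamic_rpc(text, low=1025):
    """Denied destinations whose port is above the well-known range. With
    'inspect dcerpc' active, these are the ports the endpoint-mapper pinhole
    should have covered, so they are the first to compare against the
    tcp/135 exchange and the pinhole timeout."""
    return {dest for dest in denied_destinations(text) if dest[1] >= low}


if __name__ == "__main__":
    totals = denied_destinations(SAMPLE_LOG)
    sources = sources_per_destination(SAMPLE_LOG)
    for (dip, dport), hits in totals.most_common():
        print(f"{dip}:{dport}  denied {hits}x  from {sorted(sources[(dip, dport)])}")
    print("high-port candidates:", sorted(likely_dynamic_rpc(SAMPLE_LOG)))
```

Run over the posted lines, the report shows one destination, 10.1.0.15:34509, absorbing most of the denies from a single client, which is the pattern to expect when a port learned on tcp/135 never got its pinhole or the pinhole expired before the client reconnected.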
06-21-2010 06:27 AM
Abu_Khair,
If you're sure it's RPC - possibly:
Marcin