ASA MS-RPC non epm on interim version 8.3.2(4)

m.kafka
Level 4

Hi everybody

I have a rather tricky challenge:

(problem identified but not solved yet)

We have an MS-OWA frontend (yes, not the new ISA) on the DMZ communicating with the Exchange backend and a DC cluster (3 DCs altogether with different functions scattered among them like global catalog etc...) on the inside. At the moment I need to permit traffic quite generously from the OWA frontend to the Exchange backend and DCs. That's because some RPC connections don't use the EPM; it shows clearly in the debug rpc output and the behaviour matches pretty closely the "caveats" of RPC inspection.

ASA 8.3 main line does not support dce-rpc without end point mapper. I heard about an interim release 8.3.2(4) which should fix it.

Has anyone experience with that version in the field? Is it worth the upgrade? (We have a SMARTnet contract for the ASA.)

Input and thoughts are highly appreciated.

Rgds,

MiKa

PS I've read the release notes on http://www.cisco.com/web/software/280775065/38969/ASA-832-Interim-Release-Notes.html


5 Replies

lginod
Level 1

Hello Mika,

From the internal documentation on the bug and the attached cases I don't see anyone specifically having tried this version. But I could see that they used workarounds such as opening ports > 1024 for the specific hosts concerned. But according to the release notes this should be fixed. So I would suggest giving it a try.

Sent from Cisco Technical Support iPhone App

Thx Lourdes,

That's what I'm doing now, opening TCP >1024, which is not really a good solution.

Would you recommend trying the interim? Was it tried out in the Cisco labs?

Rgds,

MiKa
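For readers comparing the two approaches discussed in this thread, here is an added illustration (not configuration from the original post or from Cisco) of the broad ">1024" workaround beside the DCERPC-inspection approach that relies on the firewall opening pinholes for the dynamically negotiated ports. The addresses, ACL name, interface name and the host pair are assumed placeholders; the timeout value is arbitrary.

```cisco
! --- Interim workaround currently in use (weak) ---
! A static hole from the OWA front end (placeholder 192.0.2.10) to the
! Exchange back end (placeholder 10.1.1.20) for every TCP port above 1024.
! Any listener on a high port on the back end becomes reachable from the DMZ.
access-list dmz_in extended permit tcp host 192.0.2.10 host 10.1.1.20 gt 1024
access-group dmz_in in interface dmz

! --- Preferred once the code handles non-EPM exchanges ---
! Statically permit only the end point mapper port (TCP/135); the dynamic
! high ports are then opened per connection by DCERPC inspection and
! closed again when the pinhole timeout expires.
access-list dmz_in extended permit tcp host 192.0.2.10 host 10.1.1.20 eq 135
access-group dmz_in in interface dmz

! Classify the EPM traffic that inspection should track.
class-map dcerpc_traffic
 match port tcp eq 135

! Inspection parameters: how long an unused pinhole stays open
! (assumed value; the default is shorter).
policy-map type inspect dcerpc dcerpc_map
 parameters
  timeout pinhole 0:10:00

! Attach the inspection to the global policy.
policy-map global_policy
 class dcerpc_traffic
  inspect dcerpc dcerpc_map

service-policy global_policy global
```

The difference worth checking after the change is that only TCP/135 remains statically permitted; every other port is opened on demand and only for the negotiated endpoint pair.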

Are you talking about this ENH caveat?

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk97762

Symptom:
This is an enhancement request to allow DCERPC inspection to open pinholes for non-epm exchanges.


Further Problem Description:
RemoteCreateInstance requests and responses initiate new connections in the RPC protocol. Currently the ASA only identifies and inspects EPM exchanges with the DCERPC protocol.

This has been resolved in the codes: 8.3.2(1)

If you are running 8.3.2(4) it should have the fix.

-KS

lginod
Level 1

Hello Mika, it is tested in Cisco labs and hence documented. So I suggest moving to that version for the fix.

Sent from Cisco Technical Support iPhone App

-- Please rate the solutions

Dear Poonguzhali Sankar, dear Lourdes Gino D,

Thanks for your help. I will upgrade to the interim in the next possible service window...

Best regards,

MiKa
