Configuring & Verifying RPC Policy on ASA

Hello,

I currently have the following configuration set on my ASA and would like to know if this is set up properly.  I understand you can specify policy-map types and class map types but don't see/know how to apply these to an interface.  Can I get a little guidance on this?  I don't want to open up the dynamic range of ports and would like to inspect RPC.

Current Config:

! L7 (inspection) policy map for DCERPC; no parameters are changed, so defaults apply
policy-map type inspect dcerpc RPC-PM
!
! L3/L4 class map: match traffic to the RPC endpoint mapper (TCP/135)
class-map RPC-CM
 match port tcp eq 135
!
! L3/L4 policy map that calls the L7 policy for the matched class
policy-map INSPECT-RPC
 class RPC-CM
  inspect dcerpc RPC-PM
!
! Apply the L3/L4 policy to both interfaces
service-policy INSPECT-RPC interface inside
service-policy INSPECT-RPC interface pmont

Service-Policy Output:

Interface inside:
  Service-policy: INSPECT-RPC
    Class-map: RPC-CM
      Inspect: dcerpc RPC-PM, packet 103369, lock fail 0, drop 2, reset-drop 0, 5-min-pkt-rate 7 pkts/sec, v6-fail-close 0 sctp-drop-override 0
        tcp-proxy: bytes in buffer 0, bytes dropped 0

Interface pmont:
  Service-policy: INSPECT-RPC
    Class-map: RPC-CM
      Inspect: dcerpc RPC-PM, packet 10270, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 1 pkts/sec, v6-fail-close 0 sctp-drop-override 0
        tcp-proxy: bytes in buffer 0, bytes dropped 0

Thanks!

2 Replies

What you are doing is correct. You can't assign an L7 policy map directly to an interface. You need to call it from an L4 policy map, as you do.

In this case you aren't changing the default settings for inspecting DCERPC; therefore, I don't see why you are creating an L7 policy. You can apply inspect directly without an L7 policy.

The policy that I created doesn't appear to be working.  If I explicitly define the dynamic port range in my ACL then my connections work.  However, if I disable those rules and rely on the policy map, they don't work.  Can you provide an example as to how I can inspect RPC without having to define the dynamic port range in my ACL?

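The following is an added example, not configuration from either poster, that shows both points raised in the thread: the first reply's suggestion to apply `inspect dcerpc` without a separate L7 policy (here, in the default global policy), and the second post's request for a configuration that inspects RPC without permitting the dynamic port range in the ACL. The object name, addresses, ACL name and the assumption that pmont is the lower-security interface hosting the RPC clients are all hypothetical.

```cisco
! Assumed topology (example only): RPC clients on the pmont side connect to an
! RPC server 10.1.1.10 on the inside interface. pmont is the lower-security side,
! so an inbound ACL there must permit the endpoint-mapper connection.
object network RPC-SERVER
 host 10.1.1.10

! Permit only the endpoint mapper (TCP/135). The dynamic range
! (49152-65535 on current Windows releases) is deliberately NOT permitted:
! the DCERPC inspection engine opens a per-session pinhole for the port the
! endpoint mapper hands back, so a static ACL entry for the range is unnecessary.
access-list PMONT-IN extended permit tcp any object RPC-SERVER eq 135
access-list PMONT-IN extended deny ip any any log
access-group PMONT-IN in interface pmont

! Optional L7 policy. Only needed when a default must be changed, e.g. a longer
! pinhole timeout for clients that connect to the mapped port slowly. Omit it
! (and use a bare "inspect dcerpc") if defaults are acceptable.
policy-map type inspect dcerpc RPC-PM
 parameters
  timeout pinhole 0:05:00

! Enable DCERPC inspection in the default global policy. The inspection_default
! class already matches TCP/135 through "match default-inspection-traffic", so no
! separate class map is required, and the global policy covers every interface.
! Remove the per-interface INSPECT-RPC policy first: an interface policy takes
! precedence over the global one for the same feature.
no service-policy INSPECT-RPC interface inside
no service-policy INSPECT-RPC interface pmont
policy-map global_policy
 class inspection_default
  inspect dcerpc RPC-PM
service-policy global_policy global

! Verification, after a client on the pmont side has used the server:
! show service-policy inspect dcerpc
!   -> packet and drop counters per interface; "packet" must increase when
!      a client talks to the endpoint mapper, otherwise the policy is not
!      seeing the TCP/135 flow at all.
! show conn address 10.1.1.10
!   -> the TCP/135 connection should be joined by a second connection to the
!      dynamic port the mapper returned; if only the 135 connection appears,
!      the pinhole was never created.
! packet-tracer input pmont tcp 10.2.2.20 40000 10.1.1.10 135
!   -> confirms the ACL and the inspect action match the initial EPM connection.
```

Two caveats worth checking when the pinhole still does not open: the endpoint-mapper exchange itself (TCP/135) must traverse the ASA and be permitted by the ACL, because the engine learns the dynamic port only from that reply; and DCERPC inspection handles the endpoint mapper and ISystemActivator traffic, not RPC carried over SMB named pipes (TCP/445), which needs its own ACL entry.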