Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2378
Views
0
Helpful
2
Replies

DCERPC Inspection Does not Seem to work (OPC Communication)

lizhongqiqq
Level 1
Level 1

‎08-07-2013 10:44 PM - edited ‎03-11-2019 07:23 PM

Here is my situation: I have an OPC server (10.10.100.100/24) sitting at the secure side of the ASA Firewall 5512 (IOS: asa861-2-smp-k8.bin and ASDM Image asdm-66114.bin) and an OPC Client (192.168.100.100/24) sitting at the unsecure side (DMZ) of the firewall. The OPC client uses the MicroSoft DCOM protocol to communicate. (Note: NO OPC Server and Client Configuration issue since the communication is fine when they are in the same network). Because of that, I first allow the inbound TCP traffic (TCP Port 135) from OPC Client to OPC server to pass through the firewall using ACL "ManagementDMZ_access_in" on the DMZ interface. Then I enabled DCERPC Inspection. Based on the DCERPC Inspection result, there is 73 DCERPC packets with 0 drop. However, the ASDM Log shows the data traffic from OPC client to OPC server with dynamic TCP port was blocked by the Inbound ACL, which I think it should be allowed to pass through with DCERPC Inspection. Did I miss anything or anyone has any hit? Your help is much appreciated!

The following is the running config:

ciscoasa# show run

: Saved

:

ASA Version 8.6(1)

!

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0/0

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/1

nameif ManagementDMZ

security-level 50

ip address 192.168.100.1 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

nameif PINNetwork

security-level 100

ip address 10.10.100.1 255.255.255.0

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif Int_Management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa861-2-smp-k8.bin

ftp mode passive

object-group service DCOM tcp

port-object eq 135

access-list ManagementDMZ_access_in extended permit tcp host 192.168.100.100 host 10.10.100.100 object-group DCOM

pager lines 24

logging enable

logging asdm-buffer-size 512

logging asdm informational

mtu ManagementDMZ 1500

mtu PINNetwork 1500

mtu Int_Management 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-66114.bin

no asdm history enable

arp timeout 14400

access-group ManagementDMZ_access_in in interface ManagementDMZ

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.10 255.255.255.255 Int_Management

http 192.168.100.100 255.255.255.255 ManagementDMZ

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect icmp

  inspect dcerpc

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly 19

  subscribe-to-alert-group configuration periodic monthly 19

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:4e4615c35b81b98269c7090fe6cd364a

: end

The following are the DCERPC Inspection result:

ciscoasa# show service-policy

Global policy:

  Service-policy: global_policy

    Class-map: inspection_default

      Inspect: dns preset_dns_map, packet 0, lock fail 0, drop 0, reset-drop 0

      Inspect: ftp, packet 0, lock fail 0, drop 0, reset-drop 0

      Inspect: h323 h225 _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0

               tcp-proxy: bytes in buffer 0, bytes dropped 0

      Inspect: h323 ras _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0

      Inspect: ip-options _default_ip_options_map, packet 0, lock fail 0, drop 0, reset-drop 0

      Inspect: netbios, packet 0, lock fail 0, drop 0, reset-drop 0

      Inspect: rsh, packet 0, lock fail 0, drop 0, reset-drop 0

      Inspect: rtsp, packet 0, lock fail 0, drop 0, reset-drop 0

               tcp-proxy: bytes in buffer 0, bytes dropped 0

      Inspect: skinny , packet 0, lock fail 0, drop 0, reset-drop 0

               tcp-proxy: bytes in buffer 0, bytes dropped 0

      Inspect: esmtp _default_esmtp_map, packet 0, lock fail 0, drop 0, reset-drop 0

      Inspect: sqlnet, packet 0, lock fail 0, drop 0, reset-drop 0

      Inspect: sunrpc, packet 0, lock fail 0, drop 0, reset-drop 0

               tcp-proxy: bytes in buffer 0, bytes dropped 0

      Inspect: tftp, packet 0, lock fail 0, drop 0, reset-drop 0

      Inspect: sip , packet 0, lock fail 0, drop 0, reset-drop 0

               tcp-proxy: bytes in buffer 0, bytes dropped 0

      Inspect: xdmcp, packet 0, lock fail 0, drop 0, reset-drop 0

      Inspect: icmp, packet 8, lock fail 0, drop 0, reset-drop 0

      Inspect: dcerpc, packet 73, lock fail 0, drop 0, reset-drop 0

               tcp-proxy: bytes in buffer 0, bytes dropped 0

The following is the ASDM Log (keep recycled):

013|16:34:52|106023|192.168.100.100|1904|10.10.100.100|50037|Deny tcp src ManagementDMZ:192.168.100.100/1904 dst PINNetwork:10.10.100.100/50037 by access-group "ManagementDMZ_access_in" [0x0, 0x0]

4|Aug 07 2013|16:34:46|106023|192.168.100.100|1904|10.10.100.100|50037|Deny tcp src ManagementDMZ:192.168.100.100/1904 dst PINNetwork:10.10.100.100/50037 by access-group "ManagementDMZ_access_in" [0x0, 0x0]

4|Aug 07 2013|16:34:43|106023|192.168.100.100|1904|10.10.100.100|50037|Deny tcp src ManagementDMZ:192.168.100.100/1904 dst PINNetwork:10.10.100.100/50037 by access-group "ManagementDMZ_access_in" [0x0, 0x0]

6|Aug 07 2013|16:34:42|302013|192.168.100.100|1903|10.10.100.100|135|Built inbound TCP connection 384 for ManagementDMZ:192.168.100.100/1903 (192.168.100.100/1903) to PINNetwork:10.10.100.100/135 (10.10.100.100/135)

6|Aug 07 2013|16:34:42|302013|192.168.100.100|1902|10.10.100.100|135|Built inbound TCP connection 383 for ManagementDMZ:192.168.100.100/1902 (192.168.100.100/1902) to PINNetwork:10.10.100.100/135 (10.10.100.100/135)


The following is the DCERPC Debug:

ciscoasa# debug dcerpc error

ciscoasa# debug dcerpc event

ciscoasa# debug dcerpc packet

ciscoasa# DCERPC-PKT: bind id:1 - ManagementDMZ:192.168.100.100/1902 to PINNetwork:10.10.100.100/135.

DCERPC-EV: bind has non-epm uuid 99fcfec4-5260-101b-bbcb-00aa0021347a.

DCERPC-EV: bind with ctx_num:1

DCERPC-EV: retrieve ctx_id: 0, if-uuid: 99fcfec4

DCERPC-PKT: bind_ack id:1 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1902.

DCERPC-EV: bind_ack with ctxnum_result:1

DCERPC-EV: ctxid/result:0/0 accepted, ack_reason:0 tsyn: 8a885d04

DCERPC-PKT: request id:1 - ManagementDMZ:192.168.100.100/1902 to PINNetwork:10.10.100.100/135.

DCERPC-EV: valid_ctxid: alt:0 ctxnum:1 j:0 val:0 valid:1

DCERPC-PKT: response id:1 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1902.

DCERPC-PKT: bind id:2 - ManagementDMZ:192.168.100.100/1903 to PINNetwork:10.10.100.100/135.

DCERPC-EV: ISystemActivator UUID found

DCERPC-EV: bind with ctx_num:1

DCERPC-EV: retrieve ctx_id: 1, if-uuid: 000001a0

DCERPC-PKT: bind_ack id:2 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1903.

DCERPC-EV: bind_ack with ctxnum_result:1

DCERPC-EV: ctxid/result:1/0 accepted, ack_reason:0 tsyn: 8a885d04

DCERPC-PKT: auth id:2 - ManagementDMZ:192.168.100.100/1903 to PINNetwork:10.10.100.100/135.

DCERPC-PKT: request id:2 - ManagementDMZ:192.168.100.100/1903 to PINNetwork:10.10.100.100/135.

DCERPC-EV: valid_ctxid: alt:0 ctxnum:1 j:0 val:1 valid:1

DCERPC-PKT: request with opnum:4 call_id:2.

DCERPC-PKT: response id:2 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1903.

DCERPC-EV: prop_len 48 limited to -4

DCERPC-PKT: updated checksum and forward packet.

DCERPC-PKT: request id:3 - ManagementDMZ:192.168.100.100/1902 to PINNetwork:10.10.100.100/135.

DCERPC-EV: valid_ctxid: alt:0 ctxnum:1 j:0 val:0 valid:1

DCERPC-PKT: response id:3 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1902.

DCERPC-PKT: alter_context id:4 - ManagementDMZ:192.168.100.100/1903 to PINNetwork:10.10.100.100/135.

DCERPC-EV: alter_context has non-epm uuid 99fcfec4-5260-101b-bbcb-00aa0021347a.

DCERPC-EV: alter_context with ctx_num:1

DCERPC-EV: retrieve ctx_id: 0, if-uuid: 99fcfec4

DCERPC-PKT: alter_context_resp id:4 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1903.

DCERPC-EV: alter_context_resp with ctxnum_result:1

DCERPC-EV: ctxid/result:0/0 accepted, ack_reason:0 tsyn: 8a885d04

DCERPC-PKT: request id:4 - ManagementDMZ:192.168.100.100/1903 to PINNetwork:10.10.100.100/135.

DCERPC-EV: valid_ctxid: alt:1 ctxnum:1 j:0 val:0 valid:1

DCERPC-PKT: response id:4 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1903.

DCERPC-PKT: bind id:5 - ManagementDMZ:192.168.100.100/1913 to PINNetwork:10.10.100.100/135.

DCERPC-EV: bind has non-epm uuid 99fcfec4-5260-101b-bbcb-00aa0021347a.

DCERPC-EV: bind with ctx_num:1

DCERPC-EV: retrieve ctx_id: 0, if-uuid: 99fcfec4

DCERPC-PKT: bind_ack id:5 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1913.

DCERPC-EV: bind_ack with ctxnum_result:1

DCERPC-EV: ctxid/result:0/0 accepted, ack_reason:0 tsyn: 8a885d04

DCERPC-PKT: auth id:5 - ManagementDMZ:192.168.100.100/1913 to PINNetwork:10.10.100.100/135.

DCERPC-PKT: request id:5 - ManagementDMZ:192.168.100.100/1913 to PINNetwork:10.10.100.100/135.

DCERPC-EV: valid_ctxid: alt:0 ctxnum:1 j:0 val:0 valid:1

DCERPC-PKT: response id:5 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1913.

DCERPC-PKT: bind id:6 - ManagementDMZ:192.168.100.100/1918 to PINNetwork:10.10.100.100/135.

DCERPC-EV: bind has non-epm uuid 99fcfec4-5260-101b-bbcb-00aa0021347a.

DCERPC-EV: bind with ctx_num:1

DCERPC-EV: retrieve ctx_id: 0, if-uuid: 99fcfec4

DCERPC-PKT: bind_ack id:6 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1918.

DCERPC-EV: bind_ack with ctxnum_result:1

DCERPC-EV: ctxid/result:0/0 accepted, ack_reason:0 tsyn: 8a885d04

DCERPC-PKT: auth id:6 - ManagementDMZ:192.168.100.100/1918 to PINNetwork:10.10.100.100/135.

DCERPC-PKT: request id:6 - ManagementDMZ:192.168.100.100/1918 to PINNetwork:10.10.100.100/135.

DCERPC-EV: valid_ctxid: alt:0 ctxnum:1 j:0 val:0 valid:1

DCERPC-PKT: response id:6 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1918.

ciscoasa# DCERPC-PKT: bind id:7 - ManagementDMZ:192.168.100.100/1919 to PINNetwork:10.10.100.100/135.

DCERPC-EV: bind has non-epm uuid 99fcfec4-5260-101b-bbcb-00aa0021347a.

DCERPC-EV: bind with ctx_num:1

DCERPC-EV: retrieve ctx_id: 0, if-uuid: 99fcfec4

DCERPC-PKT: bind_ack id:7 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1919.

DCERPC-EV: bind_ack with ctxnum_result:1

DCERPC-EV: ctxid/result:0/0 accepted, ack_reason:0 tsyn: 8a885d04

DCERPC-PKT: auth id:7 - ManagementDMZ:192.168.100.100/1919 to PINNetwork:10.10.100.100/135.

DCERPC-PKT: request id:7 - ManagementDMZ:192.168.100.100/1919 to PINNetwork:10.10.100.100/135.

DCERPC-EV: valid_ctxid: alt:0 ctxnum:1 j:0 val:0 valid:1

DCERPC-PKT: response id:7 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1919.

Attached is also the wireshark captured packets.

3 people had this problem
Labels:
15365475-Wireshark Packages.pcapng.zip
0 Helpful
2 Replies 2

LumensionCCO
Level 1
Level 1

‎01-17-2014 03:21 PM

Any luck with this Zhongqi Li? I'm trying to do something similar now.

0 Helpful

ketangandhi3
Level 1
Level 1
In response to LumensionCCO

‎02-21-2014 11:09 AM

m also facing same issue... have you succeed to resolved the same???

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card