08-07-2013 10:44 PM - edited 03-11-2019 07:23 PM
Here is my situation: I have an OPC server (10.10.100.100/24) sitting at the secure side of the ASA Firewall 5512 (IOS: asa861-2-smp-k8.bin and ASDM Image asdm-66114.bin) and an OPC Client (192.168.100.100/24) sitting at the unsecure side (DMZ) of the firewall. The OPC client uses the Microsoft DCOM protocol to communicate. (Note: NO OPC Server and Client configuration issue, since the communication is fine when they are in the same network.) Because of that, I first allow the inbound TCP traffic (TCP Port 135) from OPC Client to OPC server to pass through the firewall using ACL "ManagementDMZ_access_in" on the DMZ interface. Then I enabled DCERPC Inspection. Based on the DCERPC Inspection result, there are 73 DCERPC packets with 0 drops. However, the ASDM Log shows the data traffic from OPC client to OPC server with a dynamic TCP port was blocked by the Inbound ACL, which I think should be allowed to pass through with DCERPC Inspection. Did I miss anything, or does anyone have any hints? Your help is much appreciated!
The following is the running config:
ciscoasa# show run
: Saved
:
ASA Version 8.6(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
nameif ManagementDMZ
security-level 50
ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
nameif PINNetwork
security-level 100
ip address 10.10.100.1 255.255.255.0
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif Int_Management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
object-group service DCOM tcp
port-object eq 135
access-list ManagementDMZ_access_in extended permit tcp host 192.168.100.100 host 10.10.100.100 object-group DCOM
pager lines 24
logging enable
logging asdm-buffer-size 512
logging asdm informational
mtu ManagementDMZ 1500
mtu PINNetwork 1500
mtu Int_Management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
access-group ManagementDMZ_access_in in interface ManagementDMZ
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.10 255.255.255.255 Int_Management
http 192.168.100.100 255.255.255.255 ManagementDMZ
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect dcerpc
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 19
subscribe-to-alert-group configuration periodic monthly 19
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4e4615c35b81b98269c7090fe6cd364a
: end
The following are the DCERPC Inspection results:
ciscoasa# show service-policy
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 0, lock fail 0, drop 0, reset-drop 0
Inspect: ftp, packet 0, lock fail 0, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: h323 ras _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0
Inspect: ip-options _default_ip_options_map, packet 0, lock fail 0, drop 0, reset-drop 0
Inspect: netbios, packet 0, lock fail 0, drop 0, reset-drop 0
Inspect: rsh, packet 0, lock fail 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, lock fail 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: skinny , packet 0, lock fail 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: esmtp _default_esmtp_map, packet 0, lock fail 0, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, lock fail 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, lock fail 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: tftp, packet 0, lock fail 0, drop 0, reset-drop 0
Inspect: sip , packet 0, lock fail 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: xdmcp, packet 0, lock fail 0, drop 0, reset-drop 0
Inspect: icmp, packet 8, lock fail 0, drop 0, reset-drop 0
Inspect: dcerpc, packet 73, lock fail 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
The following is the ASDM Log (keep recycled):
013|16:34:52|106023|192.168.100.100|1904|10.10.100.100|50037|Deny tcp src ManagementDMZ:192.168.100.100/1904 dst PINNetwork:10.10.100.100/50037 by access-group "ManagementDMZ_access_in" [0x0, 0x0]
4|Aug 07 2013|16:34:46|106023|192.168.100.100|1904|10.10.100.100|50037|Deny tcp src ManagementDMZ:192.168.100.100/1904 dst PINNetwork:10.10.100.100/50037 by access-group "ManagementDMZ_access_in" [0x0, 0x0]
4|Aug 07 2013|16:34:43|106023|192.168.100.100|1904|10.10.100.100|50037|Deny tcp src ManagementDMZ:192.168.100.100/1904 dst PINNetwork:10.10.100.100/50037 by access-group "ManagementDMZ_access_in" [0x0, 0x0]
6|Aug 07 2013|16:34:42|302013|192.168.100.100|1903|10.10.100.100|135|Built inbound TCP connection 384 for ManagementDMZ:192.168.100.100/1903 (192.168.100.100/1903) to PINNetwork:10.10.100.100/135 (10.10.100.100/135)
6|Aug 07 2013|16:34:42|302013|192.168.100.100|1902|10.10.100.100|135|Built inbound TCP connection 383 for ManagementDMZ:192.168.100.100/1902 (192.168.100.100/1902) to PINNetwork:10.10.100.100/135 (10.10.100.100/135)
The following is the DCERPC Debug:
ciscoasa# debug dcerpc error
ciscoasa# debug dcerpc event
ciscoasa# debug dcerpc packet
ciscoasa# DCERPC-PKT: bind id:1 - ManagementDMZ:192.168.100.100/1902 to PINNetwork:10.10.100.100/135.
DCERPC-EV: bind has non-epm uuid 99fcfec4-5260-101b-bbcb-00aa0021347a.
DCERPC-EV: bind with ctx_num:1
DCERPC-EV: retrieve ctx_id: 0, if-uuid: 99fcfec4
DCERPC-PKT: bind_ack id:1 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1902.
DCERPC-EV: bind_ack with ctxnum_result:1
DCERPC-EV: ctxid/result:0/0 accepted, ack_reason:0 tsyn: 8a885d04
DCERPC-PKT: request id:1 - ManagementDMZ:192.168.100.100/1902 to PINNetwork:10.10.100.100/135.
DCERPC-EV: valid_ctxid: alt:0 ctxnum:1 j:0 val:0 valid:1
DCERPC-PKT: response id:1 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1902.
DCERPC-PKT: bind id:2 - ManagementDMZ:192.168.100.100/1903 to PINNetwork:10.10.100.100/135.
DCERPC-EV: ISystemActivator UUID found
DCERPC-EV: bind with ctx_num:1
DCERPC-EV: retrieve ctx_id: 1, if-uuid: 000001a0
DCERPC-PKT: bind_ack id:2 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1903.
DCERPC-EV: bind_ack with ctxnum_result:1
DCERPC-EV: ctxid/result:1/0 accepted, ack_reason:0 tsyn: 8a885d04
DCERPC-PKT: auth id:2 - ManagementDMZ:192.168.100.100/1903 to PINNetwork:10.10.100.100/135.
DCERPC-PKT: request id:2 - ManagementDMZ:192.168.100.100/1903 to PINNetwork:10.10.100.100/135.
DCERPC-EV: valid_ctxid: alt:0 ctxnum:1 j:0 val:1 valid:1
DCERPC-PKT: request with opnum:4 call_id:2.
DCERPC-PKT: response id:2 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1903.
DCERPC-EV: prop_len 48 limited to -4
DCERPC-PKT: updated checksum and forward packet.
DCERPC-PKT: request id:3 - ManagementDMZ:192.168.100.100/1902 to PINNetwork:10.10.100.100/135.
DCERPC-EV: valid_ctxid: alt:0 ctxnum:1 j:0 val:0 valid:1
DCERPC-PKT: response id:3 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1902.
DCERPC-PKT: alter_context id:4 - ManagementDMZ:192.168.100.100/1903 to PINNetwork:10.10.100.100/135.
DCERPC-EV: alter_context has non-epm uuid 99fcfec4-5260-101b-bbcb-00aa0021347a.
DCERPC-EV: alter_context with ctx_num:1
DCERPC-EV: retrieve ctx_id: 0, if-uuid: 99fcfec4
DCERPC-PKT: alter_context_resp id:4 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1903.
DCERPC-EV: alter_context_resp with ctxnum_result:1
DCERPC-EV: ctxid/result:0/0 accepted, ack_reason:0 tsyn: 8a885d04
DCERPC-PKT: request id:4 - ManagementDMZ:192.168.100.100/1903 to PINNetwork:10.10.100.100/135.
DCERPC-EV: valid_ctxid: alt:1 ctxnum:1 j:0 val:0 valid:1
DCERPC-PKT: response id:4 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1903.
DCERPC-PKT: bind id:5 - ManagementDMZ:192.168.100.100/1913 to PINNetwork:10.10.100.100/135.
DCERPC-EV: bind has non-epm uuid 99fcfec4-5260-101b-bbcb-00aa0021347a.
DCERPC-EV: bind with ctx_num:1
DCERPC-EV: retrieve ctx_id: 0, if-uuid: 99fcfec4
DCERPC-PKT: bind_ack id:5 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1913.
DCERPC-EV: bind_ack with ctxnum_result:1
DCERPC-EV: ctxid/result:0/0 accepted, ack_reason:0 tsyn: 8a885d04
DCERPC-PKT: auth id:5 - ManagementDMZ:192.168.100.100/1913 to PINNetwork:10.10.100.100/135.
DCERPC-PKT: request id:5 - ManagementDMZ:192.168.100.100/1913 to PINNetwork:10.10.100.100/135.
DCERPC-EV: valid_ctxid: alt:0 ctxnum:1 j:0 val:0 valid:1
DCERPC-PKT: response id:5 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1913.
DCERPC-PKT: bind id:6 - ManagementDMZ:192.168.100.100/1918 to PINNetwork:10.10.100.100/135.
DCERPC-EV: bind has non-epm uuid 99fcfec4-5260-101b-bbcb-00aa0021347a.
DCERPC-EV: bind with ctx_num:1
DCERPC-EV: retrieve ctx_id: 0, if-uuid: 99fcfec4
DCERPC-PKT: bind_ack id:6 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1918.
DCERPC-EV: bind_ack with ctxnum_result:1
DCERPC-EV: ctxid/result:0/0 accepted, ack_reason:0 tsyn: 8a885d04
DCERPC-PKT: auth id:6 - ManagementDMZ:192.168.100.100/1918 to PINNetwork:10.10.100.100/135.
DCERPC-PKT: request id:6 - ManagementDMZ:192.168.100.100/1918 to PINNetwork:10.10.100.100/135.
DCERPC-EV: valid_ctxid: alt:0 ctxnum:1 j:0 val:0 valid:1
DCERPC-PKT: response id:6 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1918.
ciscoasa# DCERPC-PKT: bind id:7 - ManagementDMZ:192.168.100.100/1919 to PINNetwork:10.10.100.100/135.
DCERPC-EV: bind has non-epm uuid 99fcfec4-5260-101b-bbcb-00aa0021347a.
DCERPC-EV: bind with ctx_num:1
DCERPC-EV: retrieve ctx_id: 0, if-uuid: 99fcfec4
DCERPC-PKT: bind_ack id:7 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1919.
DCERPC-EV: bind_ack with ctxnum_result:1
DCERPC-EV: ctxid/result:0/0 accepted, ack_reason:0 tsyn: 8a885d04
DCERPC-PKT: auth id:7 - ManagementDMZ:192.168.100.100/1919 to PINNetwork:10.10.100.100/135.
DCERPC-PKT: request id:7 - ManagementDMZ:192.168.100.100/1919 to PINNetwork:10.10.100.100/135.
DCERPC-EV: valid_ctxid: alt:0 ctxnum:1 j:0 val:0 valid:1
DCERPC-PKT: response id:7 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1919.
Attached is also the wireshark captured packets.
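As an added triage aid (not part of the original post or of any Cisco tool), the script below parses ASDM log-export lines in the pipe-delimited layout shown above and flags 106023 denies to a non-135 port that follow a 302013 "Built inbound TCP connection" to port 135 from the same client. That pattern is exactly the symptom described: the endpoint-mapper session is permitted, but the DCOM follow-on connection to the dynamic port is still hitting the ACL instead of an inspection pinhole. The sample lines are constructed from the thread's own log; the message ids 106023 and 302013 are standard ASA syslog ids, and the 60-second correlation window is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the ASDM export layout seen in the thread:
# severity|date|time|msg-id|src|sport|dst|dport|text (newest line first).
SAMPLE_LOG = """\
4|Aug 07 2013|16:34:52|106023|192.168.100.100|1904|10.10.100.100|50037|Deny tcp src ManagementDMZ:192.168.100.100/1904 dst PINNetwork:10.10.100.100/50037 by access-group "ManagementDMZ_access_in" [0x0, 0x0]
4|Aug 07 2013|16:34:46|106023|192.168.100.100|1904|10.10.100.100|50037|Deny tcp src ManagementDMZ:192.168.100.100/1904 dst PINNetwork:10.10.100.100/50037 by access-group "ManagementDMZ_access_in" [0x0, 0x0]
4|Aug 07 2013|16:34:43|106023|192.168.100.100|1904|10.10.100.100|50037|Deny tcp src ManagementDMZ:192.168.100.100/1904 dst PINNetwork:10.10.100.100/50037 by access-group "ManagementDMZ_access_in" [0x0, 0x0]
6|Aug 07 2013|16:34:42|302013|192.168.100.100|1903|10.10.100.100|135|Built inbound TCP connection 384 for ManagementDMZ:192.168.100.100/1903 (192.168.100.100/1903) to PINNetwork:10.10.100.100/135 (10.10.100.100/135)
6|Aug 07 2013|16:34:42|302013|192.168.100.100|1902|10.10.100.100|135|Built inbound TCP connection 383 for ManagementDMZ:192.168.100.100/1902 (192.168.100.100/1902) to PINNetwork:10.10.100.100/135 (10.10.100.100/135)
"""

EPM_PORT = 135          # DCE/RPC endpoint mapper, the only port the ACL permits
ACL_DENY = "106023"     # ASA syslog id: packet denied by an access-group
CONN_BUILT = "302013"   # ASA syslog id: TCP connection built

def parse_line(line):
    """Split one ASDM export line into a record; None for truncated lines."""
    fields = line.rstrip("\n").split("|", 8)
    if len(fields) != 9:
        return None
    sev, date, time_, msg_id, src, sport, dst, dport, text = fields
    try:
        ts = datetime.strptime(f"{date} {time_}", "%b %d %Y %H:%M:%S")
        return {"ts": ts, "id": msg_id, "src": src, "dst": dst,
                "dport": int(dport), "text": text}
    except ValueError:
        return None

def find_dcom_followon_denies(log_text, window=timedelta(seconds=60)):
    """Return {(src, dst, dport): deny_count} for ACL denies to a non-135 port
    that follow a port-135 connection from the same client within `window`."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    recs.sort(key=lambda r: r["ts"])             # ASDM lists newest first
    epm_seen = {}                                # (src, dst) -> last 135 build
    hits = defaultdict(int)
    for r in recs:
        if r["id"] == CONN_BUILT and r["dport"] == EPM_PORT:
            epm_seen[(r["src"], r["dst"])] = r["ts"]
        elif r["id"] == ACL_DENY and r["dport"] != EPM_PORT:
            t0 = epm_seen.get((r["src"], r["dst"]))
            if t0 is not None and timedelta(0) <= r["ts"] - t0 <= window:
                hits[(r["src"], r["dst"], r["dport"])] += 1
    return dict(hits)

if __name__ == "__main__":
    for (src, dst, dport), n in find_dcom_followon_denies(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{dport} denied {n}x after a port-135 "
              "connection; DCERPC inspection opened no pinhole for it")
```

Run it against a larger ASDM export to see which client/server pairs and dynamic ports are affected before widening any ACL; a flagged flow is the one to check against `show conn` and the DCERPC debug.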
01-17-2014 03:21 PM
Any luck with this Zhongqi Li? I'm trying to do something similar now.
02-21-2014 11:09 AM
I'm also facing the same issue... Have you succeeded in resolving it???