DCERPC Inspection Does not Seem to work (OPC Communication)

lizhongqiqq
Level 1

Here is my situation: I have an OPC server (10.10.100.100/24) sitting on the secure side of an ASA 5512 firewall (IOS: asa861-2-smp-k8.bin and ASDM image asdm-66114.bin) and an OPC client (192.168.100.100/24) sitting on the unsecure side (DMZ) of the firewall. The OPC client uses the Microsoft DCOM protocol to communicate. (Note: there is no OPC server or client configuration issue, since the communication is fine when they are in the same network.) Because of that, I first allowed the inbound TCP traffic (TCP port 135) from the OPC client to the OPC server to pass through the firewall using the ACL "ManagementDMZ_access_in" on the DMZ interface. Then I enabled DCERPC inspection. Based on the DCERPC inspection result, there are 73 DCERPC packets with 0 drops. However, the ASDM log shows that the data traffic from the OPC client to the OPC server on a dynamic TCP port was blocked by the inbound ACL, which I think should be allowed through by DCERPC inspection. Did I miss anything, or does anyone have any hint? Your help is much appreciated!

The following is the running config:

ciscoasa# show run
: Saved
:
ASA Version 8.6(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 nameif ManagementDMZ
 security-level 50
 ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 nameif PINNetwork
 security-level 100
 ip address 10.10.100.1 255.255.255.0
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif Int_Management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
object-group service DCOM tcp
 port-object eq 135
access-list ManagementDMZ_access_in extended permit tcp host 192.168.100.100 host 10.10.100.100 object-group DCOM
pager lines 24
logging enable
logging asdm-buffer-size 512
logging asdm informational
mtu ManagementDMZ 1500
mtu PINNetwork 1500
mtu Int_Management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
access-group ManagementDMZ_access_in in interface ManagementDMZ
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.10 255.255.255.255 Int_Management
http 192.168.100.100 255.255.255.255 ManagementDMZ
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect dcerpc
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 19
  subscribe-to-alert-group configuration periodic monthly 19
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4e4615c35b81b98269c7090fe6cd364a
: end

The following is the DCERPC inspection result:

ciscoasa# show service-policy
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 0, lock fail 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, lock fail 0, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 ras _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0
      Inspect: ip-options _default_ip_options_map, packet 0, lock fail 0, drop 0, reset-drop 0
      Inspect: netbios, packet 0, lock fail 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, lock fail 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, lock fail 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: skinny , packet 0, lock fail 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: esmtp _default_esmtp_map, packet 0, lock fail 0, drop 0, reset-drop 0
      Inspect: sqlnet, packet 0, lock fail 0, drop 0, reset-drop 0
      Inspect: sunrpc, packet 0, lock fail 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: tftp, packet 0, lock fail 0, drop 0, reset-drop 0
      Inspect: sip , packet 0, lock fail 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: xdmcp, packet 0, lock fail 0, drop 0, reset-drop 0
      Inspect: icmp, packet 8, lock fail 0, drop 0, reset-drop 0
      Inspect: dcerpc, packet 73, lock fail 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0

The following is the ASDM Log (keep recycled):

013|16:34:52|106023|192.168.100.100|1904|10.10.100.100|50037|Deny tcp src ManagementDMZ:192.168.100.100/1904 dst PINNetwork:10.10.100.100/50037 by access-group "ManagementDMZ_access_in" [0x0, 0x0]
4|Aug 07 2013|16:34:46|106023|192.168.100.100|1904|10.10.100.100|50037|Deny tcp src ManagementDMZ:192.168.100.100/1904 dst PINNetwork:10.10.100.100/50037 by access-group "ManagementDMZ_access_in" [0x0, 0x0]
4|Aug 07 2013|16:34:43|106023|192.168.100.100|1904|10.10.100.100|50037|Deny tcp src ManagementDMZ:192.168.100.100/1904 dst PINNetwork:10.10.100.100/50037 by access-group "ManagementDMZ_access_in" [0x0, 0x0]
6|Aug 07 2013|16:34:42|302013|192.168.100.100|1903|10.10.100.100|135|Built inbound TCP connection 384 for ManagementDMZ:192.168.100.100/1903 (192.168.100.100/1903) to PINNetwork:10.10.100.100/135 (10.10.100.100/135)
6|Aug 07 2013|16:34:42|302013|192.168.100.100|1902|10.10.100.100|135|Built inbound TCP connection 383 for ManagementDMZ:192.168.100.100/1902 (192.168.100.100/1902) to PINNetwork:10.10.100.100/135 (10.10.100.100/135)


The following is the DCERPC Debug:

ciscoasa# debug dcerpc error
ciscoasa# debug dcerpc event
ciscoasa# debug dcerpc packet
ciscoasa# DCERPC-PKT: bind id:1 - ManagementDMZ:192.168.100.100/1902 to PINNetwork:10.10.100.100/135.
DCERPC-EV: bind has non-epm uuid 99fcfec4-5260-101b-bbcb-00aa0021347a.
DCERPC-EV: bind with ctx_num:1
DCERPC-EV: retrieve ctx_id: 0, if-uuid: 99fcfec4
DCERPC-PKT: bind_ack id:1 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1902.
DCERPC-EV: bind_ack with ctxnum_result:1
DCERPC-EV: ctxid/result:0/0 accepted, ack_reason:0 tsyn: 8a885d04
DCERPC-PKT: request id:1 - ManagementDMZ:192.168.100.100/1902 to PINNetwork:10.10.100.100/135.
DCERPC-EV: valid_ctxid: alt:0 ctxnum:1 j:0 val:0 valid:1
DCERPC-PKT: response id:1 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1902.
DCERPC-PKT: bind id:2 - ManagementDMZ:192.168.100.100/1903 to PINNetwork:10.10.100.100/135.
DCERPC-EV: ISystemActivator UUID found
DCERPC-EV: bind with ctx_num:1
DCERPC-EV: retrieve ctx_id: 1, if-uuid: 000001a0
DCERPC-PKT: bind_ack id:2 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1903.
DCERPC-EV: bind_ack with ctxnum_result:1
DCERPC-EV: ctxid/result:1/0 accepted, ack_reason:0 tsyn: 8a885d04
DCERPC-PKT: auth id:2 - ManagementDMZ:192.168.100.100/1903 to PINNetwork:10.10.100.100/135.
DCERPC-PKT: request id:2 - ManagementDMZ:192.168.100.100/1903 to PINNetwork:10.10.100.100/135.
DCERPC-EV: valid_ctxid: alt:0 ctxnum:1 j:0 val:1 valid:1
DCERPC-PKT: request with opnum:4 call_id:2.
DCERPC-PKT: response id:2 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1903.
DCERPC-EV: prop_len 48 limited to -4
DCERPC-PKT: updated checksum and forward packet.
DCERPC-PKT: request id:3 - ManagementDMZ:192.168.100.100/1902 to PINNetwork:10.10.100.100/135.
DCERPC-EV: valid_ctxid: alt:0 ctxnum:1 j:0 val:0 valid:1
DCERPC-PKT: response id:3 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1902.
DCERPC-PKT: alter_context id:4 - ManagementDMZ:192.168.100.100/1903 to PINNetwork:10.10.100.100/135.
DCERPC-EV: alter_context has non-epm uuid 99fcfec4-5260-101b-bbcb-00aa0021347a.
DCERPC-EV: alter_context with ctx_num:1
DCERPC-EV: retrieve ctx_id: 0, if-uuid: 99fcfec4
DCERPC-PKT: alter_context_resp id:4 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1903.
DCERPC-EV: alter_context_resp with ctxnum_result:1
DCERPC-EV: ctxid/result:0/0 accepted, ack_reason:0 tsyn: 8a885d04
DCERPC-PKT: request id:4 - ManagementDMZ:192.168.100.100/1903 to PINNetwork:10.10.100.100/135.
DCERPC-EV: valid_ctxid: alt:1 ctxnum:1 j:0 val:0 valid:1
DCERPC-PKT: response id:4 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1903.
DCERPC-PKT: bind id:5 - ManagementDMZ:192.168.100.100/1913 to PINNetwork:10.10.100.100/135.
DCERPC-EV: bind has non-epm uuid 99fcfec4-5260-101b-bbcb-00aa0021347a.
DCERPC-EV: bind with ctx_num:1
DCERPC-EV: retrieve ctx_id: 0, if-uuid: 99fcfec4
DCERPC-PKT: bind_ack id:5 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1913.
DCERPC-EV: bind_ack with ctxnum_result:1
DCERPC-EV: ctxid/result:0/0 accepted, ack_reason:0 tsyn: 8a885d04
DCERPC-PKT: auth id:5 - ManagementDMZ:192.168.100.100/1913 to PINNetwork:10.10.100.100/135.
DCERPC-PKT: request id:5 - ManagementDMZ:192.168.100.100/1913 to PINNetwork:10.10.100.100/135.
DCERPC-EV: valid_ctxid: alt:0 ctxnum:1 j:0 val:0 valid:1
DCERPC-PKT: response id:5 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1913.
DCERPC-PKT: bind id:6 - ManagementDMZ:192.168.100.100/1918 to PINNetwork:10.10.100.100/135.
DCERPC-EV: bind has non-epm uuid 99fcfec4-5260-101b-bbcb-00aa0021347a.
DCERPC-EV: bind with ctx_num:1
DCERPC-EV: retrieve ctx_id: 0, if-uuid: 99fcfec4
DCERPC-PKT: bind_ack id:6 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1918.
DCERPC-EV: bind_ack with ctxnum_result:1
DCERPC-EV: ctxid/result:0/0 accepted, ack_reason:0 tsyn: 8a885d04
DCERPC-PKT: auth id:6 - ManagementDMZ:192.168.100.100/1918 to PINNetwork:10.10.100.100/135.
DCERPC-PKT: request id:6 - ManagementDMZ:192.168.100.100/1918 to PINNetwork:10.10.100.100/135.
DCERPC-EV: valid_ctxid: alt:0 ctxnum:1 j:0 val:0 valid:1
DCERPC-PKT: response id:6 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1918.
ciscoasa# DCERPC-PKT: bind id:7 - ManagementDMZ:192.168.100.100/1919 to PINNetwork:10.10.100.100/135.
DCERPC-EV: bind has non-epm uuid 99fcfec4-5260-101b-bbcb-00aa0021347a.
DCERPC-EV: bind with ctx_num:1
DCERPC-EV: retrieve ctx_id: 0, if-uuid: 99fcfec4
DCERPC-PKT: bind_ack id:7 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1919.
DCERPC-EV: bind_ack with ctxnum_result:1
DCERPC-EV: ctxid/result:0/0 accepted, ack_reason:0 tsyn: 8a885d04
DCERPC-PKT: auth id:7 - ManagementDMZ:192.168.100.100/1919 to PINNetwork:10.10.100.100/135.
DCERPC-PKT: request id:7 - ManagementDMZ:192.168.100.100/1919 to PINNetwork:10.10.100.100/135.
DCERPC-EV: valid_ctxid: alt:0 ctxnum:1 j:0 val:0 valid:1
DCERPC-PKT: response id:7 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1919.

Attached is also the wireshark captured packets.
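The debug output above labels each bind on port 135 by the interface UUID it carries ("bind has non-epm uuid 99fcfec4-...", "ISystemActivator UUID found") and reports the negotiated transfer syntax ("tsyn: 8a885d04"). The parser below, added here as an example and not part of the thread or of Cisco's inspection engine, performs the same classification on raw DCE/RPC bind and alter_context PDUs, such as the ones that can be exported from the attached Wireshark capture. It assumes the standard connection-oriented PDU layout from the DCE 1.1 RPC specification and the well-known public UUIDs for the endpoint mapper, ISystemActivator, IOXIDResolver and NDR; the sample PDUs are constructed by build_bind rather than taken from the capture.

```python
"""Classify the interface UUIDs requested in DCE/RPC bind / alter_context PDUs,
the same check behind the ASA debug lines 'bind has non-epm uuid ...' and
'ISystemActivator UUID found'. Added example for this thread, not Cisco code.
PDU layout follows the connection-oriented RPC protocol (DCE 1.1 RPC, chapter 12)."""
import struct
import uuid

# Well-known public interface identifiers (constants, not taken from the ASA output).
EPM_UUID = uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")               # RPC endpoint mapper
ISYSTEMACTIVATOR_UUID = uuid.UUID("000001a0-0000-0000-c000-000000000046")  # DCOM activation
IOXIDRESOLVER_UUID = uuid.UUID("99fcfec4-5260-101b-bbcb-00aa0021347a")     # DCOM OXID resolver
NDR_TRANSFER_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")    # the 'tsyn: 8a885d04' above

KNOWN_INTERFACES = {
    EPM_UUID: "epm",
    ISYSTEMACTIVATOR_UUID: "ISystemActivator",
    IOXIDRESOLVER_UUID: "IOXIDResolver",
}

PTYPE_BIND = 11
PTYPE_ALTER_CONTEXT = 14


def _read_syntax(buf: bytes, off: int, little: bool):
    """Read a p_syntax_id_t: 16-byte UUID followed by a uint32 version (major | minor << 16)."""
    if off + 20 > len(buf):
        raise ValueError("context list runs past end of PDU")
    raw = buf[off:off + 16]
    u = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
    (ver,) = struct.unpack_from(("<" if little else ">") + "I", buf, off + 16)
    return u, ver & 0xFFFF, ver >> 16


def parse_bind(pdu: bytes) -> dict:
    """Parse the common header and presentation-context list of a bind/alter_context PDU."""
    if len(pdu) < 28:
        raise ValueError("PDU too short for a bind header")
    vers, _minor, ptype, _flags = struct.unpack_from("<BBBB", pdu, 0)
    if vers != 5 or ptype not in (PTYPE_BIND, PTYPE_ALTER_CONTEXT):
        raise ValueError("not a DCE/RPC v5 bind or alter_context PDU")
    little = (pdu[4] >> 4) == 1                # packed_drep byte 0, high nibble: 1 = little-endian
    e = "<" if little else ">"
    frag_len, _auth_len, call_id = struct.unpack_from(e + "HHI", pdu, 8)
    if frag_len != len(pdu):
        raise ValueError(f"frag_length {frag_len} does not match PDU size {len(pdu)}")
    # bind body: max_xmit_frag(2) max_recv_frag(2) assoc_group_id(4) n_context_elem(1) pad(3)
    n_ctx = pdu[24]
    off = 28
    contexts = []
    for _ in range(n_ctx):
        ctx_id, n_tsyn = struct.unpack_from(e + "HB", pdu, off)
        off += 4                                # p_cont_id, n_transfer_syn, one reserved byte
        iface = _read_syntax(pdu, off, little)  # abstract syntax = interface UUID + version
        off += 20
        tsyns = []
        for _ in range(n_tsyn):
            tsyns.append(_read_syntax(pdu, off, little))
            off += 20
        contexts.append({"ctx_id": ctx_id, "iface": iface, "tsyns": tsyns})
    return {"call_id": call_id, "ptype": ptype, "contexts": contexts}


def interface_names(pdu: bytes) -> list:
    """One label per context: a known name, or 'non-epm:<uuid>' in the ASA debug's wording."""
    return [KNOWN_INTERFACES.get(c["iface"][0], f"non-epm:{c['iface'][0]}")
            for c in parse_bind(pdu)["contexts"]]


def is_epm_bind(pdu: bytes) -> bool:
    """True when any context binds the endpoint mapper interface."""
    return "epm" in interface_names(pdu)


def build_bind(call_id: int, iface: uuid.UUID, ctx_id: int = 0, version: int = 0) -> bytes:
    """Construct a minimal single-context bind PDU; used here only to create sample input offline."""
    body = struct.pack("<HHI", 5840, 5840, 0)           # max_xmit_frag, max_recv_frag, assoc_group_id
    body += struct.pack("<BBH", 1, 0, 0)                # n_context_elem, reserved, reserved2
    body += struct.pack("<HBB", ctx_id, 1, 0)           # p_cont_id, n_transfer_syn, reserved
    body += iface.bytes_le + struct.pack("<I", version)
    body += NDR_TRANSFER_SYNTAX.bytes_le + struct.pack("<I", 2)   # NDR 2.0
    header = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03,    # vers 5.0, bind, FIRST|LAST frag
                         b"\x10\x00\x00\x00", 16 + len(body), 0, call_id)
    return header + body


# Constructed sample PDUs mirroring the two bind types seen in the thread's debug output.
SAMPLE_IOXID_BIND = build_bind(1, IOXIDRESOLVER_UUID)              # 'bind has non-epm uuid 99fcfec4-...'
SAMPLE_ISA_BIND = build_bind(2, ISYSTEMACTIVATOR_UUID, ctx_id=1)   # 'ISystemActivator UUID found'
SAMPLE_EPM_BIND = build_bind(3, EPM_UUID, version=3)               # an endpoint-mapper bind for contrast

if __name__ == "__main__":
    for name, pdu in (("IOXID", SAMPLE_IOXID_BIND), ("ISA", SAMPLE_ISA_BIND), ("EPM", SAMPLE_EPM_BIND)):
        print(name, parse_bind(pdu)["call_id"], interface_names(pdu), is_epm_bind(pdu))
```

Which interface the client actually asks for on port 135 is the first thing to confirm from the capture, since the inspector's handling (and its debug wording) differs between an endpoint-mapper bind and a direct DCOM interface bind; in the debug above every bind is to IOXIDResolver or ISystemActivator, none to the endpoint mapper.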

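The ASDM excerpt above shows the pattern to look for when an inspector is expected to open a secondary channel: 302013 connections built to 10.10.100.100/135, followed by 106023 denies from the same client to a high port (50037) by the same ACL. The script below, an added example rather than anything from the thread or from Cisco, correlates those two message IDs over the pipe-delimited ASDM export format seen above so that denied dynamic-port flows that follow a port-135 exchange stand out from unrelated denies. The sample input reuses the four complete log lines from the post plus one constructed deny from a second client (192.168.100.200) that never completed a port-135 connection, so the filter has a negative case.

```python
"""Correlate ASA syslog 106023 (ACL deny) events with earlier 302013 (connection built)
events to port 135 for the same client/server pair. Added example for this thread, not
Cisco tooling. Input is the pipe-delimited export shown in the thread's ASDM log excerpt:
severity|date|time|msg-id|src|sport|dst|dport|text"""
import re
from datetime import datetime

RPC_EPM_PORT = 135          # where DCOM/DCE-RPC clients start before moving to a dynamic port
ACL_RE = re.compile(r'by access-group "([^"]+)"')

# Sample input: the four complete lines from the thread's ASDM excerpt, plus one constructed
# deny (first line) from a different client that never built a port-135 connection.
SAMPLE_LOG = """\
4|Aug 07 2013|16:34:50|106023|192.168.100.200|2001|10.10.100.100|50038|Deny tcp src ManagementDMZ:192.168.100.200/2001 dst PINNetwork:10.10.100.100/50038 by access-group "ManagementDMZ_access_in" [0x0, 0x0]
4|Aug 07 2013|16:34:46|106023|192.168.100.100|1904|10.10.100.100|50037|Deny tcp src ManagementDMZ:192.168.100.100/1904 dst PINNetwork:10.10.100.100/50037 by access-group "ManagementDMZ_access_in" [0x0, 0x0]
4|Aug 07 2013|16:34:43|106023|192.168.100.100|1904|10.10.100.100|50037|Deny tcp src ManagementDMZ:192.168.100.100/1904 dst PINNetwork:10.10.100.100/50037 by access-group "ManagementDMZ_access_in" [0x0, 0x0]
6|Aug 07 2013|16:34:42|302013|192.168.100.100|1903|10.10.100.100|135|Built inbound TCP connection 384 for ManagementDMZ:192.168.100.100/1903 (192.168.100.100/1903) to PINNetwork:10.10.100.100/135 (10.10.100.100/135)
6|Aug 07 2013|16:34:42|302013|192.168.100.100|1902|10.10.100.100|135|Built inbound TCP connection 383 for ManagementDMZ:192.168.100.100/1902 (192.168.100.100/1902) to PINNetwork:10.10.100.100/135 (10.10.100.100/135)
"""


def parse_asdm_line(line: str):
    """Split one ASDM export line into a dict; returns None for lines that do not fit the format."""
    fields = line.strip().split("|", 8)
    if len(fields) != 9 or not fields[3].isdigit():
        return None
    sev, date, time_, msg_id, src, sport, dst, dport, text = fields
    try:
        ts = datetime.strptime(f"{date} {time_}", "%b %d %Y %H:%M:%S")
        return {"sev": int(sev), "ts": ts, "msg_id": int(msg_id), "src": src, "sport": int(sport),
                "dst": dst, "dport": int(dport), "text": text}
    except ValueError:
        return None


def parse_log(text: str) -> list:
    """Parse every well-formed line and return events oldest first (ASDM exports newest first)."""
    events = [e for e in (parse_asdm_line(ln) for ln in text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def dynamic_port_denies(text: str) -> list:
    """Return 106023 denies to a non-135 port that follow a built 302013 connection to port 135
    between the same client and server: the candidates for a secondary (dynamic-port) channel
    that inspection was expected to pinhole but that hit the interface ACL instead."""
    epm_pairs = set()
    findings = []
    for e in parse_log(text):
        pair = (e["src"], e["dst"])
        if e["msg_id"] == 302013 and e["dport"] == RPC_EPM_PORT:
            epm_pairs.add(pair)
        elif e["msg_id"] == 106023 and e["dport"] != RPC_EPM_PORT and pair in epm_pairs:
            m = ACL_RE.search(e["text"])
            findings.append({"ts": e["ts"].isoformat(sep=" "), "src": e["src"], "dst": e["dst"],
                             "dport": e["dport"], "acl": m.group(1) if m else None})
    return findings


if __name__ == "__main__":
    for f in dynamic_port_denies(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']} denied by ACL {f['acl']} "
              f"after a port-135 connection from the same client")
```

On the sample input the two denies from 192.168.100.100 to 10.10.100.100/50037 are reported and the constructed deny from 192.168.100.200 is not, because that client never built a connection to port 135.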
2 Replies

LumensionCCO
Level 1

Any luck with this Zhongqi Li? I'm trying to do something similar now.

I'm also facing the same issue... have you succeeded in resolving it???
