01-10-2014 03:33 AM - edited 03-11-2019 08:27 PM
Hi,
We are running Cisco ASA 2220 version 8.4(3).
In previous attempts we have been unable to firewall Microsoft DCOM communications and generally any Microsoft RPC comms, although the last time we attempted it we were running an older model of Cisco ASA.
Is it possible to use a policy map to correctly open the pinholes for Microsoft RPC communications? If so, what version of IOS is required, and would anyone have a configuration example?
Has anyone had success with this?
Many thanks in advance.
01-11-2014 05:39 AM
MS RPC has been supported for years with constant improvements and updates.
See here e.g. the 9.1 overview:
01-11-2014 05:41 AM
Addendum: Yes, I used it a couple of times with different requirements. One time, I remember, I had to update the ASA to whatever to support DCERPC without endpoint mapper (was some OWA frontend on a DMZ talking to an Exchange on the inside).
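As an added illustration (not configuration posted by anyone in this thread), this is the shape of the ASA DCERPC inspection policy the original question asks about; the class-map and policy-map names and the 10-minute pinhole timeout are assumed values chosen for the example.

```text
! Added example, not from this thread. Names and timeout are illustrative assumptions.
! Match the endpoint mapper port so the ASA inspects the DCERPC bind/lookup exchange.
class-map dcerpc-epm-class
 match port tcp eq 135
!
! Inspection parameters: keep each dynamically learned pinhole open for 10 minutes
! (the default is shorter; raise it if agents take a while to connect back).
policy-map type inspect dcerpc dcerpc-params
 parameters
  timeout pinhole 0:10:00
!
! Attach the inspection to the global service policy (an interface policy also works).
policy-map global_policy
 class dcerpc-epm-class
  inspect dcerpc dcerpc-params
!
service-policy global_policy global
!
! Verification commands to run after applying the policy:
! show service-policy inspect dcerpc   (packet and pinhole counters per interface)
! show conn                            (dynamic connections opened through the pinholes)
```

The inspection only opens pinholes for the ports negotiated through the endpoint mapper; a TCP/135 connection initiated from the lower-security (outside) interface toward the inside still needs its own access-list entry, and the "Deny TCP (no connection)" messages later in the thread are what the ASA logs when a packet arrives for a session it has no connection entry for.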
01-22-2014 05:35 AM
Hi,
So I set up a lab for testing... specifically a client-server application called Microsoft Data Protection Manager (backup application) which makes use of DCOM for agent communications.
The lab consists of Cisco ASA with inside (security-level 100) and outside interface (security-level 0) and a DCOM client and server on each side of the firewall.
Interestingly, when I use the dcerpc policy map and test using a simple DCOM test application from Microsoft, it is successful and correctly opens up the pinholes for DCOM.
As soon as I try to use Microsoft DPM the communications fail, but I don't see any denied traffic, so it must be hitting the rule but failing. I just wonder if some of the inbound traffic is not being inspected and is being dropped rather than denied.
Any ideas how to troubleshoot further?
01-23-2014 03:14 AM
Just an update: I have another tool provided by Microsoft for testing dcerpc TCP 135 called portqry.
When I run this tool on the server located on the outside interface I get the following:
Deny TCP (no connection) from 192.168.254.10/50341 to 192.168.253.11/135 flags PSH ACK on interface outside
When I run this tool on the client located on the inside interface I get the following:
tcp flow from inside:192.168.253.11/58151 to outside:192.168.254.10/135 terminated by inspection engine, reason - proxy inspector disconnected, dropped packet.
Deny TCP (no connection) from 192.168.253.11/58173 to 192.168.254.10/135 flags PSH ACK on interface inside.
Any ideas?
02-13-2020 05:52 AM
Hi,
I am experiencing the very same problem on a production network and I cannot find a solution. I wonder if you have solved your situation.
Br,