I have a 2921 acting as the HUB of a DMVPN deployment. I would like to apply an inbound ACL to the tunnel interface to only allow the minimum ports necessary for the remote sites to communicate back to the data center. This includes Active Directory traffic. I'm very green with security, especially on this 2921. I've done limited research on getting AD traffic through a firewall, and my understanding of this is that the host communicates with the AD controller over a well-known port (mapper service) which then instructs the client to use a randomly generated port in a very large range for future communication with the AD controller. This would then mean that the 2921 would need to be able to inspect this first traffic flow and then dynamically open up just the minimum port(s) required to allow the host to talk to the AD controller. Is my 2921, with the version/feature set it's running, capable of doing this? If not, can it be made capable of doing this with additional hardware and/or licensing?
You mean to be able to inspect traffic and open the required pinholes?
It is. You can run the ZBFW on this box with no problem at all.
I've been playing around with the "ip inspect" command and I've got things working partially. There's a large list of well-known protocols available with the ip inspect command. However, I cannot find the one for endpoint mapper (tcp/135). How do I define endpoint mapper in an ip inspect profile?
So running CBAC.
Here is how to create a port-map definition to inspect traffic:
The example will use RDP:
ip port-map user-rdp3389 port tcp 3389
Then you can match and inspect the traffic!
In your case, just use tcp 135.
Remember to rate all of the helpful posts.
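As an added illustration (not part of the thread, and not the original poster's or the answerer's configuration), here is how the port-map above fits into a complete CBAC configuration on the hub's tunnel interface. The DC subnet (10.10.0.0/24), spoke LAN range (10.20.0.0/16), interface name (Tunnel0), routing protocol (EIGRP) and the inspection/ACL names are all assumptions. One caveat a practitioner should know before relying on this: a user-defined port-map such as user-epm is tracked by CBAC as a plain TCP session, so inspecting it keeps state for the port 135 connection itself but does not parse the RPC endpoint mapper reply to open the negotiated high port. That is why the example permits the RPC dynamic range (49152-65535, the default on Windows Server 2008 and later) explicitly; on older domain controllers the default range is different, and many shops restrict it in the registry to a smaller range and permit only that.

```cisco
! Added example configuration; names, subnets and routing protocol are assumed.
!
! 1. Map tcp/135 (RPC endpoint mapper) to a user-defined application name
!    so it can be referenced in an inspection rule. User-defined names must
!    begin with "user-".
ip port-map user-epm port tcp 135
!
! 2. Inspection rule: generic TCP/UDP state tracking plus the named application.
!    Note: user-epm is still inspected as ordinary TCP; no RPC parsing happens.
ip inspect name AD-INSPECT tcp
ip inspect name AD-INSPECT udp
ip inspect name AD-INSPECT user-epm
!
! 3. Minimum ports a domain member at a spoke needs toward the DCs.
ip access-list extended SPOKE-IN
 remark Routing protocol over the tunnel (assumes EIGRP; change to match yours)
 permit eigrp any any
 remark DNS
 permit udp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.0.255 eq 53
 permit tcp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.0.255 eq 53
 remark Kerberos and Kerberos password change
 permit tcp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.0.255 eq 88
 permit udp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.0.255 eq 88
 permit tcp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.0.255 eq 464
 permit udp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.0.255 eq 464
 remark NTP (w32time)
 permit udp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.0.255 eq 123
 remark LDAP, LDAPS and global catalog
 permit tcp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.0.255 eq 389
 permit udp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.0.255 eq 389
 permit tcp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.0.255 eq 636
 permit tcp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.0.255 eq 3268
 permit tcp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.0.255 eq 3269
 remark SMB (SYSVOL / NETLOGON, group policy)
 permit tcp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.0.255 eq 445
 remark RPC endpoint mapper
 permit tcp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.0.255 eq 135
 remark RPC dynamic range (Windows Server 2008+ default; narrow if you restrict it on the DCs)
 permit tcp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.0.255 range 49152 65535
 remark Log everything else so missing ports show up during rollout
 deny ip any any log
!
! 4. Apply to the DMVPN hub tunnel: filter spoke-to-DC traffic on the way in,
!    and inspect it so return traffic is tracked by state rather than by a
!    permanent permit on any ACL applied in the opposite direction.
interface Tunnel0
 ip access-group SPOKE-IN in
 ip inspect AD-INSPECT in
```

Check the result with "show ip inspect sessions" while a spoke client logs on: you should see the port 135 session and then separate sessions to a port inside the dynamic range, which confirms the range permit is what lets the follow-on RPC traffic through rather than the inspection itself.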