We're having trouble determining whether the ZBF match protocol statements provide deep inspection. For example, the following doesn't appear to actually allow the ephemeral ports to open. Or at least, in what I've found to try and test, attempting to make an RPC call across the firewall fails with a communication failure.
    Router# show ip port msrpc
    Default mapping: msrpc tcp port 135 system defined
    Router# configure terminal
    Router(config)# class-map type inspect match-any msrpc-cmap
    Router(config-cmap)# match protocol msrpc
    Router(config)# policy-map type inspect msrpc-pmap
    Router(config-pmap)# class type inspect msrpc-cmap
Using PortQry shows that the port is listening and dumps a bunch of data to the screen about the RPC End Point Mapper.
So I know that TCP port 135 is at least opened. But I don't think the port is being inspected at layer 7, and hence the End Point Mapper is allocating the ephemeral ports but the firewall doesn't know to open the pinholes. Is there a way, other than simply statically opening the ports, to pinhole the RPC EPM ports? Am I missing something obvious here?
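To make the "deep inspection" point concrete, here is an added model (not from this thread and not Cisco code) of what a Layer 7 MSRPC ALG has to do that a plain Layer 4 `match protocol msrpc` rule on TCP/135 cannot: read the protocol tower the End Point Mapper returns, pull out the dynamic TCP port and server address it names, and open a time-limited pinhole for exactly that client/server/port triple. The tower layout follows the DCE 1.1 RPC tower encoding; the interface UUID, addresses, ports and the 600-second pinhole timeout are constructed sample values, and `MsrpcAlg` is a toy stateful firewall, not a model of IOS internals.

```python
"""Model of the Layer 7 work an MSRPC ALG does: read the endpoint the EPM hands
back and open a time-limited pinhole for it (added example, constructed data)."""
import ipaddress
import struct
import uuid
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Protocol identifiers for DCE/RPC protocol-tower floors (DCE 1.1 RPC spec).
PROTO_UUID = 0x0D          # interface or transfer-syntax UUID floor
PROTO_RPC_CO = 0x0B        # connection-oriented RPC floor
PROTO_NCACN_IP_TCP = 0x07  # TCP port floor (port is stored big-endian)
PROTO_IP = 0x09            # IPv4 address floor

EPM_PORT = 135             # the one port a static Layer 4 policy already allows


def parse_tower(tower: bytes) -> List[Tuple[int, bytes, bytes]]:
    """Split a protocol tower into (protocol_id, lhs, rhs) floors.

    Layout: floor count (uint16 LE), then per floor: lhs length (uint16 LE),
    lhs bytes, rhs length (uint16 LE), rhs bytes; the first lhs byte is the
    protocol identifier. Malformed input raises ValueError rather than
    returning a partial parse, so nothing opens a hole on garbage.
    """
    def u16(off: int) -> int:
        if off + 2 > len(tower):
            raise ValueError("truncated tower")
        return struct.unpack_from("<H", tower, off)[0]

    count, off, floors = u16(0), 2, []
    for _ in range(count):
        lhs_len = u16(off); off += 2
        lhs = tower[off:off + lhs_len]; off += lhs_len
        rhs_len = u16(off); off += 2
        rhs = tower[off:off + rhs_len]; off += rhs_len
        if lhs_len == 0 or len(lhs) != lhs_len or len(rhs) != rhs_len:
            raise ValueError("truncated tower floor")
        floors.append((lhs[0], lhs, rhs))
    if off != len(tower):
        raise ValueError("trailing bytes after last floor")
    return floors


def endpoint_from_tower(tower: bytes) -> Optional[Tuple[str, int]]:
    """Return (server_ip, tcp_port) that the EPM told the client to use, if any."""
    ip = port = None
    for proto, _lhs, rhs in parse_tower(tower):
        if proto == PROTO_NCACN_IP_TCP and len(rhs) == 2:
            port = struct.unpack(">H", rhs)[0]
        elif proto == PROTO_IP and len(rhs) == 4:
            ip = str(ipaddress.IPv4Address(rhs))
    return None if ip is None or port is None else (ip, port)


def build_tower(iface: uuid.UUID, port: int, ip: str) -> bytes:
    """Construct a five-floor ncacn_ip_tcp tower (sample input for the parser)."""
    def floor(lhs: bytes, rhs: bytes) -> bytes:
        return struct.pack("<H", len(lhs)) + lhs + struct.pack("<H", len(rhs)) + rhs
    ndr = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax
    floors = [
        floor(bytes([PROTO_UUID]) + iface.bytes_le + struct.pack("<H", 1), struct.pack("<H", 0)),
        floor(bytes([PROTO_UUID]) + ndr.bytes_le + struct.pack("<H", 2), struct.pack("<H", 0)),
        floor(bytes([PROTO_RPC_CO]), struct.pack("<H", 0)),
        floor(bytes([PROTO_NCACN_IP_TCP]), struct.pack(">H", port)),
        floor(bytes([PROTO_IP]), ipaddress.IPv4Address(ip).packed),
    ]
    return struct.pack("<H", len(floors)) + b"".join(floors)


# Constructed sample: a made-up interface UUID, server 10.0.0.5, dynamic port 49152.
SAMPLE_IFACE = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_TOWER = build_tower(SAMPLE_IFACE, 49152, "10.0.0.5")


@dataclass
class Pinhole:
    client_ip: str
    server_ip: str
    server_port: int
    expires_at: float


class MsrpcAlg:
    """Toy stateful firewall: static allow for TCP/135, dynamic pinholes from EPM replies."""

    def __init__(self, pinhole_timeout: float = 600.0):
        self.pinhole_timeout = pinhole_timeout
        self.pinholes: List[Pinhole] = []

    def on_epm_reply(self, client_ip: str, tower: bytes, now: float) -> Optional[Tuple[str, int]]:
        """Feed the tower from an EPM map reply seen on the client's TCP/135 session."""
        ep = endpoint_from_tower(tower)
        if ep is not None:
            self.pinholes.append(Pinhole(client_ip, ep[0], ep[1], now + self.pinhole_timeout))
        return ep

    def permit(self, src_ip: str, dst_ip: str, dst_port: int, now: float) -> bool:
        """Layer 4 decision: the static rule first, then any unexpired learned pinhole."""
        if dst_port == EPM_PORT:
            return True
        self.pinholes = [p for p in self.pinholes if p.expires_at > now]
        return any(p.client_ip == src_ip and p.server_ip == dst_ip and p.server_port == dst_port
                   for p in self.pinholes)


if __name__ == "__main__":
    alg = MsrpcAlg()
    print("before EPM reply, 49152 permitted:", alg.permit("10.0.1.20", "10.0.0.5", 49152, 0.0))
    print("EPM reply named:", alg.on_epm_reply("10.0.1.20", SAMPLE_TOWER, 0.0))
    print("after EPM reply, 49152 permitted:", alg.permit("10.0.1.20", "10.0.0.5", 49152, 1.0))
```

Without the `on_epm_reply` step the second connection is dropped, which is the "communication failure" symptom: the Layer 4 policy only ever sees a permitted session to 135 and an unrelated, unpermitted session to a high port. A Layer 7 inspector also has to bind the pinhole to the client that asked and expire it, which is why the ASA `timeout pinhole` knob exists.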
I have noticed that in IOS-XR and IOS-XE DPI is available in the ALG for msrpc, for example:
I also have done this on an ASA before using the following (the policy-map and the inspect statement have to use the same name):
    policy-map type inspect dcerpc dcerpc_map
     parameters
      timeout pinhole 0:10:00
    match port tcp eq 135
    inspect dcerpc dcerpc_map
    service-policy global-policy global
At this point, I'm thinking IOS doesn't support ALG functions except for what's actually listed in the 'show ip inspect ?' list:
    aol        Configure Firewall class-map for IM-AOL protocol
    fasttrack  FastTrack Traffic - KaZaA, Morpheus, Grokster...
    gnutella   Gnutella Version2 Traffic - BearShare, Shareeza, Morpheus ...
    h323       Configure Firewall class-map for H323 protocol
    http       Configure Firewall class-map for HTTP protocol
    icq        Configure Firewall class-map for IM-ICQ protocol
    imap       Configure Firewall class-map for IMAP protocol
    kazaa2     Kazaa Version 2
    msnmsgr    Configure Firewall class-map for IM-MSN protocol
    pop3       Configure Firewall class-map for POP3 protocol
    sip        Configure Firewall class-map for SIP protocol
    smtp       Configure Firewall class-map for SMTP protocol
    sunrpc     Configure Firewall class-map for RPC protocol
    winmsgr    Configure Firewall class-map for IM-WINMSGR protocol
    ymsgr      Configure Firewall class-map for IM-YAHOO protocol
It would also be nice if I could create a custom nbar match criteria and map a udp port number and timeout to the match. This could make a hell of an ALG within IOS.
Short of modifying TCP parameters / timeouts, I haven't played with parameter maps much, but I did just see this in the reference (http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_p1.html#wp1091787):
parameter-map type protocol-info
To create or modify a protocol-specific parameter map and enter parameter-map type configuration mode, use the parameter-map type protocol-info command in global configuration mode. To delete a protocol-specific parameter map from the configuration, use the no form of this command.
    parameter-map type protocol-info [msrpc | sip | stun-ice] parameter-map-name
    no parameter-map type protocol-info [msrpc | sip | stun-ice] parameter-map-name
It also goes on to state that this command became available in 15.1(4)M, so I'll upgrade when I get a second and play with this rev. Hopefully the full inspect will be available for MSRPC (to include the EPM pinholes).
Note: If you are inspecting an RPC protocol (that is, you specified the match protocol msrpc command in the Layer 4 class map), the Layer 7 Microsoft Remote Procedure Call (MSRPC) policy map is required.