Zone-based Firewall and Application Inspect

cstep (Level 1)

We're having trouble determining whether the ZBF match protocol statements provide deep inspection. For example, the following doesn't appear to actually allow the ephemeral ports to open. Or at least, in what I've been able to test, attempting to make an RPC call across the firewall, the call fails with a communication failure.

Router# show ip port msrpc
Default mapping:  msrpc                tcp port 135                        system defined

Router# configure terminal
Router(config)# class-map type inspect match-any msrpc-cmap
Router(config-cmap)# match protocol msrpc
Router(config-cmap)# exit
Router(config)# policy-map type inspect msrpc-pmap
Router(config-pmap)# class type inspect msrpc-cmap
Router(config-pmap-c)# inspect
Router(config-pmap-c)# end

Using PortQry shows that the port is listening and dumps a bunch of data to the screen about the RPC End Point Mapper.

So I know that TCP port 135 is at least opened. But I don't think the port is being inspected at layer 7, and hence the End Point Mapper is allocating the ephemeral ports, but the firewall doesn't know to open the pinholes. Is there a way, other than simply statically opening the ports, to pinhole the RPC EPM ports? Am I missing something obvious here?

I have noticed that in IOS-XR and IOS-XE DPI is available in the ALG for msrpc, for example:

http://www.cisco.com/en/US/docs/routers/asr1000/technical_references/asr1000alg_support.pdf
http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/fw-msrpc-supp.pdf

I also have done this on an ASA before using the following:

policy-map type inspect dcerpc dcerpc_map
 timeout pinhole 0:10:00
!
class-map dcerpc
 match port tcp eq 135
!
policy-map global-policy
 class dcerpc
  inspect dcerpc dcerpc_map
!
service-policy global-policy global

At this point, I'm thinking IOS doesn't support ALG functions except for what's actually listed in the 'show ip inspect ?' list:

aol           Configure Firewall class-map for IM-AOL protocol
edonkey       eDonkey
fasttrack     FastTrack Traffic - KaZaA, Morpheus, Grokster...
gnutella      Gnutella Version2 Traffic - BearShare, Shareeza, Morpheus ...
h323          Configure Firewall class-map for H323 protocol
http          Configure Firewall class-map for HTTP protocol
icq           Configure Firewall class-map for IM-ICQ protocol
imap          Configure Firewall class-map for IMAP protocol
kazaa2        Kazaa Version 2
msnmsgr       Configure Firewall class-map for IM-MSN protocol
pop3          Configure Firewall class-map for POP3 protocol
sip           Configure Firewall class-map for SIP protocol
smtp          Configure Firewall class-map for SMTP protocol
sunrpc        Configure Firewall class-map for RPC protocol
winmsgr       Configure Firewall class-map for IM-WINMSGR protocol
ymsgr         Configure Firewall class-map for IM-YAHOO protocol

Thoughts?

It would also be nice if I could create a custom NBAR match criteria and map a UDP port number and timeout to the match. This could make a hell of an ALG within IOS.
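As an added example that is not part of the original post or of any Cisco documentation, the configuration below is a complete ZBF policy implementing the static-pinhole workaround the post mentions: the End Point Mapper on TCP 135 is inspected as msrpc, and a second class statefully inspects a restricted TCP range towards a single RPC server instead of relying on the ALG to learn the dynamic port from the EPM reply. The interface names, zone names, the server address 10.0.0.5 and the 49152-65535 range (the default dynamic RPC range on Windows Vista/Server 2008 and later; older hosts default to 1025-5000 unless changed in the registry) are assumptions for illustration.

```cisco
! Assumed: RPC server 10.0.0.5 in the DMZ zone, clients in the INSIDE zone.
! Assumed: server uses the Windows 2008+ default dynamic range 49152-65535.
ip access-list extended RPC-DYNAMIC-TO-DC
 remark Static pinhole for the RPC dynamic range, one destination host only
 permit tcp any host 10.0.0.5 range 49152 65535
!
! Layer 7 class for the End Point Mapper itself (TCP 135).
class-map type inspect match-all RPC-EPM-CMAP
 match protocol msrpc
!
! Stateful TCP inspection for the dynamic range, constrained by the ACL
! so the hole is limited to one server rather than the whole zone.
class-map type inspect match-all RPC-DYNAMIC-CMAP
 match access-group name RPC-DYNAMIC-TO-DC
 match protocol tcp
!
policy-map type inspect INSIDE-TO-DMZ-PMAP
 class type inspect RPC-EPM-CMAP
  inspect
 class type inspect RPC-DYNAMIC-CMAP
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security DMZ
!
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security DMZ
!
zone-pair security INSIDE-TO-DMZ source INSIDE destination DMZ
 service-policy type inspect INSIDE-TO-DMZ-PMAP
```

After a client makes an RPC call, `show policy-map type inspect zone-pair INSIDE-TO-DMZ sessions` should list one session to port 135 and a second to a port inside the dynamic range; if only the 135 session appears and the call still fails, the dynamic port the EPM handed out lies outside the range in the ACL. The trade-off versus a real ALG is that the whole range is reachable at all times on that host, not just the port negotiated for the current session, so keep the source and destination in the ACL as narrow as the application allows and consider pinning the server's dynamic range to a smaller window on the Windows side.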
