11-03-2012 08:22 PM - edited 03-11-2019 05:18 PM
We're having trouble determining whether the ZBF match protocol statements provide deep inspection. For example, the following doesn't appear to actually allow the ephemeral ports to open. Or at least in what I've found to try and test, attempting to make an RPC call across the firewall, the call fails with a communication failure.
Router# show ip port msrpc
Default mapping: msrpc tcp port 135 system defined
Router# configure terminal
Router(config)# class-map type inspect match-any msrpc-cmap
Router(config-cmap)# match protocol msrpc
Router(config-cmap)# exit
Router(config)# policy-map type inspect msrpc-pmap
Router(config-pmap)# class type inspect msrpc-cmap
Router(config-pmap-c)# inspect
Router(config-pmap-c)# end
Using PortQry shows that the port is listening and dumps a bunch of data to the screen about the RPC End Point Mapper.
So I know that TCP port 135 is at least opened. But I don't think the port is being inspected at layer 7, and hence the End Point Mapper is allocating the ephemeral ports, but the firewall doesn't know to open the pinholes. Is there a way, other than simply statically opening the ports, to pinhole the RPC EPM ports? Am I missing something obvious here?
I have noticed that in IOS-XR and IOS-XE DPI is available in the ALG for msrpc, for example:
http://www.cisco.com/en/US/docs/routers/asr1000/technical_references/asr1000alg_support.pdf
http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/fw-msrpc-supp.pdf
I also have done this on an ASA before using the following:
policy-map type inspect dcerpc dcerpc_map
 timeout pinhole 0:10:00
!
class-map dcerpc
 match port tcp eq 135
!
policy-map global-policy
 class dcerpc
  inspect dcerpc dcerpc_map
!
service-policy global-policy global
At this point, I'm thinking IOS doesn't support ALG functions except for what's actually listed in the 'show ip inspect ?' list:
aol Configure Firewall class-map for IM-AOL protocol
edonkey eDonkey
fasttrack FastTrack Traffic - KaZaA, Morpheus, Grokster...
gnutella Gnutella Version2 Traffic - BearShare, Shareeza, Morpheus ...
h323 Configure Firewall class-map for H323 protocol
http Configure Firewall class-map for HTTP protocol
icq Configure Firewall class-map for IM-ICQ protocol
imap Configure Firewall class-map for IMAP protocol
kazaa2 Kazaa Version 2
msnmsgr Configure Firewall class-map for IM-MSN protocol
pop3 Configure Firewall class-map for POP3 protocol
sip Configure Firewall class-map for SIP protocol
smtp Configure Firewall class-map for SMTP protocol
sunrpc Configure Firewall class-map for RPC protocol
winmsgr Configure Firewall class-map for IM-WINMSGR protocol
ymsgr Configure Firewall class-map for IM-YAHOO protocol
Thoughts?
It would also be nice if I could create a custom nbar match criteria and map a udp port number and timeout to the match. This could make a hell of an ALG within IOS.
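For anyone testing the same thing, this is what an msrpc ALG actually has to pull out of the End Point Mapper reply before it can open the pinhole, which is the step that appears to be missing when only port 135 is matched. It is an added Python example written for this thread, not code from Cisco or from the posts above; it builds a constructed ept_map tower in the DCE/RPC C706 floor layout and parses back the dynamic address and port. The function names (build_tower, parse_tower, pinhole_for) and the sample UUID and addresses are my own.

```python
import struct
import uuid
# Protocol tower floor identifiers (DCE/RPC C706, Appendix I).
FLOOR_UUID, FLOOR_RPC_CO, FLOOR_TCP, FLOOR_UDP, FLOOR_IP = 0x0D, 0x0B, 0x07, 0x08, 0x09
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax v2
def build_tower(iface: str, ip: str, port: int, proto: int = FLOOR_TCP) -> bytes:
    """Encode the five-floor tower an ept_map reply carries (constructed sample input)."""
    floors = [
        (bytes([FLOOR_UUID]) + uuid.UUID(iface).bytes_le + struct.pack("<H", 1), struct.pack("<H", 0)),
        (bytes([FLOOR_UUID]) + NDR_SYNTAX.bytes_le + struct.pack("<H", 2), struct.pack("<H", 0)),
        (bytes([FLOOR_RPC_CO]), struct.pack("<H", 0)),
        (bytes([proto]), struct.pack(">H", port)),  # the dynamic port, big-endian on the wire
        (bytes([FLOOR_IP]), bytes(int(o) for o in ip.split("."))),
    ]
    out = struct.pack("<H", len(floors))  # floor count is little-endian
    for lhs, rhs in floors:
        out += struct.pack("<H", len(lhs)) + lhs + struct.pack("<H", len(rhs)) + rhs
    return out

def parse_tower(tower: bytes) -> dict:
    """Walk the floors and pull out the interface UUID and the transport endpoint."""
    if len(tower) < 2:
        raise ValueError("tower too short")
    (count,) = struct.unpack_from("<H", tower, 0)
    pos, ep = 2, {"interface": None, "transport": None, "ip": None, "port": None}
    for _ in range(count):
        if pos + 2 > len(tower):
            raise ValueError("truncated floor")
        (lhs_len,) = struct.unpack_from("<H", tower, pos)
        lhs = tower[pos + 2:pos + 2 + lhs_len]
        pos += 2 + lhs_len
        if not lhs or len(lhs) != lhs_len or pos + 2 > len(tower):
            raise ValueError("truncated floor")  # never trust the advertised lengths
        (rhs_len,) = struct.unpack_from("<H", tower, pos)
        rhs = tower[pos + 2:pos + 2 + rhs_len]
        pos += 2 + rhs_len
        if len(rhs) != rhs_len:
            raise ValueError("truncated floor")
        if lhs[0] == FLOOR_UUID and ep["interface"] is None:
            ep["interface"] = str(uuid.UUID(bytes_le=lhs[1:17]))  # first UUID floor = interface
        elif lhs[0] in (FLOOR_TCP, FLOOR_UDP) and len(rhs) == 2:
            ep["transport"] = "tcp" if lhs[0] == FLOOR_TCP else "udp"
            ep["port"] = struct.unpack(">H", rhs)[0]
        elif lhs[0] == FLOOR_IP and len(rhs) == 4:
            ep["ip"] = ".".join(str(b) for b in rhs)
    return ep
def pinhole_for(tower: bytes):
    """What an msrpc ALG would have to open after seeing this reply: (proto, ip, port) or None."""
    ep = parse_tower(tower)
    return None if ep["port"] is None or ep["ip"] is None else (ep["transport"], ep["ip"], ep["port"])
```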