I just installed version 8.0(3) on an ASA 5510 so that I could get support for dcerpc application inspection.
I added the following to the configuration (10.2.x.x on outside and 10.1.x.x on inside):
access-list OUTSIDE-IN permit tcp host 10.2.1.1 host 10.1.1.1 eq 135
I also added the default "inspect dcerpc" statement. After doing this the firewall began creating the dcerpc pinholes as I would expect. However, I still see some connections being denied on TCP ports that dcerpc is opening. For example, a "show conn" reveals the following connection (among others):
TCP outside 10.2.1.1:1288 inside 10.1.1.1:1116, idle 0:00:12, bytes 19433, flags UIOB
Yet I also see these log messages:
May 28 2008 13:28:31: %ASA-4-106023: Deny tcp src outside:10.2.1.1/4844 dst inside:10.1.1.1/1116 by access-group "OUTSIDE-IN" [0x502c4bfb, 0x0]
In other words, a machine on the outside is able to connect to an inside machine on TCP port 1116, as evidenced by the "show conn" command. Since the only explicitly allowed access is to port 135 (dcerpc), I surmise that this must be a pinhole opened by the dcerpc inspection. However, when the same outside machine attempts to open another connection to port 1116 on the same inside machine, it is denied.
Is this by design? Will dcerpc inspection allow only a single connection to the destination port?
Also, does anyone know what the following dcerpc inspection parameters are for?
endpoint-mapper [epm-service-only] [lookup-operation]
The description for the epm-service-only parameter says "The epm-service-only keyword enforces endpoint mapper service during binding so that only its service traffic is processed". OK. What does that mean? "The lookup-operation keyword enables the lookup operation of the endpoint mapper service". Not sure what that means either.
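As an added example (not part of the post above or of any Cisco tooling), the following Python script correlates %ASA-4-106023 deny messages with "show conn" output so that denies aimed at a port the inspection engine has already opened can be told apart from ordinary ACL denies. The sample lines are constructed from the formats quoted in the post, and the static permit set is assumed from the OUTSIDE-IN access list shown there.

```python
import re

# Constructed sample data, modelled on the "show conn" and 106023 formats quoted in the post.
SHOW_CONN = """\
TCP outside 10.2.1.1:1288 inside 10.1.1.1:1116, idle 0:00:12, bytes 19433, flags UIOB
TCP outside 10.2.1.1:1290 inside 10.1.1.1:135, idle 0:00:03, bytes 2210, flags UIOB
"""
SYSLOG = """\
May 28 2008 13:28:31: %ASA-4-106023: Deny tcp src outside:10.2.1.1/4844 dst inside:10.1.1.1/1116 by access-group "OUTSIDE-IN" [0x502c4bfb, 0x0]
May 28 2008 13:28:40: %ASA-4-106023: Deny tcp src outside:10.2.1.1/4850 dst inside:10.1.1.1/445 by access-group "OUTSIDE-IN" [0x502c4bfb, 0x0]
May 28 2008 13:28:41: %ASA-4-106023: Deny tcp src outside:10.2.9.9/4000 dst inside:10.1.1.1/1116 by access-group "OUTSIDE-IN" [0x502c4bfb, 0x0]
"""
# Assumed static permits, taken from the OUTSIDE-IN ACL in the post: (src, dst, dport).
STATIC_PERMITS = {("10.2.1.1", "10.1.1.1", 135)}

CONN_RE = re.compile(r"^(?P<proto>\w+) \S+ (?P<src>[\d.]+):(?P<sport>\d+) \S+ (?P<dst>[\d.]+):(?P<dport>\d+),")
DENY_RE = re.compile(r'%ASA-4-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) '
                     r'dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')

def parse_conns(text):
    """Return the set of (src, dst, dport) tuples present in 'show conn' output."""
    conns = set()
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.add((m["src"], m["dst"], int(m["dport"])))
    return conns

def parse_denies(text):
    """Yield one dict per 106023 deny message; any other syslog line is ignored."""
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            yield {"src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
                   "dport": int(m["dport"]), "acl": m["acl"], "proto": m["proto"]}

def classify(deny, conns, permits):
    """Explain one deny against the currently open connections and the static permits."""
    key = (deny["src"], deny["dst"], deny["dport"])
    if key in permits:
        return "denied-despite-static-permit"       # a static rule should have matched: review config
    if key in conns:
        return "second-flow-to-open-pinhole-port"   # the behaviour the post describes
    if any(d == deny["dst"] and p == deny["dport"] for _, d, p in conns):
        return "other-source-to-open-pinhole-port"  # port is open, but only for a different peer
    return "no-matching-rule"                       # an ordinary ACL deny

def correlate(show_conn, syslog, permits=STATIC_PERMITS):
    """Attach a category to every 106023 deny found in the syslog text."""
    conns = parse_conns(show_conn)
    return [dict(d, category=classify(d, conns, permits)) for d in parse_denies(syslog)]

if __name__ == "__main__":
    for r in correlate(SHOW_CONN, SYSLOG):
        print(f'{r["src"]}/{r["sport"]} -> {r["dst"]}/{r["dport"]}: {r["category"]}')
```

Feeding it a real "show conn" capture and the matching syslog slice shows at a glance whether the denied flows are all follow-on connections to pinhole ports, which is the pattern that points at the single-pinhole question rather than at a plain ACL gap.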