"inspect dcerpc" question

jedavis
Level 4

I just installed version 8.0(3) on an ASA 5510 so that I could get support for dcerpc application inspection.

I added the following to the configuration (10.2.x.x on outside and 10.1.x.x on inside):

access-list OUTSIDE-IN permit tcp host 10.2.1.1 host 10.1.1.1 eq 135

I also added the default "inspect dcerpc" statement. After doing this the firewall began creating the dcerpc pinholes as I would expect. However, I still see some connections being denied on TCP ports that dcerpc is opening. For example, a "show conn" reveals the following connection (among others):

TCP outside 10.2.1.1:1288 inside 10.1.1.1:1116, idle 0:00:12, bytes 19433, flags UIOB

Yet I also see these log messages:

May 28 2008 13:28:31: %ASA-4-106023: Deny tcp src outside:10.2.1.1/4844 dst inside:10.1.1.1/1116 by access-group "OUTSIDE-IN" [0x502c4bfb, 0x0]

In other words, a machine on the outside is able to connect to an inside machine on TCP port 1116 as evidenced by the "show conn" command. Since the only explicitly allowed access is to port 135 (dcerpc), then I surmise that this must be a pinhole opened by the dcerpc inspection. However, when the same outside machine attempts to open another connection to port 1116 on the same inside machine, it is denied.

Is this by design? Will dcerpc inspection allow only a single connection to the destination port?

Also, does anyone know what the following dcerpc inspection parameters are for?

endpoint-mapper [epm-service-only] [lookup-operation]

The description for the epm-service-only parameter says "The epm-service-only keyword enforces endpoint mapper service during binding so that only its service traffic is processed". Ok. What does that mean? "The lookup-operation keyword enables the lookup operation of the endpoint mapper service". Not sure what that means either.

TIA

1 Reply

smahbub
Level 6

To enable inspection of DCERPC traffic destined for the endpoint-mapper, use the inspect dcerpc command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.

inspect dcerpc [map_name]

no inspect dcerpc [map_name]
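As an added example (not posted by either participant above), the following ASA 8.0 Modular Policy Framework fragment shows where the `inspect dcerpc [map_name]` command from the reply sits relative to the access list from the question. The class-map and policy-map names (`DCERPC-CLASS`, `DCERPC-MAP`) and the pinhole timeout value are assumptions chosen for illustration; the addresses and the `OUTSIDE-IN` access list are the ones given in the question. The `endpoint-mapper` line uses the `epm-service-only` keyword the question asks about.

```cisco
! Added example configuration; names DCERPC-CLASS and DCERPC-MAP are assumed.
! Only the endpoint-mapper port (TCP 135) is opened statically; the data
! ports negotiated over it are expected to be pinholed by the inspection.
access-list OUTSIDE-IN permit tcp host 10.2.1.1 host 10.1.1.1 eq 135
access-group OUTSIDE-IN in interface outside

! Match the endpoint-mapper traffic that the inspection engine should see.
class-map DCERPC-CLASS
 match port tcp eq 135

! Optional inspection policy map; this is the [map_name] in "inspect dcerpc [map_name]".
policy-map type inspect dcerpc DCERPC-MAP
 parameters
  ! How long a negotiated pinhole stays open without traffic (hh:mm:ss); value assumed.
  timeout pinhole 0:10:00
  ! Keyword from the question: restrict processing to endpoint-mapper service traffic.
  endpoint-mapper epm-service-only

! Attach the inspection to the class inside the global policy.
policy-map global_policy
 class DCERPC-CLASS
  inspect dcerpc DCERPC-MAP

service-policy global_policy global
```

After applying this, `show service-policy inspect dcerpc` reports the inspection statistics for the class, and `show conn` (as used in the question) lists the dynamically opened data connections alongside the port 135 control connection, which is how to confirm the pinholes are being created from the inspected traffic rather than from the access list.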
