ASA and Dynamic Opening of MS-RPC Ports

Unanswered Question
Jun 18th, 2009

Hi team

Can anyone shed light on whether Cisco ASA 8.0 and higher can support MS-RPC dynamic port assignment? Instead of opening high ports 1025-65535 for MS-RPC services, does the ASA have an application inspection and a predefined service for MS-RPC-ANY, whereby it intelligently allows client-server connections using pinholes and closes them dynamically?

0 votes
Overall Rating: 5 (2 ratings)
Kirupairajah Sa... Thu, 04/24/2014 - 01:37

Since RPC uses random ports above 1024, they need to be pinholed. The RPC Endpoint Mapper (EPM), running on TCP 135, is queried for the random ports. So TCP 135 should be allowed in the ACL, and the policy map below will be configured to allow RPC under the global_policy map.

 ! DCERPC inspection policy: the pinhole timeout lives under "parameters"
 policy-map type inspect dcerpc dcerpc_map
  parameters
   timeout pinhole 0:10:00

 ! Match the endpoint mapper (TCP 135) so its replies are inspected
 class-map dcerpc
  match port tcp eq 135

 ! Apply the inspection in the global policy (already bound on a default
 ! ASA with "service-policy global_policy global")
 policy-map global_policy
  class dcerpc
   inspect dcerpc dcerpc_map

Verify the above using show run policy-map.

Satheesh CCIE# 38651 R&S
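As an added example (not part of the original thread and not a Cisco tool), the following Python script audits an ASA running-config excerpt for the DCERPC inspection setup described in the answer above: a dcerpc inspection policy map with a pinhole timeout, a class matching TCP 135, the inspect statement under global_policy, the global service-policy binding, and, as the anti-pattern the question mentions, an ACL that blanket-permits the 1025-65535 high-port range. The two sample configs, the ACL name outside_in and the host 10.0.0.5 are constructed for the example.

```python
"""Audit an ASA running-config excerpt for MS-RPC (DCERPC) inspection."""
import re
from dataclasses import dataclass, field


@dataclass
class AuditResult:
    dcerpc_maps: dict = field(default_factory=dict)        # map name -> pinhole timeout or None
    epm_classes: list = field(default_factory=list)        # class-maps matching tcp/135
    inspected_classes: list = field(default_factory=list)  # (class, map) under global_policy
    global_applied: bool = False
    wide_open_acls: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def parse_blocks(config: str):
    """Split ASA config text into (header, [sub-lines]) blocks.

    A block starts at a non-indented line; the indented lines that follow it
    belong to that block. '!' separator lines and blank lines are skipped.
    """
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] != " ":
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def audit_dcerpc(config: str) -> AuditResult:
    """Collect the DCERPC-relevant statements and derive findings."""
    r = AuditResult()
    for header, body in parse_blocks(config):
        m = re.match(r"policy-map type inspect dcerpc (\S+)", header)
        if m:
            timeout = None
            for line in body:
                t = re.match(r"timeout pinhole (\S+)", line)
                if t:
                    timeout = t.group(1)
            r.dcerpc_maps[m.group(1)] = timeout
            continue
        m = re.match(r"class-map (\S+)$", header)
        if m:
            if any(re.match(r"match port tcp eq (135|epmap)$", l) for l in body):
                r.epm_classes.append(m.group(1))
            continue
        if header == "policy-map global_policy":
            current = None
            for line in body:
                c = re.match(r"class (\S+)", line)
                if c:
                    current = c.group(1)
                i = re.match(r"inspect dcerpc (\S+)", line)
                if i and current:
                    r.inspected_classes.append((current, i.group(1)))
            continue
        if re.match(r"service-policy global_policy global", header):
            r.global_applied = True
            continue
        # Workaround the question mentions: opening the whole high-port range
        if re.match(r"access-list \S+ .*permit tcp .* range 1025 65535", header):
            r.wide_open_acls.append(header)

    for cls, name in r.inspected_classes:
        if cls not in r.epm_classes:
            r.findings.append(f"class {cls} gets inspect dcerpc but does not match tcp/135 (EPM)")
        if name not in r.dcerpc_maps:
            r.findings.append(f"inspect dcerpc references undefined policy-map {name}")
        elif r.dcerpc_maps[name] is None:
            r.findings.append(f"policy-map {name} sets no explicit pinhole timeout (platform default applies)")
    if not r.inspected_classes:
        r.findings.append("no 'inspect dcerpc' under policy-map global_policy: RPC high ports will not be pinholed")
    if not r.global_applied:
        r.findings.append("global_policy is not bound with 'service-policy global_policy global'")
    for acl in r.wide_open_acls:
        r.findings.append(f"ACL permits the whole 1025-65535 range instead of relying on inspection: {acl}")
    return r


def is_hardened(config: str) -> bool:
    """True when the excerpt shows dcerpc inspection and no high-port blanket permit."""
    return not audit_dcerpc(config).findings


# Constructed sample: the setup from the answer, plus the global binding.
GOOD_CONFIG = """\
access-list outside_in extended permit tcp any host 10.0.0.5 eq 135
!
class-map inspection_default
 match default-inspection-traffic
class-map dcerpc
 match port tcp eq 135
!
policy-map type inspect dcerpc dcerpc_map
 parameters
  timeout pinhole 0:10:00
!
policy-map global_policy
 class dcerpc
  inspect dcerpc dcerpc_map
!
service-policy global_policy global
"""

# Constructed sample: no inspection, high ports opened wholesale instead.
BAD_CONFIG = """\
access-list outside_in extended permit tcp any host 10.0.0.5 eq 135
access-list outside_in extended permit tcp any host 10.0.0.5 range 1025 65535
!
policy-map global_policy
 class inspection_default
  inspect dns
!
service-policy global_policy global
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        result = audit_dcerpc(cfg)
        print(f"{label}: {'OK' if not result.findings else 'FINDINGS'}")
        for f in result.findings:
            print("  -", f)
```

The audit only reads the excerpt you hand it, so feed it the output of show run policy-map, show run class-map, show run service-policy and the relevant access-list lines together; a class that is inspected but does not match TCP 135 is reported separately from a missing inspect statement, because the two are fixed in different places.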