ASA DCERPC inspection not working properly

Unanswered Question
Dec 2nd, 2009

Hi there,

I'm attempting to configure DCERPC inspection on an ASA5510 and I'm running into problems.  My goal is to allow connections from a host on a DMZ interface to a host on the inside interface.

I first added an ACL entry on the DMZ interface to allow connections from Host A to Host B on TCP/135.

I then added the following class-map/policy-map/service-policy commands (copied almost verbatim from

class-map dcerpc
  match port tcp eq 135

policy-map type inspect dcerpc dcerpc_map
  endpoint-mapper lookup-operation
  timeout pinhole 0:05:00

policy-map global_policy
  class inspection_default
    inspect dcerpc dcerpc_map

It appears that the initial connection works, but I still see errors in the log about traffic being denied from Host A to Host B on TCP ports >1024.

Can anyone help me figure out what I'm doing wrong? I've tried changing the policy-map to not use the endpoint mapper, but that had no effect.

Thanks in advance,


Herbert Baerten Wed, 12/02/2009 - 06:23

To start with the obvious: did you apply the policy?

i.e. do you have:

service-policy global_policy global

or something similar (e.g. you can apply it to the DMZ interface instead of using it globally)?

If yes, can you check:

show service-policy

sh asp table classify domain inspect-dcerpc
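
Two things worth checking once the commands above have been run, written up as an added Python example (this is not code from the thread or from Cisco): first, that `show service-policy` actually lists `Inspect: dcerpc dcerpc_map` under the policy, and whether its packet counter is moving; second, which high destination ports the syslog denies between Host A and Host B are hitting, since with working DCERPC inspection those endpoint-mapper-assigned ports should be opened by pinholes rather than denied by the ACL. The `show service-policy` output and the `%ASA-4-106023` syslog lines below are constructed samples in the usual ASA layout (the thread does not quote either), and the addresses 10.10.10.5 (Host A on dmz) and 192.168.1.20 (Host B on inside) are hypothetical.

```python
import re
from collections import Counter

# Constructed sample of `show service-policy` output. Assumption: this is the
# usual ASA layout; the thread itself does not quote the command's output.
SAMPLE_SERVICE_POLICY = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 120, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: dcerpc dcerpc_map, packet 0, drop 0, reset-drop 0
"""

# Constructed ASA syslog lines. Hypothetical hosts: Host A = 10.10.10.5 on
# dmz, Host B = 192.168.1.20 on inside. %ASA-4-106023 is the ACL deny message.
SAMPLE_SYSLOG = """\
%ASA-6-302013: Built inbound TCP connection 1001 for dmz:10.10.10.5/49321 (10.10.10.5/49321) to inside:192.168.1.20/135 (192.168.1.20/135)
%ASA-4-106023: Deny tcp src dmz:10.10.10.5/49322 dst inside:192.168.1.20/49155 by access-group "dmz_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src dmz:10.10.10.5/49323 dst inside:192.168.1.20/49155 by access-group "dmz_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src dmz:10.10.10.5/49324 dst inside:192.168.1.20/49160 by access-group "dmz_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src dmz:10.10.10.9/50001 dst inside:192.168.1.20/445 by access-group "dmz_in" [0x0, 0x0]
"""

# "Inspect: <name> [<map>], packet N, drop N, ..." lines of show service-policy
INSPECT_RE = re.compile(
    r"^\s*Inspect:\s+(\S+)(?:\s+(\S+))?,\s+packet\s+(\d+),\s+drop\s+(\d+)"
)
# ACL deny message: interface:ip/port for both source and destination
DENY_RE = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>tcp|udp) "
    r"src (?P<sif>\S+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\S+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_service_policy(text):
    """Return one dict per 'Inspect:' line with its scope, policy and class-map."""
    entries = []
    scope = policy = cls = None
    for line in text.splitlines():
        s = line.strip()
        if s == "Global policy:":
            scope = "global"
        elif s.startswith("Interface ") and s.endswith(":"):
            scope = s[len("Interface "):-1]          # e.g. "Interface dmz:"
        elif s.startswith("Service-policy:"):
            policy = s.split(":", 1)[1].strip()
        elif s.startswith("Class-map:"):
            cls = s.split(":", 1)[1].strip()
        else:
            m = INSPECT_RE.match(line)
            if m:
                entries.append({
                    "scope": scope, "policy": policy, "class_map": cls,
                    "inspection": m.group(1), "map": m.group(2),
                    "packets": int(m.group(3)), "drops": int(m.group(4)),
                })
    return entries


def dcerpc_status(text, policy_map="dcerpc_map"):
    """Summarise whether dcerpc inspection is applied, where, and with which map.

    A packet count of 0 means no TCP/135 traffic has been classified into the
    inspection at all, which points at the policy/class rather than the map."""
    hits = [e for e in parse_service_policy(text) if e["inspection"] == "dcerpc"]
    if not hits:
        return {"applied": False,
                "reason": "no 'Inspect: dcerpc' line in show service-policy"}
    e = hits[0]
    return {"applied": True, "scope": e["scope"], "class_map": e["class_map"],
            "map_matches": e["map"] == policy_map, "packets": e["packets"]}


def high_port_denies(log_text, src, dst, low=1024):
    """Count ACL denies from src to dst on destination ports above `low`,
    keyed by destination port. Working dcerpc inspection should pinhole these
    endpoint-mapper-assigned ports, so hits here mean no pinhole was opened."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m or m.group("src") != src or m.group("dst") != dst:
            continue
        dport = int(m.group("dport"))
        if dport > low:
            counts[dport] += 1
    return dict(counts)


if __name__ == "__main__":
    print("dcerpc inspection:", dcerpc_status(SAMPLE_SERVICE_POLICY))
    print("denied high ports A->B:",
          high_port_denies(SAMPLE_SYSLOG, "10.10.10.5", "192.168.1.20"))
```

Paste the real `show service-policy` output and a chunk of syslog into the two sample strings (or read them from files) and run it; an `applied: True` with `packets: 0` alongside a non-empty deny dictionary is the combination that says the policy is attached but the TCP/135 traffic is never reaching the inspection engine.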

branfarm1 Wed, 12/02/2009 - 06:27

Hi Herbert,

Thanks for the reply.  Yes -- I do have the policy applied.  I had the default inspection policy applied prior to configuring this and I simply wanted to add DCERPC inspection.

Kureli Sankar Tue, 08/10/2010 - 10:56

Please take a look at both the defects. The first one is documentation only. The second one is an enhancement defect which is not resolved yet.

What do you see in "debug dcerpc event/packet/error"?
