I'm attempting to configure DCERPC inspection on an ASA5510 and I'm running into problems. My goal is to allow connections from a host on a DMZ interface to a host on the inside interface.
I first added an ACL entry on the DMZ interface to allow connections from Host A to Host B on TCP/135.
I then added the following class-map/policy-map/service-policy commands (copied almost verbatim from http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1725357):
match port tcp eq 135
policy-map type inspect dcerpc dcerpc_map
timeout pinhole 0:05:00
inspect dcerpc dcerpc_map
It appears that the initial connection works, but I still see errors in the log about traffic being denied from Host A to Host B on TCP ports >1024.
Can anyone help me figure out what I'm doing wrong? I've tried changing the policy-map to not use the endpoint mapper, but that had no effect.
Thanks in advance,
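For reference, here is the complete class-map/policy-map/service-policy set that the linked command reference builds, with the surrounding lines the post leaves out, plus the show commands used to confirm that the inspection engine is actually seeing the endpoint-mapper exchange and opening pinholes. This is an added example, not configuration from the original post or from Cisco's page; the ACL and class-map names, the interface names dmz/inside, and the addresses are assumptions chosen for illustration.

```cisco
! Added example (not from the original post). Names, interfaces and
! addresses below are assumed for illustration only.
!
! 1. The ACL on the DMZ interface only needs to permit TCP/135. The
!    dynamic ports that the server hands back through the endpoint
!    mapper are admitted through pinholes opened by the inspection
!    engine, not through ACL entries.
access-list dmz_in extended permit tcp host 192.0.2.10 host 198.51.100.20 eq 135
access-group dmz_in in interface dmz
!
! 2. Layer 3/4 class-map that selects the endpoint-mapper connection.
class-map dcerpc_class
  match port tcp eq 135
!
! 3. Inspection parameters: a pinhole for a negotiated port stays open
!    for five minutes after the EPM response that announced it.
policy-map type inspect dcerpc dcerpc_map
  parameters
    timeout pinhole 0:05:00
!
! 4. Attach the inspection to the default global policy (or to a policy
!    applied on the dmz interface, the interface on which the client's
!    connections enter the firewall).
policy-map global_policy
  class dcerpc_class
    inspect dcerpc dcerpc_map
service-policy global_policy global
!
! 5. Verification. The first command shows the inspect counters for the
!    DCERPC engine; the second shows the connections and any pinholes
!    (secondary connections) the firewall currently holds for the client.
! show service-policy inspect dcerpc
! show conn detail address 192.0.2.10
```

The check a practitioner wants when high ports are still being denied: confirm with `show service-policy inspect dcerpc` that the packet counters for the class are non-zero, which proves the TCP/135 exchange is being matched and inspected in the first place. A pinhole exists only for an endpoint the engine learned on an inspected TCP/135 connection; if the client reaches the dynamic port through an earlier cached binding, through a TCP/135 connection the class does not match, or after the pinhole timeout has expired, the secondary connection falls back to the interface ACL, which only permits 135, and the log shows exactly the denies on ports above 1024 described in the post.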