ASA handling of dynamic RPC ports? If yes, how?

Unanswered Question
Jun 20th, 2010

One of my clients has upgraded their Microsoft as well as network infrastructure. Now Exchange 2010 and Windows Server 2008 would be in DMZs. The
Microsoft consultant informs us that the Windows clients on the inside network will be using RPC to communicate with servers in the DMZ for several
kinds of communication; for example, when a client goes to authenticate with LDAP, they will communicate on random ports.

Now the requirement is not to use an *any* clause in the ACL. Is there a way that I can cater for dynamic ports using ILS or something else?

Marcin Latosiewicz Sun, 06/20/2010 - 03:35

Omair,

What port is the initial RPC exchange done on?

Truth be told, if the newly allocated port is not communicated within a standard stream, the ASA will not inspect it and will not open a port dynamically, since it does not know which ports it should open.

We have sunrpc inspection, but it only inspects tcp/111 AFAIR.

We also have dcerpc inspection ... tcp/135.

Let me know how it goes...

Marcin

abu_khair Mon, 06/21/2010 - 05:15

Hi Marcin:

I am having a problem with DCERPC. We have two FWSM firewalls, version 4.0(11), in an active/standby failover configuration. We are using the default DCERPC inspection, as follows:

class-map inspection_default
 description Default Inspection
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dcerpc
!
service-policy global_policy global

TCP/135 is allowed, but the inspection is not working as expected, since some ports are getting blocked:

2|Jun 21 2010 13:15:00|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4780) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:01|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.15(2554) -> SRVRS/10.1.0.20(1026) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:05|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4781) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:10|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4783) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:14|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.18(1413) -> SRVRS/10.1.0.53(1073) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:15|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4784) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:20|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4785) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:23|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.15(2558) -> SRVRS/10.1.0.20(1026) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:25|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4786) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:30|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4788) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]

I have tried to customize the DCERPC inspection, but it did not work:

policy-map type inspect dcerpc DCEPRC
 description DCERPC
 parameters
  endpoint-mapper lookup-operation timeout 0:15:00
  timeout pinhole 0:15:00

Would you please advise?
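The deny messages in the post above are the quickest evidence of which dynamic endpoints the inspection engine failed to pinhole. As an added example that is not part of this thread, the Python script below parses %FWSM-2-106100 messages in the layout shown there, groups the denied flows by destination host and port, and lists the pairs that fall outside the statically permitted service ports. The sample lines are copied from the post; the set of statically permitted ports (STATIC_PORTS) and the function names are assumptions made for the example.

```python
"""Triage FWSM/ASA %FWSM-2-106100 ACL-deny messages for dynamic RPC ports.

Added example (not from the thread). Assumes the syslog layout shown in the
post: "<sev>|<timestamp>|106100: access-list <acl> denied <proto>
<in_if>/<src>(<sport>) -> <out_if>/<dst>(<dport>) hit-cnt <n> ...".
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumption: ports the ACL already permits statically (adjust to the real
# rulebase). Any other denied destination port toward the servers is a
# candidate dynamic endpoint that dcerpc inspection should have pinholed.
STATIC_PORTS = frozenset({88, 135, 389, 445, 636, 3268, 3269})

_RE_106100 = re.compile(
    r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<in_if>[^/\s]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<out_if>[^/\s]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) "
    r"hit-cnt (?P<hits>\d+)"
)

# Sample input copied from the post above (the first three denied flows).
SAMPLE_LOG = """\
2|Jun 21 2010 13:15:00|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4780) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:01|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.15(2554) -> SRVRS/10.1.0.20(1026) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:05|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4781) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:10|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4783) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:14|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.18(1413) -> SRVRS/10.1.0.53(1073) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:15|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4784) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:20|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4785) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:23|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.15(2558) -> SRVRS/10.1.0.20(1026) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:25|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4786) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
2|Jun 21 2010 13:15:30|106100: access-list untrusted_access_in denied tcp untrusted/10.30.8.19(4788) -> SRVRS/10.1.0.15(34509) hit-cnt 1 (first hit) [0x1311d5e7, 0x0]
"""


def parse_106100(line):
    """Return the message fields as a dict, or None if the line is not a 106100."""
    m = _RE_106100.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %Y %H:%M:%S")
    for key in ("sev", "sport", "dport", "hits"):
        rec[key] = int(rec[key])
    return rec


def summarize_denies(lines, proto="tcp"):
    """Group denied flows by (dst, dport): summed hit count, sources, time span."""
    out = defaultdict(lambda: {"count": 0, "sources": set(), "first": None, "last": None})
    for line in lines:
        rec = parse_106100(line)
        if rec is None or rec["action"] != "denied" or rec["proto"] != proto:
            continue
        entry = out[(rec["dst"], rec["dport"])]
        entry["count"] += rec["hits"]
        entry["sources"].add(rec["src"])
        entry["first"] = rec["ts"] if entry["first"] is None else min(entry["first"], rec["ts"])
        entry["last"] = rec["ts"] if entry["last"] is None else max(entry["last"], rec["ts"])
    return dict(out)


def candidate_pinholes(lines, static_ports=STATIC_PORTS):
    """Denied (dst, dport) pairs that are not statically permitted service ports.

    These are the endpoints the endpoint mapper on tcp/135 most likely handed
    out to the clients, i.e. what to compare against the pinholes the
    inspection engine actually opened.
    """
    summary = summarize_denies(lines)
    return sorted(pair for pair in summary if pair[1] not in static_ports)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    summary = summarize_denies(lines)
    for dst, dport in candidate_pinholes(lines):
        e = summary[(dst, dport)]
        span = int((e["last"] - e["first"]).total_seconds())
        print(f"{dst}:{dport}  denied {e['count']}x from {sorted(e['sources'])} over {span}s")
```

Run it against the exported syslog instead of SAMPLE_LOG and the pairs it prints are the ones to check against the firewall's own state for the same client (`show conn` for the client's tcp/135 session, and the dcerpc counters under `show service-policy inspect dcerpc`): if the tcp/135 session exists but no pinhole appears for the denied port, the inspection engine never saw the endpoint-mapper reply that carried it, which is the situation Marcin describes.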
