
Firewalling Microsoft DCOM

Unanswered Question
Jan 10th, 2014

Hi,


We are running Cisco ASA 2220 version 8.4(3).

In previous attempts we have been unable to firewall Microsoft DCOM communications and generally any Microsoft RPC comms although the last time we attempted we were running an older model of Cisco ASA.


Is it possible to use a policy map to correctly open the pinholes for Microsoft RPC communications? If so what version of IOS is required and would anyone have a configuration example?


Has anyone had success with this?


Many thanks in advance.
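As an added example (not posted by anyone in this thread, and not a configuration from the asker's ASA), this is the shape of a DCE/RPC inspection policy on ASA 8.4 software; the map name dcerpc_map is an assumption, while global_policy and inspection_default are the ASA default names.

```cisco
! Added example, not from this thread. DCE/RPC inspection watches the
! endpoint-mapper exchange on tcp/135 and opens a pinhole only for the
! dynamic port the server hands back, so the high ports need no static
! permit. Map name dcerpc_map is an assumption.
policy-map type inspect dcerpc dcerpc_map
 parameters
  ! Idle lifetime of an opened pinhole (ASA default is 2 minutes).
  timeout pinhole 0:10:00
  ! Allow only endpoint-mapper service traffic on 135, and also open
  ! pinholes for Lookup operations, which some clients use instead of Map.
  endpoint-mapper epm-service-only lookup-operation
!
! Attach the map in the default global policy. class inspection_default
! already matches tcp/135 via match default-inspection-traffic.
policy-map global_policy
 class inspection_default
  inspect dcerpc dcerpc_map
!
service-policy global_policy global
!
! Verify per-interface inspector counters after a test run:
! show service-policy inspect dcerpc
```

Traffic the inspector rejects is dropped by the inspection engine rather than by an access list, so it appears in the inspect counters and as "terminated by inspection engine" syslogs, not as access-list denies.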

m.kafka Sat, 01/11/2014 - 05:41
User Badges:
  • Bronze, 100 points or more

Addendum: Yes, I used it a couple of times with different requirements; one time I remember I had to update the ASA to whatever to support DCERPC without endpointmapper (was some OWA frontend on a DMZ talking to an Exchange on the inside).

tekgem123 Wed, 01/22/2014 - 05:35

Hi,


So I set up a lab for testing... specifically a client/server application called Microsoft Data Protection Manager (backup application) which makes use of DCOM for agent communications.

The lab consists of Cisco ASA with inside (security-level 100) and outside interface (security-level 0) and a DCOM client and server on each side of the firewall.


Interestingly when I use the dcerpc policy map and test using a simple dcom test application from Microsoft it is successful and correctly opens up the pinholes for DCOM.


As soon as I try to use Microsoft DPM the communications fail, but I don't see any denied traffic, so it must be hitting the rule but failing. I just wonder if some of the inbound traffic is not being inspected and is being dropped rather than denied.


Any ideas how to troubleshoot further?

tekgem123 Thu, 01/23/2014 - 03:14

Just an update: I have another tool provided by Microsoft for testing dcerpc tcp 135 called portqry.


When I run this tool on the server located on the outside interface I get the following:

Deny TCP (no connection) from 192.168.254.10/50341 to 192.168.253.11/135 flags PSH ACK on interface outside


When I run this tool on the client located on the inside interface I get the following:

tcp flow from inside:192.168.253.11/58151 to outside:192.168.254.10/135 terminated by inspection engine, reason - proxy inspector disconnected, dropped packet.

Deny TCP (no connection) from 192.168.253.11/58173 to 192.168.254.10/135 flags PSH ACK on interface inside.


Any ideas?
