Cisco Support Community
New Member

ASA and Dynamic Opening of MS-RPC Ports

Hi team

Can anyone shed light on whether Cisco ASA 8.0 and higher can support MS-RPC dynamic port assignment? Instead of opening high ports 1025-65535 for MS-RPC services, does the ASA have an application inspection and predefined service for MS-RPC-ANY, whereby it intelligently allows client-server connections using pinholes and closes them dynamically?

2 REPLIES
Cisco Employee

Re: ASA and Dynamic Opening of MS-RPC Ports

Yes it does. Please read here:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1725357

Sample config is there in the above link as well.

Since RPC uses random ports

Since RPC uses random ports above 1024, they need to be pinholed. The RPC Endpoint Mapper (EPM) running on TCP 135 will be queried for the random ports, so TCP 135 should be allowed in the ACL and the policy map below will be configured to allow RPC under the global_policy policy map.

! DCERPC inspection parameters: how long a pinhole stays open once the
! EPM has handed the client a dynamic port
policy-map type inspect dcerpc dcerpc_map
 parameters
  timeout pinhole 0:10:00
!
! Traffic to match: the Endpoint Mapper on TCP 135
class-map dcerpc
 match port tcp eq 135
!
! Attach the inspection to the existing global policy
policy-map global_policy
 class dcerpc
  inspect dcerpc dcerpc_map

Verify the above using #show run policy-map

Satheesh CCIE# 38651 R&S
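A fuller version of the configuration from the reply above, placed next to the "open the whole high-port range" approach the question mentions. This is an added example, not part of the original thread or of Cisco's documentation; the interface names (outside/inside), the ACL names and the server address 10.1.1.10 are assumed for illustration.

```text
! Assumed topology (not from the thread): RPC server 10.1.1.10 on the
! "inside" interface, clients arriving on "outside".

! Alternative 1 - what the question describes. A static hole for the
! entire ephemeral range: every high port on the server is reachable
! from outside whether or not an RPC service is listening on it.
access-list rpc_static extended permit tcp any host 10.1.1.10 eq 135
access-list rpc_static extended permit tcp any host 10.1.1.10 range 1025 65535
access-group rpc_static in interface outside

! Alternative 2 - DCERPC inspection (apply this ACL instead of the one
! above; an interface takes one inbound access-group). Only the
! Endpoint Mapper port is permitted statically. The ASA reads the port
! number the EPM returns to the client and opens a pinhole for that one
! client/server pair, which is torn down when the pinhole timer expires.
access-list rpc_inspected extended permit tcp any host 10.1.1.10 eq 135
access-group rpc_inspected in interface outside

policy-map type inspect dcerpc dcerpc_map
 parameters
  timeout pinhole 0:10:00
!
class-map dcerpc
 match port tcp eq 135
!
policy-map global_policy
 class dcerpc
  inspect dcerpc dcerpc_map
!
service-policy global_policy global

! Checks after applying:
! show running-config policy-map
! show service-policy inspect dcerpc
! show conn
```

Two things to keep in mind when relying on this. Inspection only helps for traffic that actually goes through the EPM exchange on TCP 135 across the ASA; a client that connects directly to a fixed RPC port, or RPC carried over SMB on TCP 445, never triggers a pinhole and still needs an explicit ACL entry. The pinhole timer defaults to 2 minutes if you omit the timeout line, so set it to match how long your clients hold idle RPC bindings; the show conn output will list the pinholed flows while they are open.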
