Cisco Support Community
Bronze

ASA DCERPC inspection not working properly

Hi there,

I'm attempting to configure DCERPC inspection on an ASA5510 and I'm running into problems. My goal is to allow connections from a host on a DMZ interface to a host on the inside interface.

I first added an ACL entry on the DMZ interface to allow connections from Host A to Host B on TCP/135.

I then added the following class-map/policy-map/service-policy commands (copied almost verbatim from http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1725357):

class-map dcerpc
     match port tcp eq 135
policy-map type inspect dcerpc dcerpc_map
     parameters
          endpoint-mapper lookup-operation
          timeout pinhole 0:05:00
policy-map global_policy
     class inspection_default
          inspect dcerpc dcerpc_map

It appears that the initial connection works, but I still see errors in the log about traffic being denied from Host A to Host B on TCP ports >1024.

Can anyone help me figure out what I'm doing wrong? I've tried changing the policy-map to not use the endpoint mapper, but that had no effect.

Thanks in advance,

Brandon
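As an added illustration that is not part of the thread, the following Python script triages the symptom described above from ASA syslog: a TCP/135 endpoint-mapper connection from the DMZ host to the inside host is built, and the follow-on connections to high ports (which DCERPC inspection should have pinholed) are denied. The syslog lines are constructed samples; the host addresses, interface names and access-group name are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not taken from the thread): one allowed
# TCP/135 endpoint-mapper connection, two denies on the dynamic ports that
# should have been pinholed, and one unrelated deny that must be ignored.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 1201 for dmz:10.10.10.5/50211 (10.10.10.5/50211) to inside:192.168.1.20/135 (192.168.1.20/135)
%ASA-4-106023: Deny tcp src dmz:10.10.10.5/50212 dst inside:192.168.1.20/49157 by access-group "dmz_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src dmz:10.10.10.5/50213 dst inside:192.168.1.20/49158 by access-group "dmz_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src dmz:10.10.10.7/40001 dst inside:192.168.1.30/443 by access-group "dmz_access_in" [0x0, 0x0]
"""

# Connection-built message (302013): capture source host, destination host and port.
BUILT = re.compile(r"%ASA-6-302013: Built inbound TCP connection \d+ for "
                   r"\w+:(?P<src>[\d.]+)/\d+ \S+ to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")
# ACL deny message (106023): capture the same fields.
DENY = re.compile(r"%ASA-4-106023: Deny tcp src \w+:(?P<src>[\d.]+)/\d+ "
                  r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")

def find_pinhole_failures(log_text, epm_port=135, ephemeral_min=1024):
    """Return {(src, dst): [denied high ports]} for host pairs whose TCP/135
    connection was built but whose later high-port connections were denied,
    i.e. the pattern seen when DCERPC inspection does not open pinholes."""
    epm_pairs = set()
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m and int(m.group("dport")) == epm_port:
            epm_pairs.add((m.group("src"), m.group("dst")))
            continue
        m = DENY.search(line)
        if m:
            pair = (m.group("src"), m.group("dst"))
            port = int(m.group("dport"))
            # Only denies on ephemeral ports between hosts that already
            # completed the endpoint-mapper exchange count as failures.
            if pair in epm_pairs and port > ephemeral_min:
                failures[pair].append(port)
    return dict(failures)

if __name__ == "__main__":
    for (src, dst), ports in find_pinhole_failures(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: EPM reached, but denied on {ports}; "
              "verify the inspect policy with 'show service-policy'")
```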

4 REPLIES
Cisco Employee

Re: ASA DCERPC inspection not working properly

To start with the obvious: did you apply the policy ?

i.e. do you have:

service-policy global_policy global

or something similar (e.g. you can apply it to the DMZ interface instead of using it globally)?

If yes, can you check:

show service-policy

sh asp table classify domain inspect-dcerpc

hth

Herbert

Bronze

Re: ASA DCERPC inspection not working properly

Hi Herbert,

Thanks for the reply. Yes -- I do have the policy applied. I had the default inspection policy applied prior to configuring this and I simply wanted to add DCERPC inspection.

Community Member

Re: ASA DCERPC inspection not working properly

Did you ever resolve this issue? I'm getting the same thing.

Cisco Employee

Re: ASA DCERPC inspection not working properly

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk97787

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk97762

Please take a look at both of the defects. The first one is documentation only. The second one is an enhancement defect which is not resolved yet.

What do you see in "debug dcerpc event/packet/error"?

-KS
