I am planning an ASA DCERPC inspect implementation to allow communications between two domain controllers that use RPC EPM (endpoint mapper) traffic.
To ensure that the two endpoints (Domain Controllers) can trust the identity of each other, we want to implement IPSEC AH on the communication between the two nodes. IPSEC AH allows us to create a secure authentication mechanism while leaving the payload unencrypted.
*) has anyone experience with using DCERPC inspects?
*) has anyone experience with, or knows if, the DCERPC inspects are supported on IPSEC AH protected traffic?
Personally, I would rather use certificates (either from an internal CA server or purchased from a registered CA vendor) for authentication, if you really want to enforce the identity of the respective peers. Furthermore, based on what I know, ESP is much more secure than AH.
Ramraj Sivagnanam Sivajanam
Technical Specialist/Service Delivery Manager – Managed Service Department
Thanks for your suggestions: I understand your remarks on ESP and the added security. However, in this setup it is not required and actually not wanted.
ESP will not give us insight into what is transmitted. ESP will encrypt the data, therefore preventing the ASA from inspecting it (and performing the pinholing). Also, using ESP encryption, the two endpoints would be allowed to route all data through the ASA without inspection.
We have a Microsoft AD domain controller on one side (less trusted) and a Microsoft AD domain controller (trusted) on the other side of the ASA. What we try to achieve is to open up the ASA for AD communications WITHOUT opening the high ports needed by the RPC protocol.
That is where the DCERPC inspects come in handy.
To further secure data comms, IPSec AH would be useful: the endpoints can validate the identity of each other (mitigation of attempts to use IP spoofing or other tricks).
At this moment I would like to know if there are people who tried this and have experience with this (inspect dcerpc with traffic using IPSEC AH) and if people have experience with standard inspect dcerpc.
Before I can test this, I would like to have some clue whether it has a chance to work. Testing is quite complex in our situation.
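As an added illustration (not configuration posted in this thread), the ASA policy sketch below shows the DCERPC inspection and the minimal access list for the setup described above; host addresses, ACL and policy-map names are placeholders. A comment at the end records why a plain TCP class-map does not match AH-encapsulated packets.

```cisco
! Added example, not from the thread. Placeholder addresses:
! 10.1.1.10 = less-trusted DC (outside), 10.2.2.10 = trusted DC (inside)
!
! 1. Permit only the endpoint mapper port; the DCERPC inspection engine
!    opens the dynamic high ports (pinholes) per negotiated RPC binding,
!    so no static high-port range is needed in the ACL.
access-list OUTSIDE_IN extended permit tcp host 10.1.1.10 host 10.2.2.10 eq 135
! AH is IP protocol 51; without this line AH packets are dropped outright.
access-list OUTSIDE_IN extended permit ah host 10.1.1.10 host 10.2.2.10
access-group OUTSIDE_IN in interface outside
!
! 2. DCERPC inspection with a bounded pinhole lifetime, so a pinhole that
!    is never used does not stay open indefinitely.
policy-map type inspect dcerpc DCERPC_PARAMS
 parameters
  timeout pinhole 0:10:00
!
class-map DCERPC_EPM
 match port tcp eq 135
!
policy-map global_policy
 class DCERPC_EPM
  inspect dcerpc DCERPC_PARAMS
service-policy global_policy global
!
! Caveat: in AH transport mode the TCP segment is carried behind the AH
! header, so the ASA sees IP protocol 51 rather than TCP/135 for transit
! traffic; the class-map above does not match and no pinholes are created.
! The inspection only sees plain TCP, e.g. when the ASA itself terminates
! the IPsec SA or when the AH peers are not separated by the ASA.
```

Check with `show service-policy inspect dcerpc` and `show conn` whether pinholes are actually being created for the EPM session before relying on the policy in production.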