Cisco Support Community

ASA inspects using IPsec AH

Hello,

I am planning an ASA DCERPC inspect implementation to allow communication between two domain controllers that use RPC EPM (endpoint mapper) traffic.

To ensure that the two endpoints (Dom Controllers) can trust the identity of each other, we want to implement IPsec AH on the communication between the two nodes. IPsec AH allows us to create a secure authentication mechanism while leaving the payload unencrypted.

My questions:

*) Has anyone experience with using DCERPC inspects?

*) Has anyone experience with, or knows if, the DCERPC inspects are supported on IPsec AH protected traffic?

Thanks,

Bas Kokken


Re: ASA inspects using IPsec AH

Hi Bro

Personally, I have never done this before, but your requirement doesn’t seem all that complicated after all. Have you tried the sample config shown below?

!
! DCERPC inspection policy: pinholes for the dynamic RPC ports learned from
! the endpoint mapper close after 10 minutes of inactivity
policy-map type inspect dcerpc PMI_TEST
 parameters
  timeout pinhole 0:10:00
!
! The ACL must exist before the class-map references it
access-list ACL_TEST extended permit ah interface outside host 202.118.10.17
access-list ACL_TEST extended permit ah host 202.118.10.17 interface outside
!
class-map CM_TEST
 match access-list ACL_TEST
!
policy-map PM_TEST
 class CM_TEST
  inspect dcerpc PMI_TEST
!
service-policy PM_TEST interface outside
!

Personally, I would rather use certificates (either from an internal CA server or purchased from a registered CA vendor) for authentication, if you really want to enforce the identity of the respective peers. Furthermore, based on what I know, ESP is much more secure than AH.

Warm regards,
Ramraj Sivagnanam Sivajanam
Technical Specialist/Service Delivery Manager – Managed Service Department

ASA inspects using IPsec AH

Hi Ramraj,

Thanks for your suggestions: I understand your remarks on ESP and the added security. However, in this setup it is not required and actually not wanted.

ESP will not give us insight into what is transmitted. ESP will encrypt the data, therefore preventing the ASA from inspecting it (and performing the pinholing). Also, using ESP encryption, the two endpoints would be able to route all data through the ASA without inspection.

We have a Microsoft AD domain controller on one side (less trusted) and a Microsoft AD domain controller (trusted) on the other side of the ASA. What we try to achieve is to open up the ASA for AD communications WITHOUT opening the necessary high ports for the RPC protocol.

That is where the DCERPC inspects come in handy.

To further secure data comms, IPsec AH would be useful: the endpoints can validate the identity of each other (mitigating attempts to use IP spoofing or other tricks).

At this moment I would like to know if there are people who tried this and have experience with it (inspect dcerpc with traffic using IPsec AH), and if people have experience with standard inspect dcerpc.

Before I can test this, I would like to have some clue whether it has a chance to work. Testing is quite complex in our situation.

Thanks,

Bas
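The packet layout behind the two posts above, as an added example that is not part of the thread and not Cisco code: it builds a transport-mode IPsec AH packet (RFC 4302, HMAC-SHA1-96) carrying a TCP/135 endpoint-mapper request between two domain controllers, then shows what an in-path device without the security association can see (the transport header and port in the clear, which is what AH leaves inspectable and ESP does not) and what the receiving endpoint can verify (the ICV, which survives a TTL decrement but fails on a spoofed source or a NAT-rewritten destination). The key, addresses, SPI and the EPM payload bytes are constructed test values, and inspect_packet, build_ah_packet and rewrite_ip are names chosen here, not ASA or Windows functions; the code says nothing about whether the ASA's own dcerpc engine walks past an AH header, which remains the open question of the thread.

```python
import hashlib
import hmac
import struct

AH_PROTO, ESP_PROTO, TCP_PROTO = 51, 50, 6
ICV_LEN = 12        # HMAC-SHA1-96: the 20-byte SHA-1 HMAC truncated to 96 bits
AH_FIXED_LEN = 12   # next header, payload len, reserved, SPI, sequence number

# Constructed test values: not a real SA key, not real addresses.
KEY = b"constructed-demo-key-not-a-real-sa"
DC_LESS_TRUSTED = bytes([10, 2, 2, 20])
DC_TRUSTED = bytes([10, 1, 1, 10])

def ip_checksum(data):
    """One's-complement checksum over the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, total_len, ttl=64):
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len,
                                0x1234, 0x4000, ttl, proto, 0, src, dst))
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr)

def tcp_header(sport, dport):
    """Minimal SYN header; the TCP checksum is left zero, it plays no part here."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)

def ah_icv_input(ip_hdr, ah_fixed, payload):
    """Bytes the ICV covers (RFC 4302 3.3.3.1): IP header with its mutable
    fields zeroed, AH header with a zeroed ICV field, then the whole payload."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # DSCP/ECN
    h[6:8] = b"\0\0"         # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\0\0"       # header checksum
    return bytes(h) + ah_fixed + b"\0" * ICV_LEN + payload

def build_ah_packet(key, src, dst, spi, seq, inner_proto, payload, ttl=64):
    """Transport-mode AH: IP(proto 51) | AH | original transport header + data."""
    ah_len = AH_FIXED_LEN + ICV_LEN
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + ah_len + len(payload), ttl)
    # "payload len" is the AH length in 32-bit words minus 2
    ah_fixed = struct.pack("!BBHII", inner_proto, ah_len // 4 - 2, 0, spi, seq)
    icv = hmac.new(key, ah_icv_input(ip_hdr, ah_fixed, payload), hashlib.sha1).digest()[:ICV_LEN]
    return ip_hdr + ah_fixed + icv + payload

def rewrite_ip(packet, ttl=None, src=None, dst=None):
    """What a router hop (TTL) or a NAT / spoofing host (addresses) changes."""
    p = bytearray(packet)
    if ttl is not None:
        p[8] = ttl
    if src is not None:
        p[12:16] = src
    if dst is not None:
        p[16:20] = dst
    p[10:12] = b"\0\0"
    p[10:12] = struct.pack("!H", ip_checksum(bytes(p[:20])))
    return bytes(p)

def inspect_packet(packet, key=None):
    """Without a key this is the in-path firewall's view (it holds no SA); with
    the SA key it is the receiving domain controller's check of the ICV."""
    ihl = (packet[0] & 0x0F) * 4
    view = {"outer_proto": packet[9]}
    if view["outer_proto"] == ESP_PROTO:
        view["spi"], view["seq"] = struct.unpack("!II", packet[ihl:ihl + 8])
        return view                      # rest is ciphertext: no port, no EPM to inspect
    if view["outer_proto"] != AH_PROTO:
        return view
    ah = packet[ihl:]
    ah_len = (ah[1] + 2) * 4
    view["next_header"] = ah[0]
    view["spi"], view["seq"] = struct.unpack("!II", ah[4:12])
    inner = ah[ah_len:]
    if view["next_header"] == TCP_PROTO:
        view["tcp_sport"], view["tcp_dport"] = struct.unpack("!HH", inner[:4])
    if key is not None:
        expected = hmac.new(key, ah_icv_input(packet[:ihl], ah[:AH_FIXED_LEN], inner),
                            hashlib.sha1).digest()[:ICV_LEN]
        view["icv_ok"] = hmac.compare_digest(ah[AH_FIXED_LEN:ah_len], expected)
    return view

def demo():
    """EPM request (TCP/135) from the less-trusted DC to the trusted DC, under AH."""
    epm = tcp_header(49152, 135) + b"(constructed RPC EPM request bytes)"
    pkt = build_ah_packet(KEY, DC_LESS_TRUSTED, DC_TRUSTED, 0x1001, 1, TCP_PROTO, epm)
    return {
        "firewall": inspect_packet(pkt),                                     # sees TCP/135, cannot verify
        "receiver": inspect_packet(pkt, KEY),                                # ICV verifies
        "after_hop": inspect_packet(rewrite_ip(pkt, ttl=63), KEY),           # TTL is mutable: still OK
        "spoofed": inspect_packet(rewrite_ip(pkt, src=bytes([10, 9, 9, 9])), KEY),    # forged source fails
        "natted": inspect_packet(rewrite_ip(pkt, dst=bytes([192, 168, 0, 5])), KEY),  # NAT rewrite fails
    }

if __name__ == "__main__":
    for name, view in demo().items():
        print(name, view)
```

Two practical consequences follow from the layout alone. First, on the wire the outer IP protocol is 51, not TCP, so a firewall class that matches `tcp ... eq 135` never sees this traffic; any inspection has to start at the AH header and follow its Next Header field to reach the TCP port, which is why the posted ACL matches `ah`. Second, because the ICV covers the source and destination addresses, AH between the two domain controllers only works if the ASA does not NAT that traffic; a rewritten address fails the receiver's check exactly as a spoofed one does.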
