

ASA inspects using IPsec AH


I am planning an ASA DCERPC inspect implementation to allow communication between two domain controllers that use RPC EPM (endpoint mapper) traffic.

To ensure that the two endpoints (domain controllers) can trust each other's identity, we want to implement IPsec AH on the communication between the two nodes. IPsec AH allows us to create a secure authentication mechanism while leaving the payload unencrypted.

My questions:

*) Does anyone have experience using DCERPC inspects?

*) Does anyone have experience with, or know whether, DCERPC inspects are supported on IPsec AH-protected traffic?


Bas Kokken


Re: ASA inspects using IPsec AH

Hi Bro

Personally, I have never done this before, but your requirement doesn’t seem all that complicated after all. Have you tried the sample config shown below?


! ACL matching IP protocol 51 (AH); the host addresses were not given in the post
access-list ACL_TEST extended permit ah interface outside host
access-list ACL_TEST extended permit ah interface host outside
!
! DCERPC inspection policy; timeout values belong under "parameters"
policy-map type inspect dcerpc PMI_TEST
 parameters
  timeout pinhole 0:10:00
!
class-map CM_TEST
 match access-list ACL_TEST
!
policy-map PM_TEST
 class CM_TEST
  inspect dcerpc PMI_TEST
!
service-policy PM_TEST interface outside


Personally, I would rather use certificates (either from an internal CA server or purchased from a registered CA vendor) for authentication, if you really want to enforce the identity of the respective peers. Furthermore, based on what I know, ESP is much more secure than AH.

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department

ASA inspects using IPsec AH

Hi Ramraj,

Thanks for your suggestions. I understand your remarks on ESP and the added security. However, in this setup it is not required and actually not wanted.

ESP will not give us insight into what is transmitted. ESP encrypts the data, which prevents the ASA from inspecting it (and performing the pinholing). Also, with ESP encryption the two endpoints would be able to route all data through the ASA without inspection.

We have a Microsoft AD domain controller on one side (less trusted) and a Microsoft AD domain controller (trusted) on the other side of the ASA. What we are trying to do is open up the ASA for AD communications WITHOUT having to open the high ports needed for the RPC protocol.

That is where the DCERPC inspects come in handy.

To further secure the data communication, IPsec AH would be useful: the endpoints can validate each other's identity (mitigating attempts to use IP spoofing or other tricks).

At this moment I would like to know whether there are people who have tried this and have experience with it (inspect dcerpc with traffic using IPsec AH), and whether people have experience with standard inspect dcerpc.

Before I can test this, I would like to have some indication of whether it has a chance of working. Testing is quite complex in our situation.
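The packet layout behind this exchange, as an added example that is not part of the thread and not Cisco's or Microsoft's code: a transport-mode IPv4 AH packet wrapped around a TCP segment to port 135 (the endpoint-mapper port), dissected the way a firewall ACL or inspection engine has to look at it, with the AH integrity check (RFC 4302, HMAC-SHA1-96 as in RFC 2404) recomputed after a router hop, a NAT rewrite and a payload edit. The addresses, SPI, key and DCERPC payload bytes are constructed for the example.

```python
"""Added example: build, dissect and verify an IPv4 transport-mode AH packet
carrying TCP/135. Addresses, SPI, key and payload are constructed."""
import hashlib
import hmac
import struct

AH_PROTO = 51
TCP_PROTO = 6
ICV_LEN = 12  # HMAC-SHA1-96: 20-byte HMAC truncated to 96 bits
KEY = b"constructed-example-key-do-not-reuse"  # constructed, not a real SA key


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum over 16-bit words (IP header checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      ttl, proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def tcp_segment(sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header (PSH/ACK). The TCP checksum is left at zero;
    only the AH ICV matters for this demonstration."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload


def ah_icv(ip_hdr: bytes, ah_no_icv: bytes, payload: bytes) -> bytes:
    """RFC 4302 3.3.3.1: ICV over the IP header with mutable fields zeroed
    (TOS, flags/fragment offset, TTL, checksum), the AH header with the ICV
    zeroed, and everything after it. Addresses are immutable, so authenticated."""
    ip = bytearray(ip_hdr)
    ip[1] = 0                # DSCP/ECN
    ip[6:8] = b"\x00\x00"    # flags + fragment offset
    ip[8] = 0                # TTL
    ip[10:12] = b"\x00\x00"  # header checksum
    data = bytes(ip) + ah_no_icv + b"\x00" * ICV_LEN + payload
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(src: str, dst: str, spi: int, seq: int, inner: bytes) -> bytes:
    ah_len = 12 + ICV_LEN          # next hdr, len, reserved, SPI, seq, ICV = 24 bytes
    payload_len = ah_len // 4 - 2  # AH "Payload Len" is in 32-bit words minus 2
    ah_no_icv = struct.pack("!BBHII", TCP_PROTO, payload_len, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + ah_len + len(inner))
    return ip_hdr + ah_no_icv + ah_icv(ip_hdr, ah_no_icv, inner) + inner


def dissect(packet: bytes) -> dict:
    """What an ACL or inspection engine has to look at: the outer protocol is
    51 (AH); the TCP ports only appear after skipping the AH header."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    info = {"outer_proto": proto}
    off = ihl
    if proto == AH_PROTO:
        next_hdr, payload_len = packet[off], packet[off + 1]
        spi, seq = struct.unpack("!II", packet[off + 4:off + 12])
        info.update(next_header=next_hdr, spi=spi, seq=seq)
        off += (payload_len + 2) * 4
        proto = next_hdr
    if proto == TCP_PROTO:
        sport, dport = struct.unpack("!HH", packet[off:off + 4])
        info.update(tcp_sport=sport, tcp_dport=dport)
    return info


def verify_ah(packet: bytes) -> bool:
    """Receiving peer: recompute the ICV and compare in constant time."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != AH_PROTO:
        return False
    ah_len = (packet[ihl + 1] + 2) * 4
    ah_no_icv = packet[ihl:ihl + 12]
    icv = packet[ihl + 12:ihl + ah_len]
    return hmac.compare_digest(icv, ah_icv(packet[:ihl], ah_no_icv, packet[ihl + ah_len:]))


def rewrite_ip_header(packet: bytes, ttl=None, src=None) -> bytes:
    """Simulate an in-path device: a router hop (TTL) or a NAT (source address)."""
    hdr = bytearray(packet[:20])
    if ttl is not None:
        hdr[8] = ttl
    if src is not None:
        hdr[12:16] = ip_bytes(src)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]


def demo() -> dict:
    # Constructed: the less trusted DC binds to the trusted DC's endpoint mapper.
    inner = tcp_segment(49152, 135, b"\x05\x00\x0b\x03")  # DCERPC bind prefix, constructed
    pkt = build_ah_packet("10.1.1.10", "10.2.2.20", spi=0x1001, seq=1, inner=inner)
    return {
        "seen": dissect(pkt),
        "original_ok": verify_ah(pkt),
        "after_ttl_hop_ok": verify_ah(rewrite_ip_header(pkt, ttl=63)),
        "after_nat_ok": verify_ah(rewrite_ip_header(pkt, src="192.0.2.1")),
        "after_payload_edit_ok": verify_ah(pkt[:-1] + b"\xff"),
    }
```

Calling demo() shows the two properties the thread turns on. The outer header carries protocol 51, not TCP, so an ACL written for `ah` matches it while a plain TCP/135 match does not; the TCP header and the DCERPC payload sit readable behind a 24-byte AH header, which is what leaves inspection possible in principle. At the same time the ICV binds the source and destination addresses and the whole payload: a TTL decrement on the way still verifies, but a NAT of the source address or a single changed payload byte fails verification at the peer, so any device in the path that rewrites those fields will be caught by the endpoints.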


