Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
899
Views
0
Helpful
2
Replies

ASA inspects using IPsec AH

baskokken
Level 1
Level 1

‎08-31-2012 02:02 AM - edited ‎03-11-2019 04:48 PM

Hello,

I am planning ASA DCERPC inspect implementation to allow communications between two domain controllers that use RPC EPM (endpoint mapper) traffic.

To ensure that the two endpoints (Dom Controllers) can trust the identity of each other, we want to implement IPSEC AH on the communication between the two nodes. IPSEC AH allows us to create a secure authentication mechanism while leaving the payload un-encrypted.

My questions:

*) has anyone experience with using DCERPC inspects?

*) has anyone experience with of knows if the DCERPC inspects are supported on IPSEC AH protected traffic?

Thanks,

Bas Kokken

Labels:
0 Helpful
2 Replies 2

Ramraj Sivagnanam Sivajanam
Level 4
Level 4

‎09-01-2012 08:50 AM

Hi Bro

Personally, I have never done this before, but your requirement doesn’t seem all that complicated after all. Have you tried the sample config shown below?

!

policy-map type inspect dcerpc PMI_TEST

parameters

  timeout pinhole 0:10:00

!

class-map CM_TEST

match access-list ACL_TEST

!

policy-map PM_TEST

class CM_TEST

  inspect dcerpc PMI_TEST

!

service-policy PM_TEST interface outside

!

access-list ACL_TEST permit ah interface outside host 202.118.10.17

access-list ACL_TEST permit ah interface host 202.118.10.17 outside

!

Personally, I would rather use certificate (either from an internal CA server or purchased from a registered CA vendor) for authentication, if you really want to enforce the identity of the respective peers. Furthermore, based on what I know, ESP is much more secured than AH.

Warm regards,
Ramraj Sivagnanam Sivajanam
0 Helpful

baskokken
Level 1
Level 1
In response to Ramraj Sivagnanam Sivajanam

‎09-05-2012 05:44 AM

Hi Ramraj,

Thanks for your suggestions: I understand your remarks on the ESP and the added security. However in the setup it is not required and actually not wanted.

ESP will not give us insight in what is transmitted. ESP will encrypt the data therefore invalidating the ASA to inspect (and perform the pinholing). Also using ESP encryption the two endpoints would be allowed to route all data through the ASA without inspection.

We have a Microsoft AD domain controller on one side (less trusted) and a Micirosoft AD domain controller (trusted) on the other side of the ASA. What we try to perform is to open up the ASA for AD communications WITHOUT the necessary open high-ports for the RPC protocol.

That is where the DCERPC inspects come in handy.

To further secure data comms, IPSec AH would be useful: the endpoints can validate the identity of each other (mitigation of attempt to use IP spoofing or other tricks ).

At this moment I would like to know if there are people who tried this and have experience with this (inspect dcerpe with traffic using IPSEC AH) and if people have experience with standard inspect dcerpc.

Before I can test this, I would like to have some clue whether it has a chance to work. Testing is quite complex in our situation.

Thanks,

Bas

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card