Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

DCERPC Inspection Does not Seem to work (OPC Communication)

Here is my situation: I have an OPC server (10.10.100.100/24) sitting at the secure side of the ASA Firewall 5512 (IOS: asa861-2-smp-k8.bin and ASDM Image asdm-66114.bin) and an OPC Client (192.168.100.100/24) sitting at the unsecure side (DMZ) of the firewall. The OPC client uses the MicroSoft DCOM protocol to communicate. (Note: NO OPC Server and Client Configuration issue since the communication is fine when they are in the same network). Because of that, I first allow the inbound TCP traffic (TCP Port 135) from OPC Client to OPC server to pass through the firewall using ACL "ManagementDMZ_access_in" on the DMZ interface. Then I enabled DCERPC Inspection. Based on the DCERPC Inspection result, there is 73 DCERPC packets with 0 drop. However, the ASDM Log shows the data traffic from OPC client to OPC server with dynamic TCP port was blocked by the Inbound ACL, which I think it should be allowed to pass through with DCERPC Inspection. Did I miss anything or anyone has any hit? Your help is much appreciated!

The following is the running config:

ciscoasa# show run

: Saved

:

ASA Version 8.6(1)

!

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0/0

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/1

nameif ManagementDMZ

security-level 50

ip address 192.168.100.1 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

nameif PINNetwork

security-level 100

ip address 10.10.100.1 255.255.255.0

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif Int_Management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa861-2-smp-k8.bin

ftp mode passive

object-group service DCOM tcp

port-object eq 135

access-list ManagementDMZ_access_in extended permit tcp host 192.168.100.100 host 10.10.100.100 object-group DCOM

pager lines 24

logging enable

logging asdm-buffer-size 512

logging asdm informational

mtu ManagementDMZ 1500

mtu PINNetwork 1500

mtu Int_Management 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-66114.bin

no asdm history enable

arp timeout 14400

access-group ManagementDMZ_access_in in interface ManagementDMZ

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.10 255.255.255.255 Int_Management

http 192.168.100.100 255.255.255.255 ManagementDMZ

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect icmp

  inspect dcerpc

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly 19

  subscribe-to-alert-group configuration periodic monthly 19

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:4e4615c35b81b98269c7090fe6cd364a

: end

The following are the DCERPC Inspection result:

ciscoasa# show service-policy

Global policy:

  Service-policy: global_policy

    Class-map: inspection_default

      Inspect: dns preset_dns_map, packet 0, lock fail 0, drop 0, reset-drop 0

      Inspect: ftp, packet 0, lock fail 0, drop 0, reset-drop 0

      Inspect: h323 h225 _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0

               tcp-proxy: bytes in buffer 0, bytes dropped 0

      Inspect: h323 ras _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0

      Inspect: ip-options _default_ip_options_map, packet 0, lock fail 0, drop 0, reset-drop 0

      Inspect: netbios, packet 0, lock fail 0, drop 0, reset-drop 0

      Inspect: rsh, packet 0, lock fail 0, drop 0, reset-drop 0

      Inspect: rtsp, packet 0, lock fail 0, drop 0, reset-drop 0

               tcp-proxy: bytes in buffer 0, bytes dropped 0

      Inspect: skinny , packet 0, lock fail 0, drop 0, reset-drop 0

               tcp-proxy: bytes in buffer 0, bytes dropped 0

      Inspect: esmtp _default_esmtp_map, packet 0, lock fail 0, drop 0, reset-drop 0

      Inspect: sqlnet, packet 0, lock fail 0, drop 0, reset-drop 0

      Inspect: sunrpc, packet 0, lock fail 0, drop 0, reset-drop 0

               tcp-proxy: bytes in buffer 0, bytes dropped 0

      Inspect: tftp, packet 0, lock fail 0, drop 0, reset-drop 0

      Inspect: sip , packet 0, lock fail 0, drop 0, reset-drop 0

               tcp-proxy: bytes in buffer 0, bytes dropped 0

      Inspect: xdmcp, packet 0, lock fail 0, drop 0, reset-drop 0

      Inspect: icmp, packet 8, lock fail 0, drop 0, reset-drop 0

      Inspect: dcerpc, packet 73, lock fail 0, drop 0, reset-drop 0

               tcp-proxy: bytes in buffer 0, bytes dropped 0

The following is the ASDM Log (keep recycled):

013|16:34:52|106023|192.168.100.100|1904|10.10.100.100|50037|Deny tcp src ManagementDMZ:192.168.100.100/1904 dst PINNetwork:10.10.100.100/50037 by access-group "ManagementDMZ_access_in" [0x0, 0x0]

4|Aug 07 2013|16:34:46|106023|192.168.100.100|1904|10.10.100.100|50037|Deny tcp src ManagementDMZ:192.168.100.100/1904 dst PINNetwork:10.10.100.100/50037 by access-group "ManagementDMZ_access_in" [0x0, 0x0]

4|Aug 07 2013|16:34:43|106023|192.168.100.100|1904|10.10.100.100|50037|Deny tcp src ManagementDMZ:192.168.100.100/1904 dst PINNetwork:10.10.100.100/50037 by access-group "ManagementDMZ_access_in" [0x0, 0x0]

6|Aug 07 2013|16:34:42|302013|192.168.100.100|1903|10.10.100.100|135|Built inbound TCP connection 384 for ManagementDMZ:192.168.100.100/1903 (192.168.100.100/1903) to PINNetwork:10.10.100.100/135 (10.10.100.100/135)

6|Aug 07 2013|16:34:42|302013|192.168.100.100|1902|10.10.100.100|135|Built inbound TCP connection 383 for ManagementDMZ:192.168.100.100/1902 (192.168.100.100/1902) to PINNetwork:10.10.100.100/135 (10.10.100.100/135)


The following is the DCERPC Debug:

ciscoasa# debug dcerpc error

ciscoasa# debug dcerpc event

ciscoasa# debug dcerpc packet

ciscoasa# DCERPC-PKT: bind id:1 - ManagementDMZ:192.168.100.100/1902 to PINNetwork:10.10.100.100/135.

DCERPC-EV: bind has non-epm uuid 99fcfec4-5260-101b-bbcb-00aa0021347a.

DCERPC-EV: bind with ctx_num:1

DCERPC-EV: retrieve ctx_id: 0, if-uuid: 99fcfec4

DCERPC-PKT: bind_ack id:1 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1902.

DCERPC-EV: bind_ack with ctxnum_result:1

DCERPC-EV: ctxid/result:0/0 accepted, ack_reason:0 tsyn: 8a885d04

DCERPC-PKT: request id:1 - ManagementDMZ:192.168.100.100/1902 to PINNetwork:10.10.100.100/135.

DCERPC-EV: valid_ctxid: alt:0 ctxnum:1 j:0 val:0 valid:1

DCERPC-PKT: response id:1 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1902.

DCERPC-PKT: bind id:2 - ManagementDMZ:192.168.100.100/1903 to PINNetwork:10.10.100.100/135.

DCERPC-EV: ISystemActivator UUID found

DCERPC-EV: bind with ctx_num:1

DCERPC-EV: retrieve ctx_id: 1, if-uuid: 000001a0

DCERPC-PKT: bind_ack id:2 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1903.

DCERPC-EV: bind_ack with ctxnum_result:1

DCERPC-EV: ctxid/result:1/0 accepted, ack_reason:0 tsyn: 8a885d04

DCERPC-PKT: auth id:2 - ManagementDMZ:192.168.100.100/1903 to PINNetwork:10.10.100.100/135.

DCERPC-PKT: request id:2 - ManagementDMZ:192.168.100.100/1903 to PINNetwork:10.10.100.100/135.

DCERPC-EV: valid_ctxid: alt:0 ctxnum:1 j:0 val:1 valid:1

DCERPC-PKT: request with opnum:4 call_id:2.

DCERPC-PKT: response id:2 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1903.

DCERPC-EV: prop_len 48 limited to -4

DCERPC-PKT: updated checksum and forward packet.

DCERPC-PKT: request id:3 - ManagementDMZ:192.168.100.100/1902 to PINNetwork:10.10.100.100/135.

DCERPC-EV: valid_ctxid: alt:0 ctxnum:1 j:0 val:0 valid:1

DCERPC-PKT: response id:3 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1902.

DCERPC-PKT: alter_context id:4 - ManagementDMZ:192.168.100.100/1903 to PINNetwork:10.10.100.100/135.

DCERPC-EV: alter_context has non-epm uuid 99fcfec4-5260-101b-bbcb-00aa0021347a.

DCERPC-EV: alter_context with ctx_num:1

DCERPC-EV: retrieve ctx_id: 0, if-uuid: 99fcfec4

DCERPC-PKT: alter_context_resp id:4 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1903.

DCERPC-EV: alter_context_resp with ctxnum_result:1

DCERPC-EV: ctxid/result:0/0 accepted, ack_reason:0 tsyn: 8a885d04

DCERPC-PKT: request id:4 - ManagementDMZ:192.168.100.100/1903 to PINNetwork:10.10.100.100/135.

DCERPC-EV: valid_ctxid: alt:1 ctxnum:1 j:0 val:0 valid:1

DCERPC-PKT: response id:4 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1903.

DCERPC-PKT: bind id:5 - ManagementDMZ:192.168.100.100/1913 to PINNetwork:10.10.100.100/135.

DCERPC-EV: bind has non-epm uuid 99fcfec4-5260-101b-bbcb-00aa0021347a.

DCERPC-EV: bind with ctx_num:1

DCERPC-EV: retrieve ctx_id: 0, if-uuid: 99fcfec4

DCERPC-PKT: bind_ack id:5 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1913.

DCERPC-EV: bind_ack with ctxnum_result:1

DCERPC-EV: ctxid/result:0/0 accepted, ack_reason:0 tsyn: 8a885d04

DCERPC-PKT: auth id:5 - ManagementDMZ:192.168.100.100/1913 to PINNetwork:10.10.100.100/135.

DCERPC-PKT: request id:5 - ManagementDMZ:192.168.100.100/1913 to PINNetwork:10.10.100.100/135.

DCERPC-EV: valid_ctxid: alt:0 ctxnum:1 j:0 val:0 valid:1

DCERPC-PKT: response id:5 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1913.

DCERPC-PKT: bind id:6 - ManagementDMZ:192.168.100.100/1918 to PINNetwork:10.10.100.100/135.

DCERPC-EV: bind has non-epm uuid 99fcfec4-5260-101b-bbcb-00aa0021347a.

DCERPC-EV: bind with ctx_num:1

DCERPC-EV: retrieve ctx_id: 0, if-uuid: 99fcfec4

DCERPC-PKT: bind_ack id:6 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1918.

DCERPC-EV: bind_ack with ctxnum_result:1

DCERPC-EV: ctxid/result:0/0 accepted, ack_reason:0 tsyn: 8a885d04

DCERPC-PKT: auth id:6 - ManagementDMZ:192.168.100.100/1918 to PINNetwork:10.10.100.100/135.

DCERPC-PKT: request id:6 - ManagementDMZ:192.168.100.100/1918 to PINNetwork:10.10.100.100/135.

DCERPC-EV: valid_ctxid: alt:0 ctxnum:1 j:0 val:0 valid:1

DCERPC-PKT: response id:6 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1918.

ciscoasa# DCERPC-PKT: bind id:7 - ManagementDMZ:192.168.100.100/1919 to PINNetwork:10.10.100.100/135.

DCERPC-EV: bind has non-epm uuid 99fcfec4-5260-101b-bbcb-00aa0021347a.

DCERPC-EV: bind with ctx_num:1

DCERPC-EV: retrieve ctx_id: 0, if-uuid: 99fcfec4

DCERPC-PKT: bind_ack id:7 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1919.

DCERPC-EV: bind_ack with ctxnum_result:1

DCERPC-EV: ctxid/result:0/0 accepted, ack_reason:0 tsyn: 8a885d04

DCERPC-PKT: auth id:7 - ManagementDMZ:192.168.100.100/1919 to PINNetwork:10.10.100.100/135.

DCERPC-PKT: request id:7 - ManagementDMZ:192.168.100.100/1919 to PINNetwork:10.10.100.100/135.

DCERPC-EV: valid_ctxid: alt:0 ctxnum:1 j:0 val:0 valid:1

DCERPC-PKT: response id:7 - PINNetwork:10.10.100.100/135 to ManagementDMZ:192.168.100.100/1919.

Attached is also the wireshark captured packets.

2 REPLIES
New Member

DCERPC Inspection Does not Seem to work (OPC Communication)

Any luck with this Zhongqi Li? I'm trying to do something similar now.

New Member

DCERPC Inspection Does not Seem to work (OPC Communication)

m also facing same issue... have you succeed to resolved the same???

1048
Views
0
Helpful
2
Replies