DCERPC inspection

Hi Everyone,

I wonder if anyone could shed some light on this please? I have an opinion but would really appreciate any other views, please.

ASA 8.1(2)

There is an integration project underway between two entities, who have their AD servers running on different DCERPC ports. We are considering enabling inspection on the ASA that separates the two.

Site 1 - Customer has 2008 AD servers statically defined to respond with DCERPC ports between 50100 – 50400. This is reflected in the security policy to permission this range explicitly with no inspection enabled.

Site 2 - Servers rely on default DCERPC ports that are not defined explicitly but are nailed up based on the FW inspection (TCP high ports, but not sure what just yet).

So, the preference for implementation would be to:

  • Apply DCERPC inspection globally
  • Maintain the 50100 – 50400 port range on the AD servers, however not permission these explicitly on the FW and rely on inspection to permission.
  • This solution minimises the ports ranges permissioned for AD comms.

How would this affect existing traffic using port 135 (RPC data)? My opinion would be to add an inspection policy that covers the statically defined ports, as outgoing RPC calls would be dealt with by the inspection policy.

What do you guys reckon?

KR

Ali
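As an added illustration (not part of Ali's post) of what "apply DCERPC inspection globally and rely on it instead of an explicit 50100-50400 rule" looks like on an ASA, the fragment below adds `inspect dcerpc` to the default global policy and permits only the endpoint mapper (TCP/135) toward the site 1 domain controllers; the inspection then opens pinholes for whatever port the server hands back in the EPM reply, which is how the static range on the servers is reached without being listed in the ACL. The interface name, subnets and host address are constructed placeholders.

```cisco
! Constructed example: site 2 clients (10.2.0.0/16) reaching a site 1 DC (10.1.0.10)
! Only the endpoint mapper is permitted explicitly; the 50100-50400 range is not.
access-list site2_in extended permit tcp 10.2.0.0 255.255.0.0 host 10.1.0.10 eq 135
access-group site2_in in interface site2

! Optional DCERPC inspection parameters: how long a negotiated pinhole stays open
policy-map type inspect dcerpc dcerpc_map
 parameters
  timeout pinhole 0:10:00

! Add DCERPC inspection to the default global service policy
policy-map global_policy
 class inspection_default
  inspect dcerpc dcerpc_map

service-policy global_policy global
```

The check to run after enabling it is `show conn` from a site 2 client while it talks to the DC: the EPM-negotiated connection to a 50100-50400 port should appear even though no ACL line permits that range, and if a service is reached without an EPM lookup on 135 it will still need its own explicit rule.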
