Community Member

Firewalling Microsoft DCOM

Hi,

We are running Cisco ASA 2220 version 8.4(3).

In previous attempts we have been unable to firewall Microsoft DCOM communications and generally any Microsoft RPC comms although the last time we attempted we were running an older model of Cisco ASA.

Is it possible to use a policy map to correctly open the pinholes for Microsoft RPC communications? If so what version of IOS is required and would anyone have a configuration example?

Has anyone had success with this?

Many thanks in advance.

4 REPLIES
Bronze

Firewalling Microsoft DCOM

MS RPC has been supported for years with constant improvements and updates.

See here e.g. the 9.1 overview:

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/inspect_mgmt.html#wp1478733

Bronze

Re: Firewalling Microsoft DCOM

Addendum: Yes, I used it a couple of times with different requirements; one time I remember I had to update the ASA to whatever version was needed to support DCERPC without endpoint mapper (was some OWA front end on a DMZ talking to an Exchange on the inside).

Community Member

Firewalling Microsoft DCOM

Hi,

So I set up a lab for testing... specifically a client-server application called Microsoft Data Protection Manager (backup application) which makes use of DCOM for agent communications.

The lab consists of Cisco ASA with inside (security-level 100) and outside interface (security-level 0) and a DCOM client and server on each side of the firewall.

Interestingly when I use the dcerpc policy map and test using a simple dcom test application from Microsoft it is successful and correctly opens up the pinholes for DCOM.

As soon as I try to use Microsoft DPM, the communications fail, but I don't see any denied traffic, so it must be hitting the rule but failing. I just wonder if some of the inbound traffic is not being inspected and is being dropped rather than denied.

Any ideas how to troubleshoot further?

Community Member

Re: Firewalling Microsoft DCOM

Just an update, I have another tool provided by Microsoft for testing dcerpc tcp 135 called portqry.

When I run this tool on the server located on the outside interface I get the following:

Deny TCP (no connection) from 192.168.254.10/50341 to 192.168.253.11/135 flags PSH ACK on interface outside

When I run this tool on the client located on the inside interface I get the following:

tcp flow from inside:192.168.253.11/58151 to outside:192.168.254.10/135 terminated by inspection engine, reason - proxy inspector disconnected, dropped packet.

Deny TCP (no connection) from 192.168.253.11/58173 to 192.168.254.10/135 flags PSH ACK on interface inside.

Any ideas?
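For reference, here is an ASA DCERPC inspection configuration for the lab described in this thread (inside server 192.168.253.11, outside client 192.168.254.10, interfaces "inside" and "outside" as in the log lines above). It is an added example, not a configuration posted by anyone in the thread or taken from Cisco's documentation; the ACL, class-map and policy-map names are assumed.

```cisco
! Added example: DCERPC inspection on an ASA, based on the lab in this thread.
! Assumed names: OUTSIDE_IN, DCERPC_PARAMS, DCERPC_EPM. Addresses/interfaces come
! from the syslog lines quoted above (server 192.168.253.11 inside, client 192.168.254.10 outside).
!
! 1. Only the endpoint mapper port (tcp/135) is permitted statically. The dynamic
!    ports that the EPM reply hands to the client are opened as inspection pinholes,
!    so they must NOT be permitted by ACL; that is the whole point of the inspection.
access-list OUTSIDE_IN extended permit tcp host 192.168.254.10 host 192.168.253.11 eq 135
access-group OUTSIDE_IN in interface outside
!
! 2. Inspection parameters: how long a pinhole stays open after the EPM reply
!    (default is 2 minutes; a client that connects later than that is denied).
policy-map type inspect dcerpc DCERPC_PARAMS
 parameters
  timeout pinhole 0:10:00
! Optional hardening: reject binds to anything other than the EPM service on tcp/135.
! Leave it off while troubleshooting an application that is already failing, so the
! inspection itself is not the reason for the failure.
! endpoint-mapper epm-service-only
!
! 3. Classify EPM traffic and attach the inspection to the default global policy.
class-map DCERPC_EPM
 match port tcp eq 135
policy-map global_policy
 class DCERPC_EPM
  inspect dcerpc DCERPC_PARAMS
service-policy global_policy global
!
! 4. Verification while reproducing the failure (exec commands, not configuration):
!    show service-policy inspect dcerpc   -> per-class packet counters for the inspection
!    show conn                            -> connections seen on both interfaces
!    show asp drop                        -> drop-reason counters behind messages such as
!                                            "Deny TCP (no connection)" that appear in syslog
```

Only tcp/135 is reachable through the ACL; if the application also needs a fixed port outside the EPM exchange, the ASA cannot learn it from the inspection, and that port has to be permitted explicitly.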
