How to permit only OPC protocol traffic through CISCO ASA 5505

PelekhovIS
Level 1

Hello, I have trouble with the OPC protocol on a Cisco ASA 5505. I'd like to ask for help: we need to pass only OPC protocol traffic (based on DCOM and MS RPC) through the ASA 5505 K8. Do you have any solutions?

I will be grateful for help.


7 Replies

Murali
Level 1

Hi PelekhovIS,

Could you please explain your problem in detail: what issue exactly are you facing with the ASA, so that we can guide you?

Hi murali438,

We have an OPC server machine, then the ASA 5505, then an OPC client machine. Our security department insists on permitting only OPC traffic between the OPC server and the OPC client.

The OPC protocol uses the dynamic Windows port range (WinXP 1025-5000, Vista+ 49192-65535) and port 135 as the endpoint mapper. It means that after the connection to the server on port 135, the endpoint mapper (at the server) chooses a random port for the OPC communication inside the dynamic range, and then the server and client communicate via that random port. Our security department forbids simply opening these dynamic ranges on the ASA 5505 because it's a big security hole. Configuring the server machine to limit the dynamic range does not work correctly. Is there a way or a built-in inspection (I heard about DCERPC, is that a solution?) to permit only OPC traffic?

According to my knowledge the Cisco ASA can only inspect the applications below (I don't know about the latest model, but this is on 8.4). DCERPC might be the perfect solution for you, but the catch is:

"DCERPC inspection only supports communication between an EPM server and clients to open pinholes through the ASA. Clients using RPC communication that does not use an EPM server is not supported with DCERPC inspection"

And I'm afraid we can't create an inspection policy for custom applications.

ASA1(config-pmap-c)# inspect ?

mpf-policy-map-class mode commands/options:
  ctiqbe
  dcerpc
  dns
  esmtp
  ftp
  gtp
  h323
  http
  icmp
  ils
  im
  ip-options
  ipsec-pass-thru
  ipv6
  mgcp
  mmp
  netbios
  pptp
  rsh
  rtsp
  sip
  skinny
  snmp
  sqlnet
  sunrpc
  tftp
  waas
  xdmcp

This is how it works (excerpts from the link mentioned at the bottom):

Step 1 A client queries an EPM server for the dynamically-allocated port number of a required DCERPC service. The EPM server listens on the well-known TCP port 135.

Step 2 The ASA, located between the client and EPM server, intercepts the communication.

Step 3 The EPM server indicates the port number on which the DCERPC service is available.

Step 4 The ASA opens a pinhole for that DCERPC service.

Step 5 Using that pinhole, the client attempts to connect to the DCERPC service on the indicated port.

Step 6 The ASA detects that the connection is permitted and creates a secondary connection to the server instance providing the DCERPC service. When creating the secondary connection, the ASA applies NAT if necessary.

You might already have it, but in case:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/inspect_mgmt.html
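The DCERPC inspection described in the steps above, written out as an ASA 8.4-style Modular Policy Framework configuration. This is an added example, not configuration from the original thread or from the Cisco documentation; the addresses (OPC server 10.1.1.10 behind the inside interface, OPC client 192.168.100.20 on the outside interface), the interface names and the class and policy names DCERPC_EPM and DCERPC_OPC are assumptions. The only inbound flow permitted statically is TCP/135 to the server; the connection to the dynamically assigned OPC port is opened by the inspector as a pinhole once it has seen the endpoint mapper's answer, so the dynamic range itself is never in the access list.

```cisco
! Added example configuration (not from the original thread).
! Assumed addressing:
!   OPC server  10.1.1.10      behind the inside interface  (security-level 100)
!   OPC client  192.168.100.20 on the outside interface     (security-level 0)

! Inbound ACL: only the endpoint-mapper connection is opened statically.
! Deliberately no entry for the dynamic port range; the DCERPC inspector
! opens those ports on demand, one pinhole per negotiated endpoint.
access-list OUTSIDE_IN extended permit tcp host 192.168.100.20 host 10.1.1.10 eq 135
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! Traffic class: the EPM exchange the inspector has to see (TCP 135).
class-map DCERPC_EPM
 match port tcp eq 135

! Inspection parameters: how long an unused pinhole stays open before it is
! torn down again (the default is 2 minutes).
policy-map type inspect dcerpc DCERPC_OPC
 parameters
  timeout pinhole 0:10:00

! Attach the inspector to the global policy so it acts on both interfaces.
policy-map global_policy
 class DCERPC_EPM
  inspect dcerpc DCERPC_OPC

service-policy global_policy global
```

Confirm with `show service-policy inspect dcerpc` that the class is being hit and pinholes are being created, and with `show conn` that the secondary connection to the dynamic port appears after the client's ept_map request. Two caveats for OPC in particular: the inspector only helps for endpoints the client resolves through the EPM, as the quoted restriction says, and OPC DA asynchronous callbacks are DCOM calls the server makes back to the client, so TCP/135 from server to client has to be reachable and inspected as well; in the configuration above that direction is allowed by the inside-to-outside default and covered because the policy is applied globally.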

Thanks a lot for your help.

You're welcome!

Please mark the posts as correct / rate if it helped or solved your problem.

Thanks

Murali

Hi, were you able to establish OPC DA, HDA, A&E with DCE RPC inspection?

Hi

You might want to look at OPC Tunnellers. They are useful for getting around firewall issues.

Thanks

John

**Please rate posts you find helpful**