11-13-2014 12:31 AM - edited 03-11-2019 10:04 PM
Hello, I have trouble with the OPC protocol on a Cisco ASA 5505. I'd like to ask for help: we need to allow only the OPC protocol (based on DCOM and MS RPC) through the ASA 5505 K8. Do you have any solutions?
I will be grateful for help.
11-13-2014 05:07 AM
Hi PelekhovlS,
Could you please explain your problem in detail: what issue exactly are you facing with the ASA, so that we can guide you?
11-13-2014 05:05 PM
Hi murali438,
We have an OPC server machine, then the ASA 5505, then an OPC client machine. Our security department insists on permitting only OPC traffic between the OPC server and the OPC client.
The OPC protocol uses a dynamic Windows port range (WinXP 1025-5000, Vista+ 49192-65535) and port 135 as the endpoint mapper. It means that after the client connects to port 135 on the server, the endpoint mapper (at the server) chooses a random port for OPC communication inside the dynamic range, and then server and client communicate via that random port. Our security department forbids simply opening this dynamic range on the ASA 5505 because it's a big security hole. Configuring the server machine to limit the dynamic range does not work correctly. Is there a way or a built-in inspection (I heard about DCERPC, is that a solution?) to permit only OPC traffic?
11-13-2014 07:39 PM
According to my knowledge, Cisco ASA can only inspect the applications below (I don't know about the latest model, but this is on 8.4). DCERPC might be the perfect solution for you, but the catch is:
"DCERPC inspection only supports communication between an EPM server and clients to open pinholes through the ASA. Clients using RPC communication that does not use an EPM server is not supported with DCERPC inspection"
And I'm afraid we can't create an inspection policy for custom applications.
ASA1(config-pmap-c)# inspect ?
mpf-policy-map-class mode commands/options:
ctiqbe
dcerpc
dns
esmtp
ftp
gtp
h323
http
icmp
ils
im
ip-options
ipsec-pass-thru
ipv6
mgcp
mmp
netbios
pptp
rsh
rtsp
sip
skinny
snmp
sqlnet
sunrpc
tftp
waas
xdmcp
This is how it works (excerpts from the link mentioned at the bottom):
Step 1 A client queries an EPM server for the dynamically-allocated port number of a required DCERPC service. The EPM server listens on the well-known TCP port 135.
Step 2 The ASA, located between the client and EPM server, intercepts the communication.
Step 3 The EPM server indicates the port number on which the DCERPC service is available.
Step 4 The ASA opens a pinhole for that DCERPC service.
Step 5 Using that pinhole, the client attempts to connect to the DCERPC service on the indicated port.
Step 6 The ASA detects that the connection is permitted and creates a secondary connection to the server instance providing the DCERPC service. When creating the secondary connection, the ASA applies NAT if necessary.
You might already have it, but in case:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/inspect_mgmt.html
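As an added example (not from this thread or from Cisco's documentation), this is the MPF configuration that applies DCERPC inspection only to the EPM exchange between the two OPC hosts, so that the interface ACL never has to open the dynamic port range. The addresses, interface names and object names are assumed sample values.

```cisco
! Assumed sample topology: OPC client 10.0.2.20 on "inside",
! OPC server 10.0.1.10 on "dmz". Replace with the real hosts.
!
! 1. Interface ACL: statically permit only the endpoint-mapper
!    exchange (TCP 135) from client to server. Everything else is
!    denied and logged, so the dynamic range stays closed.
access-list INSIDE_IN extended permit tcp host 10.0.2.20 host 10.0.1.10 eq 135
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! 2. Match only that EPM exchange for inspection (not "any any"),
!    so the inspection engine cannot be reached by other hosts.
access-list OPC_EPM extended permit tcp host 10.0.2.20 host 10.0.1.10 eq 135
class-map OPC_EPM_CLASS
 match access-list OPC_EPM
!
! 3. DCERPC inspection parameters. The pinhole timeout bounds how
!    long an unused pinhole for the negotiated dynamic port stays
!    open (default is short; 10 minutes here as an assumed value).
policy-map type inspect dcerpc OPC_DCERPC
 parameters
  timeout pinhole 00:10:00
!
! 4. Attach the inspection to the existing global policy. The
!    secondary connection to the port announced by the EPM server
!    (steps 3-6 above) is admitted through the inspection pinhole,
!    not through the interface ACL.
policy-map global_policy
 class OPC_EPM_CLASS
  inspect dcerpc OPC_DCERPC
!
service-policy global_policy global
!
! Verification after a client connects:
!   show service-policy inspect dcerpc
!   show conn address 10.0.2.20   (expect the TCP 135 flow plus one
!                                  flow to the dynamic port, and no
!                                  other flows)
```

Note that OPC DA subscriptions use DCOM callbacks in which the server connects back to the client's endpoint mapper; if those are required, the same pattern (a TCP 135 ACL entry plus a matching inspection class) is needed in the server-to-client direction as well.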
12-09-2014 05:49 PM
Thanks a lot for your help.
12-09-2014 10:42 PM
You're welcome!
Please mark the posts as correct / rate if it helped or solved your problem.
Thanks
Murali
10-12-2017 07:05 AM
Hi, were you able to establish OPC DA, HDA, A&E with DCE RPC inspection?
11-19-2014 06:32 PM
Hi
You might want to look at OPC Tunnellers. They are useful for getting around firewall issues.
Thanks
John