New Member

How to permit only OPC protocol traffic through CISCO ASA 5505

Hello, I have a problem with the OPC protocol on a Cisco ASA 5505. I'd like to ask for help: we need to pass only OPC protocol traffic (based on DCOM and MS RPC) through the ASA 5505 K8. Do you have any solutions?

I will be grateful for help.

Accepted Solutions
New Member

According to my knowledge, the Cisco ASA can only inspect the applications listed below (I don't know about the latest models, but this is on 8.4). DCERPC might be the perfect solution for you, but the catch is:

"DCERPC inspection only supports communication between an EPM server and clients to open pinholes through the ASA. Clients using RPC communication that does not use an EPM server is not supported with DCERPC inspection"

And I'm afraid we can't create an inspection policy for custom applications.

ASA1(config-pmap-c)# inspect ?

mpf-policy-map-class mode commands/options:
  ctiqbe
  dcerpc
  dns
  esmtp
  ftp
  gtp
  h323
  http
  icmp
  ils
  im
  ip-options
  ipsec-pass-thru
  ipv6
  mgcp
  mmp
  netbios
  pptp
  rsh
  rtsp
  sip
  skinny
  snmp
  sqlnet
  sunrpc
  tftp
  waas
  xdmcp

This is how it works (excerpts from the link mentioned at the bottom):

Step 1 A client queries an EPM server for the dynamically allocated port number of a required DCERPC service. The EPM server listens on the well-known TCP port 135.

Step 2 The ASA, located between the client and the EPM server, intercepts the communication.

Step 3 The EPM server indicates the port number on which the DCERPC service is available.

Step 4 The ASA opens a pinhole for that DCERPC service.

Step 5 Using that pinhole, the client attempts to connect to the DCERPC service on the indicated port.

Step 6 The ASA detects that the connection is permitted and creates a secondary connection to the server instance providing the DCERPC service. When creating the secondary connection, the ASA applies NAT if necessary.

You might already have it, but just in case:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/inspect_mgmt.html
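The configuration below is an added illustration of the policy the accepted answer describes; it is not taken from the thread or from the linked Cisco document. The access list permits only the endpoint mapper port (TCP/135) from the OPC client to the OPC server, and DCERPC inspection opens a pinhole only to the port the EPM announces in Step 3, so the Windows dynamic RPC range that the original poster's security department refuses to open is never permitted statically. The addresses 10.1.1.10 (OPC server, inside) and 10.2.2.20 (OPC client, outside), the interface names and the ACL and policy-map names are assumptions; adjust them to the real topology.

```cisco
! Added example, not from the original thread. Assumed topology: OPC server
! 10.1.1.10 on "inside", OPC client 10.2.2.20 on "outside". All names and
! addresses are hypothetical. ASA 8.x Modular Policy Framework syntax.

! 1. Static access policy: the only thing permitted client -> server is the
!    endpoint mapper (TCP/135). The Windows dynamic RPC range (1025-5000 or
!    49152-65535) is NOT opened here; inspection opens it per session instead.
access-list OUTSIDE-IN extended permit tcp host 10.2.2.20 host 10.1.1.10 eq 135
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside

! 2. DCERPC inspection parameters. epm-service-only enforces the endpoint
!    mapper service during binding so the service cannot be changed; the
!    pinhole timeout bounds how long a learned port stays open before the
!    client actually connects to it (Step 5 above).
policy-map type inspect dcerpc OPC-DCERPC
 parameters
  timeout pinhole 0:02:00
  endpoint-mapper epm-service-only

! 3. Apply the inspection only to the EPM exchange between these two hosts.
access-list OPC-EPM extended permit tcp host 10.2.2.20 host 10.1.1.10 eq 135
class-map OPC-EPM
 match access-list OPC-EPM

policy-map global_policy
 class OPC-EPM
  inspect dcerpc OPC-DCERPC

! global_policy is already applied globally on a default ASA configuration;
! reissue this only if it was removed.
service-policy global_policy global
```

To verify, use show service-policy inspect dcerpc to confirm the DCERPC inspection is matching the TCP/135 flow, and show conn while an OPC client connects: you should see the EPM connection plus a second connection to the single port the endpoint mapper announced, and a connection attempt to any other port in the dynamic range should be dropped by the deny entry and logged. One caveat a practitioner will want: OPC's DCOM callbacks (used by OPC DA subscriptions and by A&E) run in the opposite direction, from server to client, and go through the client's own TCP/135 and dynamic ports, so the reverse direction needs the same permit-135-plus-inspection treatment; whether this works for every OPC variant is exactly what the later question in the thread about DA, HDA and A&E asks, and it is why OPC tunnellers are suggested as an alternative.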

 

 

7 REPLIES
New Member

Hi PelekhovlS,

Could you please explain your problem in detail, what issue exactly you are facing with the ASA, so that we can guide you.

New Member

Hi murali438,

We have an OPC server machine, then the ASA 5505, then an OPC client machine. Our security department insists on permitting only OPC traffic between the OPC server and the OPC client.

The OPC protocol uses the dynamic Windows port range (WinXP 1025-5000, Vista+ 49192-65535) and port 135 as the endpoint mapper. It means that after the connection to port 135 on the server, the endpoint mapper (at the server) chooses a random port for OPC communication inside the dynamic range, and then the server and client communicate via that random port. Our security department forbids simply opening this dynamic range on the ASA 5505 because it's a big security hole. Configuring the server machine to limit the dynamic range does not work correctly. Is there a way or a built-in inspection (I heard about DCERPC, is that a solution?) to permit only OPC traffic?

New Member

Thanks a lot for your help.

New Member

You're welcome!

Please mark the posts as correct / rate if it helped or solved your problem.

Thanks

Murali

New Member

Re: Thanks a lot for your help.

Hi, were you able to establish OPC DA, HDA, A&E with DCE RPC inspection?

Silver

Hi

You might want to look at OPC Tunnellers. They are useful for getting around firewall issues.

Thanks

John
