Cisco Support Community

"inspect dcerpc" question

I just installed version 8.0(3) on an ASA 5510 so that I could get support for dcerpc application inspection.

I added the following to the configuration (10.2.x.x on outside and 10.1.x.x on inside):

access-list OUTSIDE-IN permit tcp host host eq 135

I also added the default "inspect dcerpc" statement. After doing this the firewall began creating the dcerpc pinholes as I would expect. However, I still see some connections being denied on TCP ports that dcerpc is opening. For example, a "show conn" reveals the following connection (among others):

TCP outside inside, idle 0:00:12, bytes 19433, flags UIOB

Yet I also see these log messages:

May 28 2008 13:28:31: %ASA-4-106023: Deny tcp src outside: dst inside: by access-group "OUTSIDE-IN" [0x502c4bfb, 0x0]

In other words, a machine on the outside is able to connect to an inside machine on TCP port 1116 as evidenced by the "show conn" command. Since the only explicitly allowed access is to port 135 (dcerpc), then I surmise that this must be a pinhole opened by the dcerpc inspection. However, when the same outside machine attempts to open another connection to port 1116 on the same inside machine, it is denied.

Is this by design? Will dcerpc inspection allow only a single connection to the destination port?

Also, does anyone know what the following dcerpc inspection parameters are for?

endpoint-mapper [epm-service-only] [lookup-operation]

The description for the epm-service-only parameter says "The epm-service-only keyword enforces endpoint mapper service during binding so that only its service traffic is processed". Ok. What does that mean? "The lookup-operation keyword enables the lookup operation of the endpoint mapper service". Not sure what that means either.
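As an added triage example (not part of the original post), the script below correlates `show conn` rows with %ASA-4-106023 deny messages and flags every deny whose destination port already carries an established connection from the same outside host to the same inside host, i.e. a second flow to a port that was opened dynamically for the first one rather than by the access list. The sample lines are constructed in the two formats quoted above; the addresses are placeholders.

```python
import re

# Constructed sample output modelled on the formats quoted in the question.
# Addresses and ports are placeholders, not values from the original post.
SHOW_CONN = """\
TCP outside 10.2.0.5:49188 inside 10.1.0.10:135, idle 0:00:03, bytes 2180, flags UIOB
TCP outside 10.2.0.5:49189 inside 10.1.0.10:1116, idle 0:00:12, bytes 19433, flags UIOB
"""

SYSLOG = """\
May 28 2008 13:28:31: %ASA-4-106023: Deny tcp src outside:10.2.0.5/49190 dst inside:10.1.0.10/1116 by access-group "OUTSIDE-IN" [0x502c4bfb, 0x0]
May 28 2008 13:28:40: %ASA-4-106023: Deny tcp src outside:10.2.0.7/51000 dst inside:10.1.0.10/445 by access-group "OUTSIDE-IN" [0x502c4bfb, 0x0]
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
CONN_RE = re.compile(rf"^TCP (\S+) {IP}:(\d+) (\S+) {IP}:(\d+),")
DENY_RE = re.compile(rf"%ASA-4-106023: Deny tcp src (\S+):{IP}/(\d+) dst (\S+):{IP}/(\d+)")


def parse_conns(text):
    """Return a set of (src_ip, dst_ip, dst_port) for each TCP row of `show conn`."""
    conns = set()
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.add((m.group(2), m.group(5), int(m.group(6))))
    return conns


def parse_denies(text):
    """Return a list of (src_ip, src_port, dst_ip, dst_port) from 106023 deny lines."""
    denies = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            denies.append((m.group(2), int(m.group(3)), m.group(5), int(m.group(6))))
    return denies


def classify_denies(show_conn, syslog):
    """Label each deny 'pinhole-port' when the same src/dst pair already has an
    established conn to that destination port (a second connection to a port the
    inspection opened, which the pinhole does not cover), otherwise 'acl'."""
    conns = parse_conns(show_conn)
    labelled = []
    for src_ip, src_port, dst_ip, dst_port in parse_denies(syslog):
        label = "pinhole-port" if (src_ip, dst_ip, dst_port) in conns else "acl"
        labelled.append((src_ip, src_port, dst_ip, dst_port, label))
    return labelled


if __name__ == "__main__":
    for row in classify_denies(SHOW_CONN, SYSLOG):
        print(row)
```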



Re: "inspect dcerpc" question

To enable inspection of DCERPC traffic destined for the endpoint-mapper, use the inspect dcerpc command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.

inspect dcerpc [map_name]

no inspect dcerpc [map_name]
