I also added the default "inspect dcerpc" statement. After doing this the firewall began creating the dcerpc pinholes as I would expect. However, I still see some connections being denied on TCP ports that dcerpc is opening. For example, a "show conn" reveals the following connection (among others):
May 28 2008 13:28:31: %ASA-4-106023: Deny tcp src outside:10.2.1.1/4844 dst inside:10.1.1.1/1116 by access-group "OUTSIDE-IN" [0x502c4bfb, 0x0]
In other words, a machine on the outside is able to connect to an inside machine on TCP port 1116 as evidenced by the "show conn" command. Since the only explicitly allowed access is to port 135 (dcerpc), then I surmise that this must be a pinhole opened by the dcerpc inspection. However, when the same outside machine attempts to open another connection to port 1116 on the same inside machine, it is denied.
Is this by design? Will dcerpc inspection allow only a single connection to the destination port?
Also, does anyone know what the following dcerpc inspection parameters are for?
The description for the epm-service-only parameter says "The epm-service-only keyword enforces endpoint mapper service during binding so that only its service traffic is processed". Ok. What does that mean? "The lookup-operation keyword enables the lookup operation of the endpoint mapper service". Not sure what that means either.
To enable inspection of DCERPC traffic destined for the endpoint-mapper, use the inspect dcerpc command in class configuration mode. Class configuration mode is accessible from policy map configuration mode. To remove the configuration, use the no form of this command.
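An added configuration example (not from the original post) showing the pieces the thread discusses together: an outside-in ACL that admits only the endpoint mapper, a DCERPC inspection policy with the two keywords asked about, and the commands used to verify the pinholes. The policy-map name DCERPC_MAP and the pinhole timeout value are assumptions; the addresses are the ones from the post.

```cisco
! Only the endpoint mapper (TCP 135) is permitted from the outside;
! every other inside port must be reached through an inspection pinhole.
access-list OUTSIDE-IN extended permit tcp any host 10.1.1.1 eq 135
access-group OUTSIDE-IN in interface outside
!
! DCERPC inspection policy (name DCERPC_MAP is an assumption).
policy-map type inspect dcerpc DCERPC_MAP
 parameters
  ! How long a pinhole stays open after the EPM reply (assumed value).
  timeout pinhole 0:10:00
  ! epm-service-only: only traffic bound to the endpoint mapper service is
  ! processed; lookup-operation: also track EPM lookup requests, not just
  ! map requests, when deciding which dynamic ports to open.
  endpoint-mapper epm-service-only lookup-operation
!
! Attach the inspection to the default global service policy.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dcerpc DCERPC_MAP
service-policy global_policy global
!
! Verification: counters for the inspection, then the pinhole connections.
show service-policy inspect dcerpc
show conn
```

Compare the `show conn` output against the %ASA-4-106023 denials in the syslog: a denied connection to a port that appears only as a pinhole in `show conn` indicates the pinhole had already been consumed or had timed out, not a gap in the ACL.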