There have to be plenty of people who have had to do this before, but I can't seem to find anything on CCO about this. I need to put Windows servers behind an ACL on a router and still permit RPC *without* nailing down the port on the servers (the server people say RPC gets put back to its default config every time they apply a patch). Has anyone done this?
Thanks for the link. The problem is that last part: "RPC Server Programs:". They want you to open every port above 1023 so the server can dynamically assign a port (a little bit like locking the door but leaving all the windows open). Apparently the client contacts the server on one of the well-known port numbers and the server tells it to contact it on the dynamically assigned port. I had hoped that Firewall IOS might be able to look further up the stack to recognize the RPC "conversation" and permit it, but I haven't been able to find any references to that on CCO.
The idea of this is to isolate the servers on their own internal network and have the clients access them through the ACL; we definitely don't want to allow any RPC from outside. We want to increase internal security by firewalling critical assets within the corporate network. We're using CSA on the servers already but wanted to take all possible precautions.
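As an added illustration (not from the original thread), here is what the two ACL choices described above look like in Cisco IOS extended-ACL syntax: the "open everything above 1023" rule the referenced document asks for, next to a rule that only opens the endpoint mapper (TCP 135) plus a pinned dynamic range. The addresses (clients 10.1.0.0/16, server segment 10.2.2.0/24), the ACL name, the interface and the range 5000-5100 are assumed for the example.

```cisco
! Added example, hypothetical addresses and names.
! Clients live in 10.1.0.0/16, the isolated server segment is 10.2.2.0/24.
ip access-list extended SERVER-IN
 remark Endpoint mapper: client asks the server on TCP 135 which port to use
 permit tcp 10.1.0.0 0.0.255.255 10.2.2.0 0.0.0.255 eq 135
 !
 remark Option A (what the document asks for): any high port, because the
 remark server picks the RPC port at random from its dynamic range
 permit tcp 10.1.0.0 0.0.255.255 10.2.2.0 0.0.0.255 gt 1023
 !
 remark Option B: only a range that has been pinned on the servers
 remark (replace the "gt 1023" line above with this one once the range is fixed)
 remark permit tcp 10.1.0.0 0.0.255.255 10.2.2.0 0.0.0.255 range 5000 5100
 !
 remark Everything else toward the servers is dropped and logged
 deny ip any any log
!
interface FastEthernet0/1
 description link to isolated server segment
 ip access-group SERVER-IN out
```

Option B only works if the servers keep the pinned range, which is the point the thread is stuck on: Windows reads its RPC dynamic range from the registry key HKLM\SOFTWARE\Microsoft\Rpc\Internet (values Ports, PortsInternetAvailable and UseInternetPorts, documented by Microsoft in KB 154596), and a patch that resets that key silently turns Option B into a broken ACL until someone notices the failed RPC calls in the deny log. A plain IOS ACL is stateless, so neither option lets the router learn the negotiated port from the 135 exchange; it matches each packet on its own.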