15-3
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 15 Inspection of Database, Directory, and Management Protocols
DCERPC Inspection
Step 2 (Optional) To add a description to the policy map, enter the following command:
hostname(config-pmap)# description string
Step 3 To configure parameters that affect the inspection engine, perform the following steps:
a. To enter parameters configuration mode, enter the following command:
hostname(config-pmap)# parameters
hostname(config-pmap-p)#
b. Set one or more parameters. You can set the following options; use the no form of the command to
disable the option:
• timeout pinhole hh:mm:ss—Configures the timeout for DCERPC pinholes and override the
global system pinhole timeout of two minutes. The timeout can be from 00:00:01 to 119:00:00.
• endpoint-mapper [epm-service-only] [lookup-operation [timeout hh:mm:ss]]—Configures
options for the endpoint mapper traffic. The epm-service-only keyword enforces endpoint
mapper service during binding so that only its service traffic is processed. The
lookup-operation keyword enables the lookup operation of the endpoint mapper service. You
can configure the timeout for pinholes generated from the lookup operation. If no timeout is
configured for the lookup operation, the timeout pinhole command or the default is used.
Example
The following example shows how to define a DCERPC inspection policy map with the timeout
configured for DCERPC pinholes.
hostname(config)# policy-map type inspect dcerpc dcerpc_map
hostname(config-pmap)# timeout pinhole 0:10:00
hostname(config)# class-map dcerpc
hostname(config-cmap)# match port tcp eq 135
hostname(config)# policy-map global-policy
hostname(config-pmap)# class dcerpc
hostname(config-pmap-c)# inspect dcerpc dcerpc-map
hostname(config)# service-policy global-policy global
Configure the DCERPC Inspection Service Policy
DCERPC inspection is not enabled in the default inspection policy, so you must enable it if you need
this inspection. You can simply edit the default global inspection policy to add DCERPC inspection. You
can alternatively create a new service policy as desired, for example, an interface-specific policy.
Procedure
Step 1 If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection.
class-map name
match parameter
Example:
hostname(config)# class-map dcerpc_class_map
hostname(config-cmap)# match access-list dcerpc
To Next Page
Loading...
Need help?
General
