15-2
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 15 Inspection of Database, Directory, and Management Protocols
DCERPC Inspection
This typically involves a client querying a server called the Endpoint Mapper, listening on a well-known
port number, for the dynamically allocated network information of a required service. The client then sets
up a secondary connection to the server instance providing the service. The security appliance allows the
appropriate port number and network address and also applies NAT, if needed, for the secondary
connection.
DCERPC inspection maps inspect native TCP communication between the EPM and the client on
well-known TCP port 135. Map and lookup operations of the EPM are supported for clients. Client and server
can be located in any security zone. The embedded server IP address and port number are taken from
the applicable EPM response messages. Since a client may attempt multiple connections to the server
port returned by the EPM, a pinhole may be used multiple times; pinholes have configurable timeouts.
DCE inspection supports the following UUIDs and messages:
• Endpoint mapper (EPM) UUID. All EPM messages are supported.
• ISystemMapper UUID (non-EPM). Supported messages are:
– RemoteCreateInstance opnum4
– RemoteGetClassObject opnum3
• Any message that does not contain an IP address or port information, because these messages do not
require inspection.
Configure DCERPC Inspection
DCERPC inspection is not enabled by default. You must configure it if you want DCERPC inspection.
Procedure
Step 1 Configure a DCERPC Inspection Policy Map, page 15-2.
Step 2 Configure the DCERPC Inspection Service Policy, page 15-3.
Configure a DCERPC Inspection Policy Map
To specify additional DCERPC inspection parameters, create a DCERPC inspection policy map. You can
then apply the inspection policy map when you enable DCERPC inspection.
Before You Begin
Some traffic matching options use regular expressions for matching purposes. If you intend to use one
of those techniques, first create the regular expression or regular expression class map.
Procedure
Step 1 To create a DCERPC inspection policy map, enter the following command:
hostname(config)# policy-map type inspect dcerpc policy_map_name
hostname(config-pmap)#
where policy_map_name is the name of the policy map. The CLI enters policy-map configuration
mode.
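The two-step procedure above (Step 1, the inspection policy map, and Step 2, the service policy that this page only references) written out as one complete ASA configuration. This is an added example, not text from the Cisco guide: the names dcerpc_map and dcerpc_class and the timeout values are chosen for illustration, and the "parameters" sub-commands (timeout pinhole, endpoint-mapper) are assumed ASA 9.x syntax that this page itself does not list.

```cisco
! Added example configuration (not from the guide page above).
! Names dcerpc_map / dcerpc_class and the timeout values are illustrative;
! the "parameters" sub-commands are assumed ASA 9.x DCERPC policy-map syntax.

! Step 1: create the DCERPC inspection policy map and tune its parameters.
policy-map type inspect dcerpc dcerpc_map
 parameters
  ! Pinholes for the port returned by the EPM are reused by reconnecting
  ! clients; expire an idle pinhole after 10 minutes (assumed default: 2 minutes).
  timeout pinhole 0:10:00
  ! Enforce that the port-135 binding is to the EPM service only, and also
  ! inspect EPM lookup operations with their own pinhole timeout.
  endpoint-mapper epm-service-only lookup-operation timeout 0:05:00

! Step 2: match EPM traffic on TCP 135 and attach the map to the service policy.
class-map dcerpc_class
 match port tcp eq 135

! global_policy exists by default on an ASA; this adds a class to it.
policy-map global_policy
 class dcerpc_class
  inspect dcerpc dcerpc_map

service-policy global_policy global

! Confirm the inspection is active and check its counters.
show service-policy inspect dcerpc
```

Because DCERPC inspection is off by default, nothing in the global policy handles the secondary connection until the class above is added; the show command is the quickest way to confirm that packets are actually hitting the inspection and that pinholes are being opened and aged out as expected.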