CHAPT ER
46-1
Cisco ASA 5500 Series Configuration Guide using the CLI
46
Configuring Inspection for Management Application Protocols
This chapter describes how to configure application layer protocol inspection. Inspection engines are
required for services that embed IP addressing information in the user data packet or that open secondary
channels on dynamically assigned ports. These protocols require the ASA to do a deep packet inspection
instead of passing the packet through the fast path. As a result, inspection engines can affect overall
throughput.
Several common inspection engines are enabled on the ASA by default, but you might need to enable
others depending on your network.
This chapter includes the following sections:
DCERPC Inspection, page 46-1
GTP Inspection, page 46-3
RADIUS Accounting Inspection, page46-9
RSH Inspection, page 46-11
SNMP Inspection, page 46-11
XDMCP Inspection, page 46-12

DCERPC Inspection

This section describes the DCERPC inspection engine. This section includes the following topics:
DCERPC Overview, page46-1
Configuring a DCERPC Inspection Policy Map for Additional Inspection Control, page46-2

DCERPC Overview

DCERPC is a protocol widely used by Microsoft distributed client and server applications that allows
software clients to execute programs on a server remotely.
This typically involves a client querying a server called the Endpoint Mapper listening on a well known
port number for the dynamically allocated network information of a required service. The client then sets
up a secondary connection to the server instance providing the service. The security appliance allows the
appropriate port number and network address and also applies NAT, if needed, for the secondary
connection.