46-2
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter46 Configuring Inspection for Management Application Protocols
DCERPC Inspection
DCERPC inspect maps inspect for native TCP communication between the EPM and client on well
known TCP port 135. Map and lookup operations of the EPM are supported for clients. Client and server
can be located in any security zone. The embedded server IP address and Port number are received from
the applicable EPM response messages. Since a client may attempt multiple connections to the server
port returned by EPM, multiple use of pinholes are allowed, which have user configurable timeouts.
Note DCERPC inspection only supports communication between the EPM and clients to open pinholes
through theASA. Clients using RPC communication that does not use the EPM is not supported with
DCERPC inspection.
Configuring a DCERPC Inspection Policy Map for Additional Inspection Control
To specify additional DCERPC inspection parameters, create a DCERPC inspection policy map. You can
then apply the inspection policy map when you enable DCERPC inspection.
To create a DCERPC inspection policy map, perform the following steps:
Step1 Create a DCERPC inspection policy map, enter the following command:
hostname(config)# policy-map type inspect dcerpc policy_map_name
hostname(config-pmap)#
Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration
mode.
Step2 (Optional) To add a description to the policy map, enter the following command:
hostname(config-pmap)# description string
Step3 To configure parameters that affect the inspection engine, perform the following steps:
a. To enter parameters configuration mode, enter the following command:
hostname(config-pmap)# parameters
hostname(config-pmap-p)#
b. To configure the timeout for DCERPC pinholes and override the global system pinhole timeout of
two minutes, enter the following command:
hostname(config-pmap-p)# timeout pinhole hh:mm:ss
Where the hh:mm:ss argument is the timeout for pinhole connections. Value is between 0:0:1 and
1193:0:0.
c. To configure options for the endpoint mapper traffic, enter the following command:
hostname(config-pmap-p)# endpoint-mapper [epm-service-only] [lookup-operation
[timeout hh:mm:ss]]
Where the hh:mm:ss argument is the timeout for pinholes generated from the lookup operation. If
no timeout is configured for the lookup operation, the timeout pinhole command or the default is
used. The epm-service-only keyword enforces endpoint mapper service during binding so that only
its service traffic is processed. The lookup-operation keyword enables the lookup operation of the
endpoint mapper service.