Dcerpc Inspection - Cisco 7604 Configuration Manual
Catalyst 6500 series switch and cisco 7600 series router firewall services module configuration guide using the cli
Hide thumbs
Also See for 7604:
- Configuration manual (1011 pages) ,
- Installation manual (324 pages) ,
- User manual (98 pages)
Table of Contents
Advertisement
DCERPC Inspection
Network Processor 1 connection
TCP out 10.0.0.101:2748 in 10.0.0.23:3598 idle 0:00:09 Bytes 103065 FLAGS - UOI
UDP out 10.0.0.21:30504 in 10.0.0.23:3650 idle 0:00:00 Bytes 4810406
FLAGS - C
UDP out 10.0.0.21:1436 in 10.0.0.23:19972 idle 0:00:00 Bytes 4813240
FLAGS - C
TCP out 10.0.0.21:1437 in 10.0.0.23:1720 idle 0:07:04 Bytes 1027 FLAGS - UBOIh
UDP out 10.0.0.21:49608 in 10.0.0.23:49608 idle 0:00:10 Bytes 241836
FLAGS - H
UDP out 10.0.0.21:49609 in 10.0.0.23:49609 idle 0:00:01 Bytes 17480
FLAGS - H
TCP out 10.0.0.21:1440 in 10.0.0.23:1503 idle 0:06:58 Bytes 4488 FLAGS - UBOI
TCP out 10.0.0.21:1441 in 10.0.0.23:1503 idle 0:04:50 Bytes 17888 FLAGS - UBOI
TCP out 10.0.0.21:1442 in 10.0.0.23:1503 idle 0:04:50 Bytes 471135 FLAGS - UBOI
Network Processor 2 connections
Multicast sessions:
Network Processor 1 connections
Network Processor 2 connections
IPv6 connections:
DCERPC Inspection
DCERPC is a protocol widely used by Microsoft distributed client and server applications that allows
software clients to execute programs on a server remotely.
This typically involves a client querying a server called the Endpoint Mapper listening on a well known
port number for the dynamically allocated network information of a required service. The client then sets
up a secondary connection to the server instance providing the service. The security appliance allows the
appropriate port number and network address and also applies NAT, if needed, for the secondary
connection.
DCERPC inspect maps inspect for native TCP communication between the EPM and client on well
known TCP port 135. Map and lookup operations of the EPM are supported for clients. Client and server
can be located in any security zone. The embedded server IP address and Port number are received from
the applicable EPM response messages. Since a client may attempt multiple connections to the server
port returned by EPM, multiple use of pinholes are allowed, which have user configurable timeouts.
DCERPC inspection only supports communication between the EPM and clients to open pinholes
Note
through the FWSM. Clients using RPC communication that does not use the EPM is not supported with
DCERPC inspection.
DCERPC inspection supports the following messages:
•
•
•
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
22-16
E - outside back connection, F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, k - Skinny media,
M - SMTP data, m - SIP media, O - outbound data, P - inside back connection,
q - SQL*Net data, R - outside acknowledged FIN,
R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up
End point mapper (EPMAP)
RemoteCreateInstance
Any message that does not contain an IP address or port information because these messages do not
require inspection
Chapter 22
Applying Application Layer Protocol Inspection
OL-20748-01
- Quick Links:
- C H a P T E...
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
