Saturday, September 18, 2021

Finally figured out how to replicate policy-based DCE/RPC inspection from the ASA onto our new FTD platforms.

Seriously, it was like Cisco wants to punish us for moving to the FTD platform. I had even used their migration tool previously to convert our ASA config to the FTD, and the post-migration report listed the inspection policy as unsupported. I spent hours scouring forums, blogs, and white paper sites and really couldn't find any good documentation about how you could go about doing it. The most I could find was some suggestions to use FlexConfig objects.

We had several tickets open with Cisco TAC on this issue, and every engineer assigned failed to give me a good solution. Their answer always came back to just creating rules in the access policy opening all the high-range ports between security zones, which kind of sucks as a solution.

So yes, maybe I'm an idiot for not figuring this out earlier, or maybe it was clearly documented somewhere and my google-fu really could use a refresher, but it is possible to replicate policy-based DCE/RPC inspection using FlexConfig objects. (To a degree: I still couldn't get it to let me configure timeout pinhole settings, but take the victories you can, I guess.) I welcome Reddit's mockery for banging my head against the wall this long before figuring it out.
