OK so this one is simple once you know how. TCP Port 135 (MS Remote Procedure Call Endpoint Mapper) requests high range ports > 1024 for Windows client / server networking. To allow this traffic across the ASA you need to pinhole the ports with the global policy map:

policy-map type inspect dcerpc dcerpc_map
timeout pinhole 0:10:00
class-map dcerpc
match port tcp eq 135

policy-map global_policy
class dcerpc
inspect dcerpc dcerpc_map

As well as permitting the traffic through the firewall rule (obviously). It can be done with tcp/135 or an IP any between hosts. Use the command:
show run policy map to verify the policy map.

About Post Author