Cisco ASA 5510 MSN Messenger Block
17 years 5 months ago #22006
by Princey
Cisco ASA 5510 MSN Messenger Block was created by Princey
Hey folks,
I am having quite a bit of trouble filtering out MSN Messenger on my company's network. Maybe you could help me out?
I have tried ACLs and group policies with no luck.
Details:
[code:1]Cisco Adaptive Security Appliance Software Version 7.2(1)
Device Manager Version 5.2(1)
[/code:1]
Here is the ACL that I tried:
[code:1]
access-list MSN_OUT_BLOCK extended deny tcp 192.168.55.0 255.255.255.0 any range 6891 6900
access-list MSN_OUT_BLOCK extended deny udp 192.168.55.0 255.255.255.0 any range 6891 6900
access-list MSN_OUT_BLOCK extended deny tcp 192.168.55.0 255.255.255.0 any eq 6901
access-list MSN_OUT_BLOCK extended deny udp 192.168.55.0 255.255.255.0 any eq 6901
access-list MSN_OUT_BLOCK extended permit tcp 192.168.55.0 255.255.255.0 any eq www
access-list MSN_OUT_BLOCK extended deny ip 192.168.55.0 255.255.255.0 207.46.248.0 255.255.255.0
access-list MSN_OUT_BLOCK extended deny tcp 192.168.55.0 255.255.255.0 207.46.27.0 255.255.255.0 eq 7001
access-list MSN_OUT_BLOCK extended deny udp 192.168.55.0 255.255.255.0 207.46.27.0 255.255.255.0 eq 7001
access-list MSN_OUT_BLOCK extended deny tcp 192.168.55.0 255.255.255.0 207.46.0.0 255.255.0.0 eq https
access-list MSN_OUT_BLOCK extended deny tcp 192.168.55.0 255.255.255.0 207.46.0.0 255.255.0.0 eq www
access-list MSN_OUT_BLOCK extended deny tcp 192.168.55.0 255.255.255.0 any eq 1863
access-list MSN_OUT_BLOCK extended deny udp 192.168.55.0 255.255.255.0 any eq 1863
access-list MSN_OUT_BLOCK extended permit ip any any
---
access-group MSN_OUT_BLOCK out interface outside8
[/code:1]
Here is the policy which I tried:
[code:1]
class-map type regex match-any msn_exempt_list
match regex msnuser1 "booobs\@gmail.com"
match regex msnuser2 "user\@hotmail.com"
class-map type inspect im match-all MSN_BLOCK_CLASS
description "blabla"
match protocol msn-im
match login-name regex class msn_exempt_list
policy-map type inspect im MSN_BLOCK_POLICY
description "Policy blocking MSN IM"
class MSN_BLOCK_CLASS
drop-connection
service-policy MSN_BLOCK_POLICY interface outside8
---
ERROR: % policy-map MSN_BLOCK_POLICY of type (inspect im) cannot be applied to a 'service-policy' command
[/code:1]
Any help which you could provide me with would be great.
Thanks,
David Prince
17 years 5 months ago #22008
by Princey
Replied by Princey on topic Re: Cisco ASA 5510 MSN Messenger Block
OK, I got it working with the following ACL set:
[code:1]
access-list MSN_OUT_BLOCK line 1 extended deny tcp any 207.46.0.0 255.255.0.0 eq https
access-list MSN_OUT_BLOCK line 2 extended deny tcp any any eq 1863
access-list MSN_OUT_BLOCK line 3 extended deny udp any any eq 1863
access-list MSN_OUT_BLOCK line 4 extended deny tcp any 65.54.239.0 255.255.255.0
access-list MSN_OUT_BLOCK line 5 extended permit ip any any[/code:1]
But I want certain people within the network to be able to access MSN Messenger. Is there any way I can do this without setting up another reserved scope on the DHCP server?
Thanks,
David Prince
17 years 5 months ago #22009
by anti-hack
Replied by anti-hack on topic Re: Cisco ASA 5510 MSN Messenger Block
Hi,
I don't have an ASA, but the way I managed this on the PIX is that I always use a permit-some, deny-all policy. Then, for the people who require the access, I granted them TCP 1863 and UDP 7001. The problem with IM software like MSN and Google Talk is that they use TCP port 80 instead if their primary ports are blocked. To counter this I used Microsoft ISA to filter the HTTP traffic. Now everything is under control and only the allowed people can access IM.
Hope this helped.
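Two things in this thread are worth seeing in working form: the first post's blocklist ACL, and the permit-some, deny-all approach anti-hack describes above. The following is an added example written for this page, not code from the thread or from Cisco: a small Python model of how an ASA extended ACL is evaluated (top-down, first match wins, implicit "deny ip any any" at the end). Fed the first post's entries, it reports that the `permit tcp ... any eq www` entry fully covers the later `deny tcp ... 207.46.0.0 255.255.0.0 eq www` entry, so that deny can never fire. Fed an allowlist in anti-hack's style it shows that the exempt host reaches TCP 1863 while other hosts are dropped, and also that the ACL cannot tell MSN's port-80 fallback from normal browsing, which is why anti-hack moves HTTP filtering to a proxy. The exempt host address 192.168.55.20 is a constructed value, the 192.186.55.0 in the first post's third entry is taken as the 192.168.55.0 typo it evidently is, and only protocol, source, destination and destination port are modelled. (The error at the end of the first post is a separate matter: on the ASA a `policy-map type inspect im` is not attached with `service-policy` directly; it is referenced by an `inspect im` line inside a Layer 3/4 policy-map, and that Layer 3/4 policy-map is what `service-policy` applies.)

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of a Cisco ASA extended ACL for illustration; it is not
# ASA code. Entries are evaluated top-down, the first match wins, and an
# implicit "deny ip any any" follows the last entry. Only the fields used by
# the ACLs in the thread are modelled: protocol, source, destination and
# destination port.

ANY = "0.0.0.0/0"
ALL_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: str                    # CIDR; ANY for "any"
    dst: str                    # CIDR; ANY for "any"
    dports: tuple = ALL_PORTS   # inclusive destination port range

    def matches(self, proto, src, dst, dport):
        """Does a single packet hit this entry?"""
        return ((self.proto == "ip" or self.proto == proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.dports[0] <= dport <= self.dports[1])

    def covers(self, other):
        """True when every packet matching `other` also matches this entry."""
        return ((self.proto == "ip" or self.proto == other.proto)
                and ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.dports[0] <= other.dports[0] <= other.dports[1] <= self.dports[1])


def rule(action, proto, src, dst, port=None):
    """Builder: port may be None (all ports), an int, or a (low, high) range."""
    if port is None:
        dports = ALL_PORTS
    elif isinstance(port, int):
        dports = (port, port)
    else:
        dports = tuple(port)
    return Rule(action, proto, src, dst, dports)


def evaluate(acl, proto, src, dst, dport):
    """Return (line, action) of the first matching entry; line 0 is the implicit deny."""
    for line, entry in enumerate(acl, start=1):
        if entry.matches(proto, src, dst, dport):
            return line, entry.action
    return 0, "deny"


def shadowed(acl):
    """(line, earlier_line) pairs where an earlier entry with the opposite action
    fully covers a later one, so the later entry can never fire."""
    found = []
    for line, entry in enumerate(acl, start=1):
        for earlier_line, earlier in enumerate(acl[:line - 1], start=1):
            if earlier.action != entry.action and earlier.covers(entry):
                found.append((line, earlier_line))
                break
    return found


LAN = "192.168.55.0/24"

# The first post's blocklist, entry for entry (third entry read as 192.168.55.0/24).
BLOCKLIST = [
    rule("deny", "tcp", LAN, ANY, (6891, 6900)),
    rule("deny", "udp", LAN, ANY, (6891, 6900)),
    rule("deny", "tcp", LAN, ANY, 6901),
    rule("deny", "udp", LAN, ANY, 6901),
    rule("permit", "tcp", LAN, ANY, 80),
    rule("deny", "ip", LAN, "207.46.248.0/24"),
    rule("deny", "tcp", LAN, "207.46.27.0/24", 7001),
    rule("deny", "udp", LAN, "207.46.27.0/24", 7001),
    rule("deny", "tcp", LAN, "207.46.0.0/16", 443),
    rule("deny", "tcp", LAN, "207.46.0.0/16", 80),
    rule("deny", "tcp", LAN, ANY, 1863),
    rule("deny", "udp", LAN, ANY, 1863),
    rule("permit", "ip", ANY, ANY),
]

# Allowlist in the style anti-hack describes: permit what is needed, rely on the
# implicit deny for everything else. 192.168.55.20 is a constructed address
# standing in for one exempt user's (statically assigned) host.
EXEMPT_HOST = "192.168.55.20/32"
ALLOWLIST = [
    rule("permit", "tcp", EXEMPT_HOST, ANY, 1863),
    rule("permit", "udp", EXEMPT_HOST, ANY, 7001),
    rule("permit", "tcp", LAN, ANY, 80),
    rule("permit", "tcp", LAN, ANY, 443),
]

if __name__ == "__main__":
    print("shadowed entries in blocklist:", shadowed(BLOCKLIST))
    print("LAN host -> 207.46.1.1:80 :", evaluate(BLOCKLIST, "tcp", "192.168.55.10", "207.46.1.1", 80))
    print("exempt host -> tcp/1863   :", evaluate(ALLOWLIST, "tcp", "192.168.55.20", "1.2.3.4", 1863))
    print("other host  -> tcp/1863   :", evaluate(ALLOWLIST, "tcp", "192.168.55.30", "1.2.3.4", 1863))
    print("other host  -> tcp/80     :", evaluate(ALLOWLIST, "tcp", "192.168.55.30", "1.2.3.4", 80))
```

The `shadowed` check is deliberately conservative: it only flags an entry when an earlier entry with the opposite action covers it completely, which is the case that silently breaks a blocklist. Partial overlaps (an earlier entry that catches some but not all of a later entry's traffic) are left alone, since those are often intentional.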
17 years 5 months ago #22010
by Princey
Replied by Princey on topic Re: Cisco ASA 5510 MSN Messenger Block
Yes, this is what I want to do, but because all the employees are assigned IPs via DHCP it's hard to permit certain users.
Is there any way of permitting certain users without making a reserved scope and assigning static IPs to the people who need MSN?
17 years 5 months ago #22136
by anti-hack
Replied by anti-hack on topic Re: Cisco ASA 5510 MSN Messenger Block
Well, creating scopes seems to be the only logical solution to this problem; otherwise the PIX would either allow the subnet or deny it. For specific ports and services you have to assign the clients specific IP addresses so that you are in a better position to control what's going on.
Regards
17 years 5 months ago #22172
by pothead
Replied by pothead on topic Re: Cisco ASA 5510 MSN Messenger Block
Exactly. You'd have to create static reservations in your DHCP or put static IPs on those machines manually, and then allow those on the firewall while denying everyone else.