Configure IM and Yahoo blocking and P2P blocking

Posted on November 17, 2010

I put together two examples to demonstrate how to block chat and peer-to-peer applications on a Cisco ASA. I would not call this the most secure approach, but it is better than nothing.

Task 1.

We need to BLOCK MSN and Yahoo instant messaging in traffic going from the 10.0.0.x network to the 192.168.0.x network.
(IM inspection is available only from ASA software release 7.2.2 onward.)

Step 1. Create an ACL that selects the traffic to inspect. A class map matches only the traffic its ACL permits, so the entry must be "permit" even though the goal is to block: a "deny" entry would make the class match nothing, and the IM policy would never be applied. The blocking itself is done by the IM policy map in Step 4.

access-list no_im_traffic extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0

Step 2. Reference the ACL in a Layer 3/4 class map.

class-map no_im
match access-list no_im_traffic

Step 3. Create IM inspection class maps that identify the MSN and Yahoo protocols.

class-map type inspect im match-all msn_deny
match protocol msn-im
class-map type inspect im match-all yahoo_deny
match protocol yahoo-im

Step 4. Create an IM inspection policy map that drops the connections matched by those class maps.

policy-map type inspect im im_deny
parameters
class msn_deny
drop-connection
class yahoo_deny
drop-connection

Step 5. Add the new IM policy map to the global policy, but only under the class map created in Step 2, so that the inspection applies to the 10.0.0.x to 192.168.0.x traffic and nothing else. The global policy is already applied to every interface by the default "service-policy global_policy global" command; "show service-policy global" confirms that the new class and inspection are active.

policy-map global_policy
class no_im
inspect im im_deny

More info on Instant Messaging Inspection:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/inspect.html#wp1479354

Task 2.

Block P2P applications in traffic going from the 10.0.0.x network to the 192.168.0.x network.

(HTTP port-misuse inspection with an http-map is available only from ASA software release 7.0 onward.)

access-list no_p2p_traffic extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
class-map http_port
match access-list no_p2p_traffic
http-map inbound_http
port-misuse im action reset log
port-misuse p2p action reset log
port-misuse tunneling action reset log
policy-map global_policy
class http_port
inspect http inbound_http

Two details matter here. As in Task 1, the ACL must "permit" the traffic that should be inspected, because a class map only matches traffic its ACL permits. And the class is attached to the policy map with "class http_port", not "class-map http_port"; the latter would leave the policy map and start editing the class map instead, so the inspection would never be attached. The port-misuse checks catch IM, P2P and tunneling clients that disguise their traffic as HTTP; they do nothing for clients that use their native ports. Because the ACL matches all IP traffic between the two networks, consider restricting it to TCP port 80 (eq www) so that HTTP inspection is applied only to web sessions.

More info on port-misuse (ASA 7.0 command reference):
http://www.cisco.com/en/US/customer/docs/security/asa/asa70/command/reference/mr.html#wp1590988
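The two listings in this post are easy to get wrong in ways the ASA accepts without complaint: an ACL with only deny entries under "match access-list" selects no traffic, and "class-map" typed inside a policy map silently leaves the policy map. The following Python script is an added example, not part of the original post and not a Cisco tool; it parses MPF snippets in the plain, unindented form used on this page and reports those two problems together with references to undefined class maps and inspection maps. BROKEN and CORRECTED are constructed sample inputs (the Yahoo class is omitted to keep the sample short); the parse is keyword based and covers only the commands used in the two tasks.

```python
"""Lint a Cisco ASA MPF snippet for mistakes that make an IM / P2P block silently
ineffective.  Added example, not a Cisco tool.  It encodes two ASA behaviours: a
class-map with 'match access-list' selects only the traffic the ACL PERMITS (a
deny-only ACL means the class matches nothing), and inside a policy-map a class is
attached with 'class NAME', not 'class-map NAME'.  The parse is keyword based and
covers only the commands used in the two tasks on this page."""

def parse_mpf(text):
    """Collect ACLs, class-maps, policy-maps and http-maps plus syntax-level errors."""
    acls, class_maps, policy_maps, http_maps, errors = {}, {}, {}, set(), []
    ctx, cur_class = None, None  # (kind, name) being configured; class open in a policy-map
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        kw = words[0]
        if kw == "access-list":  # access-list NAME extended {permit|deny} ...
            action = words[3] if words[2] == "extended" else words[2]
            acls.setdefault(words[1], []).append(action)
            ctx = None
        elif kw == "class-map":
            if ctx and ctx[0] == "policy-map" and len(words) == 2 and words[1] in class_maps:
                # 'class-map NAME' inside a policy-map re-enters the class-map instead of attaching it
                errors.append(f"policy-map {ctx[1]}: 'class-map {words[1]}' should be 'class {words[1]}'")
                cur_class = words[1]
                policy_maps[ctx[1]]["classes"].setdefault(cur_class, [])
                continue
            # class-map NAME  |  class-map type inspect PROTO match-all|match-any NAME
            ctype = words[3] if words[1] == "type" else "l3l4"
            class_maps[words[-1]] = {"type": ctype, "matches": []}
            ctx = ("class-map", words[-1])
        elif kw == "policy-map":  # policy-map NAME | policy-map type inspect PROTO NAME
            ptype = words[3] if words[1] == "type" else "l3l4"
            policy_maps.setdefault(words[-1], {"type": ptype, "classes": {}})
            ctx, cur_class = ("policy-map", words[-1]), None
        elif kw == "http-map":
            http_maps.add(words[1])
            ctx = ("http-map", words[1])
        elif ctx and ctx[0] == "class-map" and kw == "match":
            class_maps[ctx[1]]["matches"].append((words[1], words[2]))
        elif ctx and ctx[0] == "policy-map":
            if kw == "class":
                cur_class = words[1]
                policy_maps[ctx[1]]["classes"].setdefault(cur_class, [])
            elif kw == "parameters":
                cur_class = None
            elif cur_class is not None:
                policy_maps[ctx[1]]["classes"][cur_class].append(" ".join(words))
    return acls, class_maps, policy_maps, http_maps, errors

def lint_mpf(text):
    """Return human-readable findings; an empty list means the snippet is consistent."""
    acls, class_maps, policy_maps, http_maps, findings = parse_mpf(text)
    for cname, cmap in class_maps.items():
        for kind, ref in cmap["matches"]:
            if kind == "access-list" and "permit" not in acls.get(ref, []):
                findings.append(f"class-map {cname}: access-list {ref} is missing or has only deny "
                                "entries, so the class matches no traffic; use permit")
    for pname, pmap in policy_maps.items():
        for cname, actions in pmap["classes"].items():
            if cname not in class_maps:
                findings.append(f"policy-map {pname}: class {cname} is not defined")
            for action in actions:
                w = action.split()
                if w[0] != "inspect" or len(w) < 3:
                    continue
                engine, ref = w[1], w[2]
                ref_type = policy_maps.get(ref, {}).get("type")
                if not (ref_type == engine or (engine == "http" and ref in http_maps)):
                    findings.append(f"policy-map {pname} class {cname}: inspect {engine} {ref} "
                                    f"references an undefined {engine} inspection map")
    return findings

# Constructed sample: the two tasks (Yahoo class omitted for brevity) typed with the
# common mistakes, deny ACEs and 'class-map' inside the policy-map.
BROKEN = """\
access-list no_im_traffic extended deny ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
class-map no_im
match access-list no_im_traffic
class-map type inspect im match-all msn_deny
match protocol msn-im
policy-map type inspect im im_deny
class msn_deny
drop-connection
policy-map global_policy
class no_im
inspect im im_deny
access-list no_p2p_traffic extended deny ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
class-map http_port
match access-list no_p2p_traffic
http-map inbound_http
port-misuse p2p action reset log
policy-map global_policy
class-map http_port
inspect http inbound_http
"""
# The same policy with both fixes applied.
CORRECTED = BROKEN.replace(" extended deny ", " extended permit ").replace(
    "policy-map global_policy\nclass-map http_port", "policy-map global_policy\nclass http_port")
```

lint_mpf(BROKEN) returns three findings (the class-map typo and the two deny-only ACLs); lint_mpf(CORRECTED) returns an empty list. The script checks only permit versus deny and name references, so a permit entry that selects the wrong subnet still passes; on the ASA itself, packet-tracer is the real check that a given flow hits the intended class and inspection.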
