I made two examples to demonstrate the configuration for blocking chat and peer-to-peer applications. I would not say this is the most secure way, but it is better than nothing.
Task 1.
From the 10.0.0.x network to the 192.168.0.x network we need to BLOCK MSN and Yahoo.
(Blocking chat applications with IM inspection is only possible from code 7.2.2.)
Step 1. Create an ACL for the defined traffic.
access-list no_im_traffic extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
(Use permit here: in an ASA MPF class-map, permit ACEs select the traffic for the class and deny ACEs exempt it, so a deny-only ACL would match nothing and the inspection would never run.)
Step 2. Apply the ACL in a class map.
class-map no_im
 match access-list no_im_traffic
Step 3. Create the inspection class maps that identify MSN and Yahoo.
class-map type inspect im match-all msn_deny
 match protocol msn-im
class-map type inspect im match-all yahoo_deny
 match protocol yahoo-im
Step 4. Create an inspection policy map for the class maps that identify MSN and Yahoo.
policy-map type inspect im im_deny
 parameters
 class msn_deny
  drop-connection
 class yahoo_deny
  drop-connection
Step 5. Add the new policy map to the global policy, but only for the class map created at STEP 2!
policy-map global_policy
 class no_im
  inspect im im_deny
More info for Instant Messaging Inspection:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/inspect.html#wp1479354
Task 2.
Block P2P applications if traffic goes from 10.0.0.x to 192.168.0.x.
(This configuration, HTTP port-misuse inspection, is only possible from code 7.0.)
access-list no_p2p_traffic extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
class-map http_port
 match access-list no_p2p_traffic
http-map inbound_http
 port-misuse im action reset log
 port-misuse p2p action reset log
 port-misuse tunneling action reset log
policy-map global_policy
 class http_port
  inspect http inbound_http
(As in Task 1, the ACL uses permit so the class map actually selects the traffic. Inside a policy map the subcommand is class, not class-map; a class-map line there would not attach the inspect to the global policy.)
More info for port-misuse (only from code 7.0):
http://www.cisco.com/en/US/customer/docs/security/asa/asa70/command/reference/mr.html#wp1590988
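The two mistakes that are easy to make when copying these tasks (a deny-only ACL behind a class map, which selects no traffic in MPF, and class-map typed where the policy-map subcommand class belongs) can be caught before the change goes live. The following checker is my own added example, not from the post or from Cisco; it parses a constructed ASA config snippet and reports both problems, plus any class referenced by a policy map but never defined.

```python
"""Audit an ASA MPF config for: an L3/L4 class-map whose 'match access-list'
ACL has only deny ACEs (deny exempts traffic, so the class matches nothing),
'class-map' typed inside a policy-map (subcommand is 'class'), and a policy-map
'class' naming an undefined class-map. The sample config is constructed."""
import re
from collections import defaultdict

# Constructed sample: Task 1 with a deny-only ACL and Task 2's class-map typo.
SAMPLE_CONFIG = """\
access-list no_im_traffic extended deny ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list no_p2p_traffic extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
class-map no_im
 match access-list no_im_traffic
class-map type inspect im match-all msn_deny
 match protocol msn-im
policy-map global_policy
 class no_im
  inspect im im_deny
 class-map http_port
  inspect http inbound_http
"""

def audit_mpf(config: str) -> list[str]:
    """Return findings as strings; an empty list means nothing was flagged."""
    acl_actions = defaultdict(set)   # ACL name -> ACE actions seen (permit/deny)
    defined = set()                  # L3/L4 class-map names
    class_acl = {}                   # class-map name -> ACL it matches
    refs = []                        # (policy-map, class) references
    findings = []
    cur_class = cur_policy = None
    for line in config.splitlines():
        text = line.strip()
        if not line.startswith(' '):             # top-level command: new context
            cur_class = cur_policy = None
            if m := re.match(r'access-list (\S+) extended (permit|deny) ', text):
                acl_actions[m[1]].add(m[2])
            elif m := re.match(r'class-map (?!type )(\S+)$', text):
                cur_class = m[1]; defined.add(m[1])
            elif m := re.match(r'policy-map (?!type )(\S+)$', text):
                cur_policy = m[1]
        elif cur_class and (m := re.match(r'match access-list (\S+)$', text)):
            class_acl[cur_class] = m[1]
        elif cur_policy and (m := re.match(r'class (\S+)$', text)):
            refs.append((cur_policy, m[1]))
        elif cur_policy and text.startswith('class-map '):
            findings.append(f"policy-map {cur_policy}: '{text}' is not a policy-map "
                            "subcommand; use 'class <name>' or the inspect is not attached")
    for cls, acl in class_acl.items():
        if 'permit' not in acl_actions[acl]:
            findings.append(f"class-map {cls}: ACL {acl} has no permit ACE, "
                            "so it matches no traffic and its policy never applies")
    for pol, cls in refs:
        if cls not in defined and cls != 'class-default':
            findings.append(f"policy-map {pol}: class {cls} is not a defined class-map")
    return findings

if __name__ == '__main__':
    for finding in audit_mpf(SAMPLE_CONFIG):
        print(finding)
```

Run it against a `show running-config` export before pushing the change; an empty result means the class maps select traffic and every policy-map class resolves.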
Posted on November 17, 2010