• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1363
  • Last Modified:

Blocking MSN / YAHOO on ASA5510

Hello Experts.

I have been searching on EE and have also found several topics regarding my problem.
Here is a list of the cases I have already come across which also have my exact same problem.
http://www.experts-exchange.com/Hardware/Networking_Hardware/Firewalls/Q_23707192.html?sfQueryTermInfo=1+10+asa+block+cisco+msn

http://www.experts-exchange.com/Hardware/Networking_Hardware/Firewalls/Q_23795263.html?sfQueryTermInfo=1+10+asa+block+cisco+msn

But as in the first link, I am still able to sign in to MSN and Yahoo and send messages.
I am not sure if it might be because the ASA is running version 8.0.3(6).

I also attach a dump of the current configuration of my service policy. I have been trying out different things and adding additional statements in the hope that it would start triggering on MSN and Yahoo, but without luck.
I also added the ACLs for the INSIDE interface, where I am already trying to sort out most of the traffic.
The inspection of Kazaa and Gator works, though: I am unable to connect with those P2P apps.
With the command
"show service-policy"
I see that traffic for P2P gets inspected and also dropped, but the IM inspection only counts inspects, not drops.

Hopefully somebody is able to help on this topic; I am not sure if downgrading to ASA version 7.2 would solve the problem.

Kind Regards and thanks in advance
Alex
object-group service GVM_BASIC_INTERNET tcp-udp
 port-object eq 20
 port-object eq 21
 port-object eq 22
 port-object eq 23
 port-object eq 25
 port-object eq 37
 port-object eq domain
 port-object eq www
 port-object eq 110
 port-object eq 123
 port-object eq 443
 port-object eq 445
 port-object eq 554
 port-object eq 989
 port-object eq 990
 port-object eq 992
 port-object eq 995
 
access-list ACL_INS extended permit icmp any any
access-list ACL_INS extended permit ip object-group GVM_ADMIN_CLIENTS any
access-list ACL_INS extended permit tcp object-group GVM_NETWORKS_CLIENT any object-group GVM_BASIC_INTERNET
access-list ACL_INS extended permit udp object-group GVM_NETWORKS_CLIENT any object-group GVM_BASIC_INTERNET
access-list ACL_INS extended deny ip object-group GVM_NETWORKS_CLIENT any
 
 
access-list ADMIN_CLIENTS extended deny ip object-group GVM_ADMIN_CLIENTS any
access-list ADMIN_CLIENTS extended permit ip any any
 
 
class-map IM_INSPECTION
 match access-list ADMIN_CLIENTS
class-map type inspect im match-all IM-TRAFFIC
 match protocol msn-im yahoo-im
class-map inspection_default
 match default-inspection-traffic
class-map P2P_INSPECTION
 match access-list ADMIN_CLIENTS
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect im IM-POLICY
 parameters
 class IM-TRAFFIC
  drop-connection log
 match protocol msn-im yahoo-im
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect pptp
  inspect im IM-POLICY
policy-map type inspect http P2P_HTTP
 parameters
 match request uri regex _default_gator
  drop-connection log
 match request uri regex _default_x-kazaa-network
  drop-connection log
 match request uri regex _default_msn-messenger
  drop-connection log
policy-map IM_P2P
 class IM_INSPECTION
  inspect im IM-POLICY
 class P2P_INSPECTION
  inspect http P2P_HTTP
!
service-policy global_policy global
service-policy IM_P2P interface outside
service-policy IM_P2P interface inside

Asked by: steffeninf
 
asavenerCommented:
Are you trying to block the websites, webmail, instant messaging?
 
steffeninfAuthor Commented:
Hello asavener.

I am trying to block the Yahoo Messenger and MSN Messenger.
 
asavenerCommented:
steffeninfAuthor Commented:
Hello asavener.

Yep, that's the same config example I tried as well.
I have been implementing the exact same config, except I have changed the "custom" values all to capital letters, but that was all.
But still I am able to sign in with my MSN Messenger and see who's online.

Thanks for your help so far
 
asavenerCommented:
The configuration example given on the Cisco site is much simpler than what you have posted here.  Have you tried their example, and then tried modifying it to suit your needs?
 
steffeninfAuthor Commented:
Hello asavener.

Yes, I have tried the Cisco example and just changed the "custom" names; since this didn't work I tried adding drop-connection statements as service.
I also added the regex values for MSN, Yahoo and AIM in the P2P http policy-map
because I thought maybe it would start triggering with those settings enabled.

Thanks again for your help.
greetings
Alex
 
e3userCommented:
Try this:

class-map imblock
 match any

class-map P2P
 match port tcp eq www

policy-map type inspect im impolicy
 parameters
 match protocol msn-im yahoo-im
  drop-connection

policy-map type inspect http P2P_HTTP
 parameters
 match request uri regex _default_gator
  drop-connection log
 match request uri regex _default_x-kazaa-network
  drop-connection log

policy-map IM_P2P
 class imblock
  inspect im impolicy
 class P2P
  inspect http P2P_HTTP  

service-policy IM_P2P interface inside

hope this helps
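
To see how the two service-policy variants in this thread, the one in the question and e3user's `match any` version, treat a messenger session, here is an added example (not code from the thread, and not Cisco's). It is a small Python checker that parses the posted object-group, ACL, class-map, policy-map and service-policy lines and answers two questions for a client on the inside interface: does ACL_INS let the messenger's native port out at all, and does an `inspect im` action apply to that flow. Two things are assumptions rather than facts from the thread: the native ports 1863 (MSN) and 5050 (Yahoo), and the contents of the network object-groups, which are not posted, so a client is described by the group names it belongs to.

```python
"""Toy checker for the ASA snippets in this thread (added example, not code from the thread): it parses
just enough ASA CLI to tell, for a client and TCP destination port, whether the inside ACL lets the flow
out at all and whether an `inspect im` action applies. Object-group membership is passed in by name."""
from collections import defaultdict

PORT_NAMES = {"www": 80}
# Assumed native ports of the two messengers; the thread does not state them.
IM_PORTS = {"msn-im": 1863, "yahoo-im": 5050}

def _endpoint(t, i):          # (name, next index) for `any` or `object-group NAME` at t[i]
    return (t[i + 1], i + 2) if t[i] == "object-group" else (t[i], i + 1)

def parse(text):
    cfg = {"ports": defaultdict(set), "acls": defaultdict(list), "classes": {},
           "policies": defaultdict(list), "service_policy": defaultdict(list)}
    ctx = cur_class = None
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if not line.startswith(" "):              # top-level statement opens a new context
            ctx = None
            if t[0] == "object-group" and t[1] == "service":
                ctx = ("ports", t[2])
            elif t[0] == "access-list":           # NAME extended ACTION PROTO SRC DST [object-group PORTS]
                src, i = _endpoint(t, 5)
                dst, i = _endpoint(t, i)
                pgrp = t[i + 1] if i < len(t) and t[i] == "object-group" else None
                cfg["acls"][t[1]].append((t[3], t[4], src, dst, pgrp))
            elif t[0] in ("class-map", "policy-map") and t[1] != "type":
                ctx = ("classes" if t[0] == "class-map" else "policies", t[1])
            elif t[0] == "service-policy":
                cfg["service_policy"][t[3] if t[2] == "interface" else "global"].append(t[1])
        elif ctx and ctx[0] == "ports" and t[0] == "port-object":
            cfg["ports"][ctx[1]].add(int(t[2]) if t[2].isdigit() else PORT_NAMES[t[2]])
        elif ctx and ctx[0] == "classes" and t[0] == "match":
            # `match any` / `match access-list NAME`; other match types are kept but never match below
            cfg["classes"][ctx[1]] = (t[1], t[2] if t[1] == "access-list" else None)
        elif ctx and ctx[0] == "policies" and t[0] == "class":
            cur_class = t[1]
        elif ctx and ctx[0] == "policies" and t[0] == "inspect":
            cfg["policies"][ctx[1]].append((cur_class, t[1]))
    return cfg

def acl_permits(cfg, acl, proto, client_groups, dport):
    """First-match evaluation with the implicit deny at the end; only `any` destinations are modelled."""
    for action, aproto, src, dst, pgrp in cfg["acls"][acl]:
        if aproto not in ("ip", proto) or dst != "any":
            continue
        if src != "any" and src not in client_groups:
            continue
        if pgrp is not None and dport not in cfg["ports"][pgrp]:
            continue
        return action == "permit"
    return False

def inspections_for(cfg, iface, client_groups, dport):
    """Inspect engines whose class matches a TCP flow from the client entering `iface`."""
    engines = set()
    for pmap in cfg["service_policy"][iface] + cfg["service_policy"]["global"]:
        for cmap, engine in cfg["policies"][pmap]:
            kind, arg = cfg["classes"].get(cmap, (None, None))
            if kind == "any" or (kind == "access-list" and acl_permits(cfg, arg, "tcp", client_groups, dport)):
                engines.add(engine)
    return engines

def im_check(cfg, iface, client_groups, acl="ACL_INS"):
    """Per messenger: (ACL permits its native port?, `inspect im` applied to that flow?)."""
    return {p: (acl_permits(cfg, acl, "tcp", client_groups, port),
                "im" in inspections_for(cfg, iface, client_groups, port))
            for p, port in IM_PORTS.items()}

# Constructed from the thread: the shared ACLs, plus the policy attachment both variants use.
ACL_PART = """\
object-group service GVM_BASIC_INTERNET tcp-udp
 port-object eq www
 port-object eq 443
access-list ACL_INS extended permit ip object-group GVM_ADMIN_CLIENTS any
access-list ACL_INS extended permit tcp object-group GVM_NETWORKS_CLIENT any object-group GVM_BASIC_INTERNET
access-list ACL_INS extended deny ip object-group GVM_NETWORKS_CLIENT any
access-list ADMIN_CLIENTS extended deny ip object-group GVM_ADMIN_CLIENTS any
access-list ADMIN_CLIENTS extended permit ip any any
"""
POLICY = """\
policy-map IM_P2P
 class {cmap}
  inspect im IM-POLICY
service-policy IM_P2P interface inside
"""
# The question's class (non-admins only, via the ADMIN_CLIENTS ACL) versus e3user's `match any`.
ORIGINAL = parse(ACL_PART + "class-map IM_INSPECTION\n match access-list ADMIN_CLIENTS\n" + POLICY.format(cmap="IM_INSPECTION"))
PROPOSED = parse(ACL_PART + "class-map imblock\n match any\n" + POLICY.format(cmap="imblock"))

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("e3user", PROPOSED)):
        print(label, {g: im_check(cfg, "inside", {g}) for g in ("GVM_NETWORKS_CLIENT", "GVM_ADMIN_CLIENTS")})
```

With the question's configuration, a GVM_NETWORKS_CLIENT host never gets a native-port session past ACL_INS (only the GVM_BASIC_INTERNET ports are permitted), so nothing on those ports can reach the IM engine to be dropped, while its port 80 and 443 sessions are permitted and do fall under the `inspect im` class; a GVM_ADMIN_CLIENTS host is permitted everything but is excluded from IM inspection by the ADMIN_CLIENTS ACL. e3user's `match any` class removes that exclusion but changes nothing about the ACL. What a messenger does once its native port is closed is client behaviour the thread does not settle; the one certain limit is that the `_default_msn-messenger` regex in the HTTP policy can only apply to plain HTTP on port 80, since `inspect http` does not see inside TLS sessions on 443.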
