  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1810

Block torrent downloads with Cisco Firewall

How can I block *all* torrent traffic with a Cisco 5540 ASA firewall? It is consuming too much bandwidth.
Asked: Seni
2 Solutions
 
MikeKane commented:
 
sudeep_mib commented:
This will lock the bittorrent into the "connecting to peers" step and disallow the client from asking the tracker for a list of peers.

#####################
regex infopeer ".*info_hash.*"
!
class-map altogether
 match port tcp eq www
class-map type regex match-any regcmap
 match regex infopeer
class-map type inspect http match-all inscmap
 match request method get
 match request args regex class regcmap
!
policy-map type inspect http inspol
 parameters
 class inscmap
  drop-connection log
policy-map altogether
 class altogether
  inspect http inspol
!
service-policy altogether interface inside
######################

Alternatively, you can block outbound traffic to TCP ports 2710 and 6969 (destination ports other than 80) and outbound traffic to ephemeral UDP ports. This config also blocks Kazaa and Gator ports.


########################
regex bit-torrent-tracker ".*[Ii][Nn][Ff][Oo]_[Hh][Aa][Ss][Hh]=.*"
!
object-group service BitTorrent-Tracker tcp
 description TCP Ports used by Bit Torrent for tracker communication
 port-object eq 2710
 port-object eq 6969
!
object-group service Blocked-UDP-Ports udp
 description All ports blocked for Bit Torrent UDP DHT (all ephemeral ports except VPN encapsulation)
 port-object range 10001 65535
 port-object range 1024 9999
!
access-list inside-out extended deny tcp any any object-group BitTorrent-Tracker log warnings
access-list inside-out extended deny udp any any object-group Blocked-UDP-Ports log warnings
!
access-list inside-out extended permit tcp any any
access-list inside-out extended permit udp any any
access-list inside-out extended permit icmp any any echo
!
access-group inside-out in interface inside
!
class-map http_traffic
 match port tcp eq www
!
class-map type inspect http match-all bit-torrent-tracker
 description Bit Torrent Tracker communication
 match request args regex bit-torrent-tracker
 match request method get
!
policy-map type inspect http Drop-P2P
 description Drop protocol violations, Kazaa, gator and Bit Torrent Tracker traffic
 parameters
  protocol-violation action drop-connection log
 class _default_gator
  drop-connection log
 class _default_kazaa
  drop-connection log
 class bit-torrent-tracker
  drop-connection log
!
policy-map global_policy
 class http_traffic
  inspect http Drop-P2P
!
service-policy global_policy global

#############################

-Sudeep
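As an added illustration (not part of Sudeep's answer or any Cisco code), the following Python mimics the matching logic of the two posted class-maps and of the inside-out ACL over constructed request lines, so you can see what each rule catches and what it lets through: the first regex is case-sensitive and drops any GET whose query string merely contains info_hash, the second requires info_hash= in any letter case, and the UDP port ranges leave port 10000 open.

```python
import re
from urllib.parse import urlsplit

# Regexes copied from the two posted ASA configs (this harness is constructed, not ASA code).
# First config: case-sensitive, matches "info_hash" anywhere in the request args.
REGEX_INFOPEER = re.compile(r".*info_hash.*")
# Second config: case-insensitive "info_hash=" spelled out with character classes.
REGEX_TRACKER = re.compile(r".*[Ii][Nn][Ff][Oo]_[Hh][Aa][Ss][Hh]=.*")

TRACKER_TCP_PORTS = {2710, 6969}
# Blocked-UDP-Ports: 1024-9999 and 10001-65535 (10000 is left open for VPN encapsulation).
BLOCKED_UDP_RANGES = [(1024, 9999), (10001, 65535)]


def http_inspect_drops(request_line: str, regex: re.Pattern) -> bool:
    """Mimic the match-all class-map: method GET AND request args matching the regex.
    'Request args' here means the query string of the request URI (after '?')."""
    parts = request_line.split()
    if len(parts) != 3:
        return False  # malformed line; the real policy treats this as a protocol violation
    method, target, _version = parts
    args = urlsplit(target).query
    return method == "GET" and regex.fullmatch(args) is not None


def acl_denies(proto: str, dst_port: int) -> bool:
    """Mimic the inside-out ACL: deny tracker TCP ports and the UDP ranges, permit the rest."""
    if proto == "tcp":
        return dst_port in TRACKER_TCP_PORTS
    if proto == "udp":
        return any(lo <= dst_port <= hi for lo, hi in BLOCKED_UDP_RANGES)
    return False


# Constructed sample request lines (not captured traffic).
ANNOUNCE = "GET /announce?info_hash=%AA%BB&peer_id=-XX0001-abc&port=6881 HTTP/1.1"
ANNOUNCE_UPPER = "GET /announce?INFO_HASH=%AA%BB&peer_id=-XX0001-abc HTTP/1.1"
SEARCH = "GET /search?q=what+is+info_hash HTTP/1.1"  # ordinary browsing, not a tracker call

if __name__ == "__main__":
    for name, line in [("announce", ANNOUNCE), ("ANNOUNCE", ANNOUNCE_UPPER), ("search", SEARCH)]:
        print(name, "infopeer:", http_inspect_drops(line, REGEX_INFOPEER),
              "tracker:", http_inspect_drops(line, REGEX_TRACKER))
    for proto, port in [("tcp", 6969), ("tcp", 443), ("udp", 6881), ("udp", 10000)]:
        print(proto, port, "denied:", acl_denies(proto, port))
```

Neither rule sees tracker announces over HTTPS or UDP trackers, so this only covers plain-HTTP tracker traffic on port 80 plus the listed ports.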
 
Seni (Author) commented:
Exactly what I did, and it's working fine now.
