Solved

ASA5510 - Block AIM on one vlan/network

Posted on 2010-09-15
4
859 Views
Last Modified: 2012-05-10
Hello,

I have an ASA5510 with ssm-10. I need to block AIM on one of my vlans/networks.

I found this example:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c38a6.shtml#config2

How do I modify this to only block AIM traffic on one vlan or network.

Two networks: 10.1.103.0 /24 and 10.1.104.0 /24.

Thanks!
0
Comment
Question by:DAgent
  • 2
4 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 33686525
Honestly, I didn't think people still used AIM....   but I digress.

IIRC AIM uses TCP/UCP 5190 to 5193   so we just need to create an access list to block those ports and you should be good....  

access-list inside-out deny tcp 10.1.103.0 255.255.255.0 any eq 5190
access-list inside-out deny tcp 10.1.103.0 255.255.255.0 any eq 5191
access-list inside-out deny tcp 10.1.103.0 255.255.255.0 any eq 5192
access-list inside-out deny tcp 10.1.103.0 255.255.255.0 any eq 5193
access-list inside-out deny ucp 10.1.103.0 255.255.255.0 any eq 5190
access-list inside-out deny ucp 10.1.103.0 255.255.255.0 any eq 5191
access-list inside-out deny ucp 10.1.103.0 255.255.255.0 any eq 5192
access-list inside-out deny ucp 10.1.103.0 255.255.255.0 any eq 5193
access-list inside-out permit ip any any
access-group inside-out in interface inside

That will block the 10.1.103.0 network from communicating outbound on the AIM ports.
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 33686529
Oops>
IIRC AIM uses TCP/UCP 5190 to 5193
should be
IIRC AIM uses TCP/UDP 5190 to 5193
0
 

Expert Comment

by:snfink
ID: 33773915
I would take it a step further and block the login servers outright, or if that vlan doesn't need access to AOL a better solution would be to block the entire ip range of 205.188.0.0 - 205.188.255.255 which belongs to AOL. Blocking the ports can work well if they have no access If they have access, they can get in and change the port number that AIM connects on. AIM itself will port hop until it finds one it can connect on. I've seen it running on both ports 21 and 23 for instance. Also, blocking the login servers or the ip range will also block them from using the web version of Aim.

login servers are
login.oscar.aol.com (64.12.202.116)
login.oscar.aol.com:443 (64.12.202.116)
toc.oscar.aol.com (64.12.202.14)
aimexpress.aim.com (207.200.74.38)

So you can do something like

object-group network AOL
 description Block AOL and AIM
 network-object host 64.12.202.116
 network-object host 207.200.74.38
 network-object host 205.188.0.0

this creates a group name that is associated with the ip's listed, and then you can just block the group name to keep your rules nice and tidy on the 5510.

Depending on the network/vlan name you can just add it via the CLI or the ASDM.

CLI command would look something like this

access-list (VLAN NAME)-IN extended deny tcp 10.1.103.0 255.255.255.0 object-group AOL log critical
0
 
LVL 1

Accepted Solution

by:
DAgent earned 0 total points
ID: 33916091
I used this so I can block by URL:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

This way I can web sites and chat programs in one location.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

825 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question