ASA5510 - Block AIM on one vlan/network

Hello,

I have an ASA5510 with ssm-10. I need to block AIM on one of my vlans/networks.

I found this example:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c38a6.shtml#config2

How do I modify this to only block AIM traffic on one vlan or network.

Two networks: 10.1.103.0 /24 and 10.1.104.0 /24.

Thanks!
LVL 1
DAgentAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
DAgentConnect With a Mentor Author Commented:
I used this so I can block by URL:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

This way I can web sites and chat programs in one location.
0
 
MikeKaneCommented:
Honestly, I didn't think people still used AIM....   but I digress.

IIRC AIM uses TCP/UCP 5190 to 5193   so we just need to create an access list to block those ports and you should be good....  

access-list inside-out deny tcp 10.1.103.0 255.255.255.0 any eq 5190
access-list inside-out deny tcp 10.1.103.0 255.255.255.0 any eq 5191
access-list inside-out deny tcp 10.1.103.0 255.255.255.0 any eq 5192
access-list inside-out deny tcp 10.1.103.0 255.255.255.0 any eq 5193
access-list inside-out deny ucp 10.1.103.0 255.255.255.0 any eq 5190
access-list inside-out deny ucp 10.1.103.0 255.255.255.0 any eq 5191
access-list inside-out deny ucp 10.1.103.0 255.255.255.0 any eq 5192
access-list inside-out deny ucp 10.1.103.0 255.255.255.0 any eq 5193
access-list inside-out permit ip any any
access-group inside-out in interface inside

That will block the 10.1.103.0 network from communicating outbound on the AIM ports.
0
 
MikeKaneCommented:
Oops>
IIRC AIM uses TCP/UCP 5190 to 5193
should be
IIRC AIM uses TCP/UDP 5190 to 5193
0
 
snfinkCommented:
I would take it a step further and block the login servers outright, or if that vlan doesn't need access to AOL a better solution would be to block the entire ip range of 205.188.0.0 - 205.188.255.255 which belongs to AOL. Blocking the ports can work well if they have no access If they have access, they can get in and change the port number that AIM connects on. AIM itself will port hop until it finds one it can connect on. I've seen it running on both ports 21 and 23 for instance. Also, blocking the login servers or the ip range will also block them from using the web version of Aim.

login servers are
login.oscar.aol.com (64.12.202.116)
login.oscar.aol.com:443 (64.12.202.116)
toc.oscar.aol.com (64.12.202.14)
aimexpress.aim.com (207.200.74.38)

So you can do something like

object-group network AOL
 description Block AOL and AIM
 network-object host 64.12.202.116
 network-object host 207.200.74.38
 network-object host 205.188.0.0

this creates a group name that is associated with the ip's listed, and then you can just block the group name to keep your rules nice and tidy on the 5510.

Depending on the network/vlan name you can just add it via the CLI or the ASDM.

CLI command would look something like this

access-list (VLAN NAME)-IN extended deny tcp 10.1.103.0 255.255.255.0 object-group AOL log critical
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.