Solved

Blocking Bit Torrent through ASA 5510

Posted on 2013-06-04
Last Modified: 2014-02-05
Hi Experts,

I am running 2 Cisco ASA 5510 in a failover configuration. I want to block all torrent traffic from the ASA. Is this possible? If yes, then how can I do it?

If it's not possible, then I have a software that can kill all torrent traffic apart from UDP, which I need to block from the ASA. I cannot block port range 1024 to 65536 because there are 40 or 50 UDP ports that are used for business applications. How can I only block UDP ports that are used by torrents?

I am using software version 8.2 on the ASA.

Thanks.
Question by:abdullahjamali
8 Comments

Expert Comment

by:Cyclops3590
ID: 39218633

Author Comment

by:abdullahjamali
ID: 39218678
Hi Cyclops,

Its not working.

Abdullah.

Expert Comment

by:Cyclops3590
ID: 39218938
How did you test? Can you do a Wireshark capture of your test? (Start the capture before you open your torrent client and let it run for about a minute or so before you confirm with the display filter.)

Use a display filter of:
udp contains info_hash

If this shows items being matched, on your ASA do the following:
show service-policy flow udp host src.host.ip.addr host dst.host.ip.addr eq dst.port
Fill in the src and dst info with that found in the Wireshark capture.

You may need to modify/add to the class-map in the example in the URL I gave. BitTorrent has changed over the years, so it eludes firewalls pretty well these days. Dedicated application firewalls are the way to go, but even those can be defeated because BitTorrent supports encryption as well these days.

Author Comment

by:abdullahjamali
ID: 39221730
Hi Cyclops3590,

Please find the capture file attached. I have changed the file extension; after downloading, please change the extension to .pcapng.

Abdullah.
BitTorrent-Wireshark-Capture.zip

Expert Comment

by:Cyclops3590
ID: 39221743
OK, so that shows the expected results.

Run the following on the ASA:

show service-policy flow udp host 172.16.244.25 host 76.26.191.60 eq 32709

My guess is it doesn't really match anything you've set up. Did you modify the service policy so that it covers UDP as well as TCP when doing the regex search?
Author Comment

by:abdullahjamali
ID: 39221846
Hi Cyclops,

I have made all the requested changes but it's still not working. Please find below the configuration script, make amendments accordingly, and I will reconfigure that on our firewall.

regex infopeer ".*info_hash.*"
!
class-map altogether
 match port tcp eq www
class-map type regex match-any regcmap
 match regex infopeer
class-map type inspect http match-all inscmap
 match request method get
 match request args regex class regcmap
!
policy-map type inspect http inspol
 parameters
 class inscmap
  drop-connection log
policy-map altogether
 class altogether
  inspect http inspol
!
service-policy altogether interface inside

Thanks a lot.

Accepted Solution

by:Cyclops3590 (earned 1200 total points)
ID: 39221873
OK, let's not overcomplicate this.

Create the necessary ACL and apply it inbound on the inside interface.

Put the ACEs you need to permit first in the list.

So it'll be something like this, as you say you need to allow some UDP ports:

1) Create a network object-group with the list of hosts you need to communicate with via UDP ports.
2) Create a service object-group with the list of those UDP ports you need to use.
3) Create a service object-group with the list of those UDP port ranges associated with BT on that URL I gave you.
4) Create the ACL:
permit udp any object-group allowed-hosts object-group udp-ports
deny udp any any object-group bt-ports
permit ip any any

As to IP-related traffic, the only thing that gets blocked is the UDP ports associated with BT, but not any potential ports in those ranges if you're going to hosts that you need to be able to reach.
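The four steps above written out as an ASA 8.2 configuration, added here as an illustration and not taken from the accepted answer or from the asker's firewall. The host addresses (10.0.0.10, 10.0.0.11), the "business" UDP ports (5060, 4500, 16384-32767), the object-group and ACL names, and the BitTorrent range 6881-6999 are all assumptions: the URL with the expert's actual BT port list is not on this page, so substitute the ranges it gives.

```cisco
! --- Step 1: hosts that must stay reachable over UDP (assumed addresses) ---
object-group network allowed-udp-hosts
 network-object host 10.0.0.10
 network-object host 10.0.0.11
!
! --- Step 2: UDP ports used by business applications (assumed values) ---
object-group service allowed-udp-ports udp
 port-object eq 5060
 port-object eq 4500
 port-object range 16384 32767
!
! --- Step 3: UDP ports associated with BitTorrent (assumed range; use the
!     list from the expert's URL) ---
object-group service bt-udp-ports udp
 port-object range 6881 6999
!
! --- Step 4: ACL, most specific permits first, then the BT deny, then the
!     catch-all permit. The catch-all matters: once any access-group is
!     bound to the inside interface the implicit "deny ip any any" at the
!     end of the ACL would otherwise drop everything not listed above it.
access-list inside_in extended permit udp any object-group allowed-udp-hosts object-group allowed-udp-ports
access-list inside_in extended deny udp any any object-group bt-udp-ports log
access-list inside_in extended permit ip any any
!
! Bind it inbound on the inside interface. If an access-group is already
! applied there, this replaces it, so merge the existing ACEs in first.
access-group inside_in in interface inside
!
! --- Checks ---
! Hit counts per ACE; the deny line should start counting once a client
! is running:
show access-list inside_in
!
! Simulate a flow through the ACL without sending traffic (assumed
! source/destination addresses):
packet-tracer input inside udp 10.0.0.50 40000 203.0.113.10 6881
packet-tracer input inside udp 10.0.0.10 40000 203.0.113.10 5060
```

Two caveats a practitioner would want. The ACL is consulted when a connection is created, so sessions that already exist in the connection table keep flowing until they time out or are cleared (`clear conn` on the relevant addresses). And, as the expert notes above, this only stops peers reached on the listed destination ports: a client using a randomised port, TCP peers, or encrypted transport will not match, so treat the deny as a noise reduction rather than a complete block and keep the log keyword on it so the hits are visible in syslog.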

Author Comment

by:abdullahjamali
ID: 39835175
I've requested that this question be closed as follows:

Accepted answer: 0 points for abdullahjamali's comment #a39221846

for the following reason:

Expert reply, solved the query