Solved

Blocking Bit Torrent through ASA 5510

Posted on 2013-06-04
8
2,340 Views
Last Modified: 2014-02-05
Hi Experts,

I am running 2 Cisco ASA 5510 in a failover configuration. I want to block all torrent traffic from the ASA. Is this possible? If yes, then how can I do it?

If it's not possible, then I have a software that can kill all Torrent traffic apart from UDP, which I need to block from the ASA. I cannot block port range 1024 to 65536 because there are 40 or 50 UDP ports that are used for business applications. How can I only block UDP ports that are used by torrents?

I am using Software version 8.2 on the ASA.

Thanks.
Question by:abdullahjamali
8 Comments
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39218633
 

Author Comment

by:abdullahjamali
ID: 39218678
Hi Cyclops,

It's not working.

Abdullah.
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39218938
How did you test? Can you do a Wireshark capture of your test? (Start the capture before you open your torrent client and let it run for about a minute or so before you confirm with the display filter.)

Do a display filter of:
udp contains info_hash

If this shows items being matched, on your ASA do the following:
show service-policy flow udp host src.host.ip.addr host dst.host.ip.addr eq dst.port
Fill in the src and dst info with that found in the Wireshark capture.

You may need to modify/add to the class-map in the example in the URL I gave. BitTorrent has changed over the years, so it eludes firewalls pretty well these days. Dedicated application firewalls are the way to go, but even those can be defeated, since BitTorrent supports encryption as well these days.
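To make the capture step concrete, here is an added example (not code from the thread or from Cisco) that applies the same test as the display filter "udp contains info_hash" to raw IPv4/UDP packets and prints the matching flows in the form the "show service-policy flow" command needs. The packets are constructed inline; the payloads are made up, and the addresses and port reuse the values that appear later in this thread.

```python
import struct
from ipaddress import IPv4Address

# Constructed example, not from the thread: parse raw IPv4/UDP packets and
# apply the same test as the Wireshark display filter "udp contains info_hash".


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal IPv4+UDP packet (checksums left at 0) as test input."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip_hdr + udp


def parse_ipv4_udp(packet: bytes):
    """Return (src, dst, sport, dport, payload) for an IPv4/UDP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17 or len(packet) < ihl + 8:   # protocol 17 = UDP
        return None
    src = str(IPv4Address(packet[12:16]))
    dst = str(IPv4Address(packet[16:20]))
    sport, dport, ulen, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    payload = packet[ihl + 8:ihl + max(ulen, 8)]
    return src, dst, sport, dport, payload


def udp_contains(packet: bytes, needle: bytes = b"info_hash") -> bool:
    """Equivalent of the display filter 'udp contains info_hash'."""
    parsed = parse_ipv4_udp(packet)
    return parsed is not None and needle in parsed[4]


def matching_flows(packets):
    """Distinct (src, dst, dport) tuples whose UDP payload carries the needle."""
    flows = []
    for pkt in packets:
        if udp_contains(pkt):
            src, dst, _, dport, _ = parse_ipv4_udp(pkt)
            if (src, dst, dport) not in flows:
                flows.append((src, dst, dport))
    return flows


def asa_flow_command(src: str, dst: str, dport: int) -> str:
    """The 'show service-policy flow' line to run on the ASA for one matched flow."""
    return f"show service-policy flow udp host {src} host {dst} eq {dport}"


# Constructed sample traffic. The payloads are made up here; the addresses and
# destination port reuse the values quoted in this thread.
DHT_GET_PEERS = (b"d1:ad2:id20:" + b"A" * 20 + b"9:info_hash20:" + b"B" * 20
                 + b"e1:q9:get_peers1:t2:aa1:y1:qe")          # bencoded DHT query
SIP_OPTIONS = b"OPTIONS sip:pbx.example.invalid SIP/2.0\r\n\r\n"  # a business UDP app

SAMPLE_PACKETS = [
    build_ipv4_udp("172.16.244.25", "76.26.191.60", 51413, 32709, DHT_GET_PEERS),
    build_ipv4_udp("172.16.244.25", "76.26.191.60", 51413, 32709, DHT_GET_PEERS),
    build_ipv4_udp("172.16.244.30", "10.20.30.40", 5060, 5060, SIP_OPTIONS),
]

if __name__ == "__main__":
    for flow in matching_flows(SAMPLE_PACKETS):
        print(asa_flow_command(*flow))
```

Run it on packets exported from the capture (IP layer only) and each printed line is one flow to check on the ASA; a flow that matches in Wireshark but shows no policy hit on the ASA is the mismatch the expert is looking for.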
 

Author Comment

by:abdullahjamali
ID: 39221730
Hi Cyclops3590,

Please find the capture file attached. I have changed the file extension; after downloading, please change the extension to .pcapng.

Abdullah.
BitTorrent-Wireshark-Capture.zip
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39221743
OK, so that shows the expected results.

Run the following on the ASA:

show service-policy flow udp host 172.16.244.25 host 76.26.191.60 eq 32709

My guess is it doesn't really match anything you've set up. Did you modify the service policy so that it covers UDP as well as TCP when doing the regex search?
 

Author Comment

by:abdullahjamali
ID: 39221846
Hi Cyclops,

I have made all the requested changes, but still it's not working. Please find below the configuration script and make amendments accordingly, and I will reconfigure that on our firewall.

regex infopeer ".*info_hash.*"
 !
 class-map altogether
  match port tcp eq www
 class-map type regex match-any regcmap
  match regex infopeer
 class-map type inspect http match-all inscmap
  match request method get
  match request args regex class regcmap
 !
 policy-map type inspect http inspol
  parameters
  class inscmap
   drop-connection log
 policy-map altogether
  class altogether
   inspect http inspol
 !
 service-policy altogether interface inside
 
Thanks a lot.
 
LVL 25

Accepted Solution

by:
Cyclops3590 earned 400 total points
ID: 39221873
OK, let's not overcomplicate this.

Create the ACL necessary and apply it to the inbound inside interface.

Do the ACEs in the list first that you need to permit.

So it'll be something like this, as you say you need to allow some UDP ports:

1) Create a network object with the list of hosts you need to communicate with via UDP ports.
2) Create a service object with the list of those UDP ports you need to use.
3) Create a service object with the list of those UDP port ranges associated with BT on that URL I gave you.
4) Create the ACL:
permit udp any object-group allowed-hosts object-group udp-ports
deny udp any any object-group bt-ports
permit ip any any

As to IP-related traffic, the only thing that gets blocked is the UDP ports associated with BT, but not any potential ports in those ranges if you're going to hosts that you need to be able to go to.
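The four steps above, as an added worked example that is not the poster's configuration or Cisco's code: it models the three ACEs with object groups, evaluates sample flows first-match with the implicit deny an ASA applies at the end, and renders the equivalent ASA CLI. The host list and business port list are constructed, the business range deliberately overlaps the BitTorrent range to show the point of the ordering, and the BitTorrent range is only a placeholder for the list on the expert's linked page. The object-group/access-list syntax is as I know it from ASA 8.x; verify it against your release.

```python
from ipaddress import ip_address

# Constructed example, not the poster's configuration: model the three-ACE
# list from the accepted answer and show that ACE order decides what survives.

# Object-group contents. These values are made up; the BitTorrent range is a
# placeholder for the port list on the page the expert linked.
ALLOWED_HOSTS = ["10.20.30.40", "10.20.30.41"]
UDP_PORTS = [5060, (6880, 6890)]   # business UDP ports; overlaps the BT range on purpose
BT_PORTS = [(6881, 6889)]          # placeholder BitTorrent UDP range

OBJECT_GROUPS = {
    "allowed-hosts": ALLOWED_HOSTS,
    "udp-ports": UDP_PORTS,
    "bt-ports": BT_PORTS,
}

# (action, protocol, source, destination, destination service group)
ACL = [
    ("permit", "udp", "any", "allowed-hosts", "udp-ports"),
    ("deny", "udp", "any", "any", "bt-ports"),
    ("permit", "ip", "any", "any", None),
]


def port_in_group(port, group):
    """True if port is listed in the service group (single ports or (lo, hi) ranges)."""
    for entry in group:
        lo, hi = entry if isinstance(entry, tuple) else (entry, entry)
        if lo <= port <= hi:
            return True
    return False


def host_in_group(host, group):
    return any(ip_address(host) == ip_address(h) for h in group)


def evaluate(proto, src, dst, dport, acl=ACL):
    """First-match evaluation with the implicit deny at the end, like an ASA ACL."""
    for action, p, s, d, svc in acl:
        if p != "ip" and p != proto:
            continue
        if s != "any" and not host_in_group(src, OBJECT_GROUPS[s]):
            continue
        if d != "any" and not host_in_group(dst, OBJECT_GROUPS[d]):
            continue
        if svc is not None and not port_in_group(dport, OBJECT_GROUPS[svc]):
            continue
        return action
    return "deny"


def render_asa_config(acl_name="inside_in", iface="inside"):
    """Emit the equivalent ASA CLI (ACL and object-group names are assumptions)."""
    lines = ["object-group network allowed-hosts"]
    lines += [f" network-object host {h}" for h in ALLOWED_HOSTS]
    for name in ("udp-ports", "bt-ports"):
        lines.append(f"object-group service {name} udp")
        for entry in OBJECT_GROUPS[name]:
            lines.append(f" port-object range {entry[0]} {entry[1]}" if isinstance(entry, tuple)
                         else f" port-object eq {entry}")
    for action, p, s, d, svc in ACL:
        src = s if s == "any" else f"object-group {s}"
        dst = d if d == "any" else f"object-group {d}"
        svc_txt = "" if svc is None else f" object-group {svc}"
        lines.append(f"access-list {acl_name} extended {action} {p} {src} {dst}{svc_txt}")
    lines.append(f"access-group {acl_name} in interface {iface}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_asa_config())
    # A business host on a port inside the BT range is still reached...
    print(evaluate("udp", "192.168.1.10", "10.20.30.40", 6882))   # permit
    # ...while the same port to an arbitrary host is dropped.
    print(evaluate("udp", "192.168.1.10", "203.0.113.7", 6882))   # deny
```

Swapping the first two ACEs (deny before permit) makes the business flow fail, which is exactly why the answer says to put the permits first. Note that this ACL only cuts the UDP ports in the BT group; a client using a port outside that range, or TCP, is still passed by the final "permit ip any any", which is the trade-off the answer accepts.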
 

Author Comment

by:abdullahjamali
ID: 39835175
I've requested that this question be closed as follows:

Accepted answer: 0 points for abdullahjamali's comment #a39221846

for the following reason:

Expert reply, solved the query