01-27-2007 11:56 PM - edited 03-11-2019 02:25 AM
hi all,
I need to do the following:
nat (inside) 1 0 0
global (outside) 1 interface
access-list External permit icmp any any echo-reply
access-list External deny ip any any log
access-list Internal permit tcp any any eq 23
access-list Internal permit tcp any any eq 80
access-list Internal permit udp any any eq 53
access-group External in interface outside
access-group Internal in interface inside
Problem is that users on the inside use AOL Instant Messaging via port 23 and I would like to block them from using AOL IM on port 23, but I also would like to allow legitimate telnet to go through. I do NOT want to block the AOL IM destination server in the ACL. I want the Pix to be smart enough to accomplish this via application inspection.
I can do this rather easily with Checkpoint SmartDefense, which is built in with the Checkpoint firewall. I am migrating over to Cisco Pix and I would like to do the same thing.
Any ideas on how to do this? Thanks.
David
01-27-2007 11:56 PM
I want EVERYONE from the Internal to be able to telnet out to anywhere on the Internet with the regular telnet application. I do NOT want them to masquerade port 23 with the AOL IM application.
With Checkpoint SmartDefense, I can accomplish this task in less than 10 seconds. I just don't know how to do this with Cisco.
David
02-04-2007 08:11 AM
I'm glad the checkpoint can do this in 10 seconds. I can do it on the PIX/ASA in 9 :-) Can you please let me know what version of sw your PIX is running? The solution depends on the version.
Bryan
02-04-2007 08:17 AM
hi,
I am running version 7.2(2).
02-05-2007 07:51 AM
Ok, here we go. This is going to be done using ASDM.
Step 1: Launch ASDM
Step 2: Click on the Configuration button at the top of the page
Step 3: Click on the Security Policy button on the left.
Step 4: Click on the Service Policy Rules Tab
Step 5: If you don't have a Service Policy already, create one by clicking on the green plus sign next to the word Add. If you do already have a Service Policy, select the class (it should now be highlighted in blue), then click the green plus sign next to the word Add.
Step 6: Choose the Second Radio button - Global - applies to all interfaces, then click next
Step 7: Leave Create a new traffic class selected and put a check mark next to Default Inspection Traffic under Traffic match criteria and click next
Step 8: Select http and click next
Step 9: Select HTTP and click the configure button directly to the right of HTTP
Step 10: Select the 'Select a HTTP inspect map for fine control over inspection' radio button, then click on the Add button that is now activated
Step 11: On this screen, Give this new class a name. Then click the URI Filtering... button on the bottom right of the page
Step 12: click on Add
Step 13: In the drop down menu for regular Expression, select _default_aim-messenger
Step 14: Click ok
Step 15: Click ok
Step 16: Click ok
Step 17: Click ok
Step 18: Click finish
Step 19: Click Apply
This will set up your ASA to look for and block AIM. I know this might seem like a lot of steps, but like every GUI, once you get used to it, it really takes no time at all.
Bryan
02-05-2007 08:36 AM
Bryan,
1) does it apply to both Pix and ASA or only ASA?
2) did you test it, and were you able to block AOL Instant Messaging from traversing port 23?
It seems to me that your instructions have to do with blocking AOL IM via the http port and not port 23.
Regards,
David
02-05-2007 09:11 AM
Bryan,
I tried what you suggested and I still can use AOL IM over port 23. The solution you provided is for using AOL IM over http (aka port 80). I am trying to block it over port 23.
anymore ideas?
02-05-2007 09:12 AM
1) This works on any platform running 7.2(2)
2) Have not tested with AIM on port 23 (forgot you mentioned that). To make sure that this catches AIM on all ports, please check match any instead of match default inspection traffic in step 7 of my instructions.
This should scan all ports for AIM.
Bryan
02-05-2007 11:58 AM
Bryan,
The problem with this configuration is that not only does it drop my AOL IM over port 23, but it also drops the legitimate telnet application over port 23. Worse, it also drops my ssh as well.
Any more ideas?
David
02-05-2007 12:09 PM
Wow, that was unexpected. Obviously, that's not how this regex is supposed to work. I find it strange that it would drop ssh. SSH is encrypted, so you can't read anything to block it anyway. That's why attacks using ssh are almost impossible to stop. Does your config look like this:
class-map global-class
match any
!
!
policy-map type inspect http AIM
parameters
protocol-violation action drop-connection
match request uri regex _default_aim-messenger
drop-connection log
policy-map global-policy
class global-class
inspect http AIM
!
service-policy global-policy global
If you have a similar set-up and are still unable to block AIM, then I'm out of ideas. I really don't understand how telnet and ssh would be blocked by the ASA because of this regex, though. Do the blocks show up in your log as being blocked by your service-policy?
Bryan
02-06-2007 11:51 AM
I just started playing around with these settings myself and I must say, pretty impressive. They are a little less intuitive than they could be.
try the following..it worked for me:
1) Create a new HTTP inspect map.
click on 'inspect maps' then 'http'. Enter a name and description. click 'customize' and uncheck 'check for protocol violations'. click 'ok'. click 'URL filtering' then 'add' and select the provided _default_aim-messenger regex and click 'ok'. click 'ok' again. click 'add'. click 'apply'.
2) enable the new HTTP inspection on tcp port 23.
click on 'security policy'->'add'. click 'Next'. check 'tcp or udp destination port' and click next. select 'telnet' as the service and click next. check 'http' and click 'configure'. select the HTTP inspect map you just created from the list and click 'ok'. click 'finish'.
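The two configs discussed in this thread differ in exactly one thing: whether the HTTP inspect map keeps `protocol-violation action drop-connection`. The following is an added example written for this page, not the ASA's own inspection engine and not anything the posters ran. It is a constructed Python model of that policy on a TCP/23 class: it classifies the first client bytes of a flow (telnet IAC negotiation, an SSH banner, or an HTTP request line), applies the `_default_aim-messenger` regex to the request-URI the way the later post describes it (a case-insensitive search for `http.proxy.icq.com`), and shows why the strict map kills telnet and ssh while the relaxed one only drops HTTP with the string in the URI. The sample payloads are constructed, not captured traffic, and the assumption that the ASA regex dot has the same any-character meaning as Python's is noted in the code.

```python
import re

# Constructed model of the ASA 7.2 "inspect http" policy the thread builds.
# This is NOT the ASA's inspection engine; it only reproduces enough of the
# logic to show why the two variants behave as the posters report.

# _default_aim-messenger is described in the thread as a case-insensitive
# search for "http.proxy.icq.com". The unescaped dots are kept on purpose,
# so each one matches any single character (assumption: the ASA regex
# engine treats "." the same way Python does).
AIM_MESSENGER_RE = re.compile(r"http.proxy.icq.com", re.IGNORECASE)

TELNET_IAC = 0xFF  # telnet option negotiation begins with IAC (0xFF)
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")


def classify(payload: bytes) -> str:
    """Rough protocol guess from the first client bytes of a TCP/23 flow."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload and payload[0] == TELNET_IAC:
        return "telnet"
    if payload.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def request_uri(payload: bytes) -> str:
    """Return the request-URI from an HTTP request line, or '' if malformed."""
    first_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = first_line.split(" ")
    return parts[1] if len(parts) >= 3 else ""


def inspect_http(payload: bytes, drop_on_protocol_violation: bool) -> str:
    """Verdict for one flow under 'inspect http' with the URI regex attached.

    drop_on_protocol_violation=True models
        parameters / protocol-violation action drop-connection
    (what the first ASDM walkthrough produced); False models the map after
    'check for protocol violations' has been unchecked, as in the later post.
    """
    if classify(payload) != "http":
        # Not HTTP at all. To the HTTP engine that is a protocol violation,
        # so with the drop action every telnet or SSH flow on port 23 dies here.
        return "drop" if drop_on_protocol_violation else "pass"
    if AIM_MESSENGER_RE.search(request_uri(payload)):
        return "drop"  # match request uri regex _default_aim-messenger / drop-connection
    return "pass"


# Constructed sample first-packets for TCP/23 flows (not captured traffic).
SAMPLE_FLOWS = {
    "telnet_negotiation": b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23",
    "ssh_banner":         b"SSH-2.0-OpenSSH_4.3\r\n",
    "http_root":          b"GET / HTTP/1.1\r\nHost: www.server.com:23\r\n\r\n",
    "http_aim_uri":       b"GET /http.proxy.icq.com HTTP/1.1\r\nHost: www.server.com:23\r\n\r\n",
    "http_aim_uri_upper": b"GET /HTTP.PROXY.ICQ.COM/ HTTP/1.0\r\n\r\n",
    # The string sits in a header, not in the URI: a URI-only filter misses it.
    "http_aim_in_host":   b"GET / HTTP/1.1\r\nHost: http.proxy.icq.com\r\n\r\n",
}


def run_policy(drop_on_protocol_violation: bool) -> dict:
    """Apply the modelled policy to every sample flow; returns name -> verdict."""
    return {name: inspect_http(p, drop_on_protocol_violation)
            for name, p in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for strict in (True, False):
        print(f"protocol-violation drop = {strict}")
        for name, verdict in run_policy(strict).items():
            print(f"  {name:20s} {verdict}")
```

Running it prints the verdict table for both variants. The strict variant drops the telnet and SSH flows along with the AIM-looking request, which is the symptom reported two posts above; the relaxed variant passes them and only drops HTTP whose request-URI matches the regex. The last sample flow is the caveat for the URI-filter approach: the same string in a Host header is not a URI match, so whether the filter fires depends on where the client actually puts it, which is why the later posts ask for a trace of the real client.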
02-06-2007 06:33 PM
class-map global-class
match port tcp eq telnet
!
!
policy-map type inspect http test
parameters
match request uri regex _default_aim-messenger
drop-connection log
policy-map global-policy
class global-class
inspect http test
!
service-policy global-policy global
It didn't work for me. I can still use AOL IM on telnet port. Can you post your config? I am running version 7.2(2). Thanks.
David
02-07-2007 07:12 AM
I tested that specific regex using a browser, not the actual AOL IM client, and it worked. The "_default_aim-messenger" regex does a case insensitive search for "http.proxy.icq.com". Do you know if that is correct? I would recommend getting a trace of the client and looking for that specific string in the URL.
I fired up an apache server on tcp port 23. When I connected with just http://www.server.com:23, the default page came up. When I connected with
http://www.server.com:23/http.proxy.icq.com I got a "page cannot be displayed" error. The request timed out and wasn't reset. It would be better if the Pix sent a reset, which is an option when configuring the inspection. I know it worked though because here is the log entry:
5 Feb 07 2007 09:05:49 415006
I would guess that the default regex is not correct, or at least not when used as a URL filter(i.e. regex matches somewhere else in HTTP request). Get that trace and find out if/where http.proxy.icq.com shows up.
02-07-2007 08:31 AM
FWIW, I just fired up AOL 6.0 --you owe me big for installing this crap;-)
Nowhere during the login process did I see "http.proxy.icq.com". I suspect that regex is no longer correct. Is this person using an external http proxy running on port 23 or what?
In any event, AIM V6 appears to use HTTPS for authentication. You probably will have to use an ACL or proxy-based URL filtering to block that. Another alternative is to block the DNS lookups that occur. This probably won't work if the user is using an http proxy and not doing direct DNS lookups (get a trace!). I created a custom DNS inspection map that blocks the domain name kdc.uas.aol.com. The standard AIM V6 client no longer works.
4 Feb 07 2007 10:28:34 410003
02-07-2007 09:35 AM
1) I am using AOL IM version 6.0. I am NOT using any external http proxy, just straightforward port 23.
Are you sure that it uses https for authentication? When I run tcpdump on my Checkpoint firewall, I did NOT see any https, I only see port 23 and DNS udp port 53.
What you suggested will work, but I do not want to do that. It seems to me that the Pix firewall does not do "deep inspection" the way the Checkpoint firewall does. As I've stated earlier, I can do this with Checkpoint in 10 seconds. I don't want to deal with blocking DNS because "smart" users know how to bypass this security and hard-code the IP address into the AOL client (a few registry changes is all it takes).
Thanks again for taking the time to go through this exercise with me.
David
CCIE Security