blocking AOL instant messenger using telnet port with Cisco Pix 7.x

Unanswered Question
Feb 23rd, 2007

According to Bryan from Cisco Systems TAC:

Step 1: Launch ASDM

Step 2: Click on the Configuration button at the top of the page

Step 3: Click on the Security Policy button on the left.

Step 4: Click on the Service Policy Rules Tab

Step 5: If you don't have a Service Policy already, create one by clicking on the green plus sign next to the word Add.

If you do already have a Service Policy, select the class (it should now be highlighted in blue), then click the green plus sign next to the word Add.

Step 6: Choose the second radio button - Global - applies to all interfaces, then click Next.

I named the Policy Name block_AIM_via_telnet.

Step 7: Leave Create a new traffic class selected and put a check mark next to Default Inspection Traffic under Traffic match criteria and click next

Step 8: Select http and click next

Step 9: Select HTTP and click the configure button directly to the right of HTTP

Step 10: Select the 'Select an HTTP inspect map for fine control over inspection' radio button, then click on the Add button that is now activated.

Step 11: On this screen, give this new class a name. Then click the URI Filtering... button on the bottom right of the page.

Step 12: Click Add.

Step 13: In the drop-down menu for Regular Expression, select _default_aim-messenger. Here I set "check protocol violations" to drop connection.

Step 14: Click ok

Step 15: Click ok

Step 16: Click ok

Step 17: Click ok

Step 18: Click finish

Step 19: Click Apply

This will set up your ASA to look for and block AIM. I know this might seem like a lot of steps, but like every GUI, once you get used to it, it really takes no time at all.

Bryan

------------------------

According to cisconoobie (replied Feb 23, 2007, 6:31am PST):

The steps Bryan showed are correct, but there is a bug with version 7.2 and http inspections. You have to make sure "protocol violations" is set to log only and inspection set to drop connection. If you don't set it to "log only", it will drop things like ActiveX and some other things passing through http.

-------------------------

I followed the instructions as spelled out by both Bryan and cisconoobie, and I can still use the AOL IM app to connect to the AOL server on either port 23 (telnet) or port 25 (smtp).

The instructions, to me, seem to have to do with blocking the AOL IM app from using the http port, correct?

Clearly it is not working in my case because I am using port 23 to connect to the AOL server, and the pix clearly doesn't know how to inspect AOL traffic masquerading as telnet traffic.

Comments anyone? Thanks.

David
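For reference, the CLI equivalent of the 19 ASDM steps quoted above, with cisconoobie's adjustment applied (protocol violations logged only, the URI match dropping the connection). This is an added example, not configuration from Bryan, cisconoobie or David; the policy-map name is an assumption, and _default_aim-messenger is the regex ASDM pre-defines and that step 13 selects (its pattern is not reproduced here and must already exist on the box). The last stanza also shows why this does nothing for a client on port 23 or 25: inspect http under class inspection_default only examines traffic on the HTTP default port.

```text
! Added example (not from the thread): CLI form of Bryan's ASDM steps.
! Names are assumptions; _default_aim-messenger is the ASDM-created regex.
policy-map type inspect http block_AIM_via_telnet
 parameters
  ! Bryan's step 13 picks drop-connection here. cisconoobie's caveat for 7.2:
  ! that setting also drops ActiveX and other odd-but-legitimate HTTP, so keep
  ! protocol violations at log only. The rejected form, for comparison:
  !   protocol-violation action drop-connection
  protocol-violation action log
 ! The AIM-over-HTTP block itself: a request URI matching the regex is dropped
 match request uri regex _default_aim-messenger
  drop-connection log
!
! Attach the map to the existing global policy. class inspection_default is
! the ASDM "Default Inspection Traffic" class (HTTP = tcp/80 only), so a client
! that signs on over tcp/23 or tcp/25 never reaches this inspection.
policy-map global_policy
 class inspection_default
  inspect http block_AIM_via_telnet
```

Paste the stanzas in that order; `inspect http block_AIM_via_telnet` fails if the map does not exist yet, and the map fails if the regex does not exist yet.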

jgervia_2 Sun, 02/25/2007 - 18:20

Not sure if this will work; try this

(this assumes global_policy exists)

! Layer 3/4 class: any TCP connection to destination port 23 (telnet)
class-map telnet
 match port tcp eq telnet
!
! IM inspect policy map: drop MSN and Yahoo sessions. The match goes directly
! under the policy map (there is no parameters block in between), and in 7.2
! match protocol accepts only msn-im and yahoo-im; AIM is not an option.
policy-map type inspect im im-block
 match protocol msn-im yahoo-im
  drop-connection
!
! Hang IM inspection off the port-23 class in the existing global policy
policy-map global_policy
 class telnet
  inspect im im-block

In theory that should block MSN and Yahoo, though I don't have any way to test that.

--Jason

Please rate this message if it helps solve some/all of your issue/problem.
