David Stanford Tue, 05/22/2007 - 19:00
User Badges: Cisco Employee

I believe the ports used by this application are from 6881 to 6999. If you want to block these ports please take a look at the commands below:

access-list outbound_access deny tcp any any range 6881 6999
access-list outbound_access permit ip any any
access-group outbound_access in interface inside

You can also permit any ports you would like to include.

For PIX 7.X you can look at the following:

PIX 7.01 does have a command to block p2p traffic. Please refer to the PIX 7.0 command reference for the "port-misuse" feature:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/mr.htm#wp1630589


First we start out with our examples so you can see yourself move around within the pix as the prompts change to get used to the new sub-menus that have been created in the pix.

----------------------------------------------------------------------------


Create a class-map for http inspection

pix(config)# class-map http-port
pix(config-cmap)# match port tcp eq 80
pix(config-cmap)# exit




Create an http-map to specify parameters for inspect http

pix(config)# http-map inbound_http
pix(config-http-map)# content-length min 100 max 2000 action reset log
pix(config-http-map)# content-type-verification match-req-rsp action reset log
pix(config-http-map)# max-header-length request 100 action reset log
pix(config-http-map)# max-uri-length 100 action reset log
pix(config-http-map)# port-misuse p2p action drop
pix(config-http-map)# port-misuse default action allow
pix(config-http-map)# exit




Create a policy-map for http inspection

* pix(config)# policy-map inbound_policy
pix(config-pmap)# class http-port
pix(config-pmap-c)# inspect http inbound_http
pix(config-pmap-c)# exit
pix(config-pmap)# exit




If necessary create a service-policy or use the default-inspection policy

pix(config)# service-policy inbound_policy interface outside

*Attach the policy-map for http inspection to an interface (an existing policy map could also be used).




This ends up in the config as:

--------------------------------------------------------------------------
class-map http-port
 match port tcp eq 80
class-map http-port8080
 match port tcp eq 8080
.
http-map inbound_http
 content-length min 100 max 2000 action reset log
 content-type-verification match-req-rsp action reset log
 max-header-length request 100 action reset log
 max-uri-length 100 action reset log
 port-misuse p2p action drop
 port-misuse default action allow
.
policy-map inbound_policy
 class http-port
  inspect http inbound_http
 class http-port8080
  inspect http inbound_http
.
service-policy inbound_policy interface outside
--------------------------------------------------------------------------




If you notice, you can add more ports via class-maps which tie to the inbound_policy we created to tie to the interface. I haven't tested this yet but you can set the port-misuse default action to allow which we did above so you should be able to inspect other ports that are being used without blocking anything that you're currently doing as long as the P2P headers aren't found in the packets.




Essentially this will cause the pix to block the P2P applications while still allowing normal traffic over port 80/8080.
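As an added illustration, not code from the thread or from Cisco, here is a small Python audit script that parses a PIX 7.x style running config like the one in the post above and reports, per interface with a service-policy, which TCP ports actually receive HTTP inspection whose http-map has `port-misuse p2p action drop`. The sample config is constructed to mirror the thread's, and the line-format assumptions (one-space indentation, `match port tcp eq`, `inspect http <map>`) are mine.

```python
import re
# Constructed sample modelled on the thread's running config, indented as PIX 7.x prints it.
SAMPLE_CONFIG = """class-map http-port
 match port tcp eq 80
class-map http-port8080
 match port tcp eq 8080
http-map inbound_http
 port-misuse p2p action drop
 port-misuse default action allow
policy-map inbound_policy
 class http-port
  inspect http inbound_http
 class http-port8080
  inspect http inbound_http
service-policy inbound_policy interface outside
"""

def parse_pix(config):
    """Single pass: class-map ports, http-map p2p action, policy-map bindings."""
    cmaps, hmaps, pmaps, spolicy = {}, {}, {}, {}
    kind = name = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if line and not raw.startswith(" "):              # top-level command
            m = re.match(r"(class-map|http-map|policy-map) (\S+)$", line)
            kind, name, cls = (*m.groups(), None) if m else (None, None, None)
            m = re.match(r"service-policy (\S+) interface (\S+)$", line)
            if m:
                spolicy[m.group(2)] = m.group(1)          # interface -> policy-map
        elif kind == "class-map" and line.startswith("match port tcp eq "):
            cmaps.setdefault(name, set()).add(int(line.split()[-1]))
        elif kind == "http-map" and line.startswith("port-misuse p2p action "):
            hmaps[name] = line.split()[-1]                # drop | reset | allow
        elif kind == "policy-map" and line.startswith("class "):
            cls = line.split()[1]
        elif kind == "policy-map" and cls and line.startswith("inspect http "):
            pmaps.setdefault(name, {})[cls] = line.split()[-1]
    return cmaps, hmaps, pmaps, spolicy

def p2p_dropped_ports(config):
    """interface -> sorted TCP ports whose HTTP inspection drops P2P misuse."""
    cmaps, hmaps, pmaps, spolicy = parse_pix(config)
    result = {}
    for iface, pmap in spolicy.items():
        ports = set()
        for cls, hmap in pmaps.get(pmap, {}).items():
            if hmaps.get(hmap) == "drop":                 # allow/reset do not count
                ports |= cmaps.get(cls, set())
        result[iface] = sorted(ports)
    return result
```

A port that appears in a class-map but not in the reported list is one where P2P over HTTP would still pass, which is the gap to check for after adding new class-maps as the post suggests.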




network770 Fri, 08/26/2011 - 09:00

I have an ASA running 8.2.

Is this the right way of doing it, or using an AIP-SSM module? Or both?
