05-22-2007 01:13 PM
How can I deny all BitTorrent traffic on a Cisco PIX/ASA?
05-22-2007 07:00 PM
I believe the ports used by this application are from 6881 to 6999. If you want to block these ports, please take a look at the commands below:
access-list outbound_access deny tcp any any range 6881 6999
access-list outbound_access permit ip any any
access-group outbound_access in interface inside
You can also permit any other ports you would like to include.
For PIX 7.x you can look at the following:
PIX 7.0(1) does have a command to block P2P traffic. Please refer to the PIX 7.0 command reference for the "port-misuse" feature:
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/mr.htm#wp1630589
First we start out with our examples so you can see yourself moving around within the PIX as the prompts change, to get used to the new sub-menus that have been created in the PIX.
----------------------------------------------------------------------------
Create a class-map for http inspection
pix(config)# class-map http-port
pix(config-cmap)# match port tcp eq 80
pix(config-cmap)# exit
Create an http-map to specify parameters for inspect http
pix(config)# http-map inbound_http
pix(config-http-map)# content-length min 100 max 2000 action reset log
pix(config-http-map)# content-type-verification match-req-rsp action reset log
pix(config-http-map)# max-header-length request 100 action reset log
pix(config-http-map)# max-uri-length 100 action reset log
pix(config-http-map)# port-misuse p2p action drop
pix(config-http-map)# port-misuse default action allow
pix(config-http-map)# exit
Create a policy-map for http inspection
* pix(config)# policy-map inbound_policy
pix(config-pmap)# class http-port
pix(config-pmap-c)# inspect http inbound_http
pix(config-pmap-c)# exit
pix(config-pmap)# exit
If necessary create a service-policy or use the default-inspection policy
pix(config)# service-policy inbound_policy interface outside
*Attach the policy-map for http inspection to an interface (an existing policy map could also be used).
This ends up in the config as:
--------------------------------------------------------------------------
class-map http-port
match port tcp eq 80
class-map http-port8080
match port tcp eq 8080
.
http-map inbound_http
content-length min 100 max 2000 action reset log
content-type-verification match-req-rsp action reset log
max-header-length request 100 action reset log
max-uri-length 100 action reset log
port-misuse p2p action drop
port-misuse default action allow
.
policy-map inbound_policy
class http-port
inspect http inbound_http
class http-port8080
inspect http inbound_http
.
service-policy inbound_policy interface outside
--------------------------------------------------------------------------
If you notice, you can add more ports via class-maps which tie to the inbound_policy we created, which in turn is tied to the interface. I haven't tested this yet, but you can set the port-misuse default action to allow (which we did above), so you should be able to inspect other ports that are being used without blocking anything you're currently doing, as long as the P2P headers aren't found in the packets.
Essentially this will cause the PIX to block the P2P applications while still allowing normal traffic over port 80/8080.
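To make the two mechanisms in the reply above concrete, here is a small added illustration (example code written for this thread, not a Cisco tool or anything from the original post). It models the outbound_access list with first-match semantics, then adds a simplified payload check on ports 80/8080 that stands in for what the http-map port-misuse inspection is meant to catch. The flow records and payloads are constructed sample data; the BitTorrent handshake prefix check is a deliberately simple stand-in and is not the PIX's actual signature logic.

```python
"""
Added illustration for the thread above: a first-match ACL evaluator mirroring
'access-list outbound_access deny tcp any any range 6881 6999 / permit ip any any',
plus a payload check on the HTTP class-map ports (80, 8080) that plays the role of
'port-misuse p2p action drop'. All names, flows and payloads are constructed for
this example; none of this is a Cisco API.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip" (ip matches any protocol)
    dst_port_low: int = 0       # inclusive destination port range;
    dst_port_high: int = 65535  # 0..65535 means any port


# The ACL from the thread, in the order it was posted (order matters: first match wins).
OUTBOUND_ACCESS = [
    AclEntry("deny", "tcp", 6881, 6999),
    AclEntry("permit", "ip"),
]


def evaluate_acl(acl, proto, dst_port):
    """Return the action of the first matching entry; implicit deny if nothing matches."""
    for entry in acl:
        proto_ok = entry.proto == "ip" or entry.proto == proto
        port_ok = entry.dst_port_low <= dst_port <= entry.dst_port_high
        if proto_ok and port_ok:
            return entry.action
    return "deny"


# Constructed sample payloads.
# A BitTorrent peer-wire handshake starts with pstrlen 19 and "BitTorrent protocol".
BT_HANDSHAKE = (b"\x13BitTorrent protocol" + b"\x00" * 8
                + b"\x11" * 20 + b"-XX0000-" + b"A" * 12)
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

HTTP_CLASS_PORTS = (80, 8080)  # the two class-maps in the posted config


def looks_like_bittorrent(payload: bytes) -> bool:
    """Simplified P2P check: does the stream open with the BitTorrent handshake prefix?"""
    return payload[:20] == b"\x13BitTorrent protocol"


def classify_flow(proto, dst_port, payload):
    """Apply the port ACL first, then (on HTTP class-map ports only) the payload check."""
    if evaluate_acl(OUTBOUND_ACCESS, proto, dst_port) == "deny":
        return "denied-by-acl"
    if proto == "tcp" and dst_port in HTTP_CLASS_PORTS and looks_like_bittorrent(payload):
        return "dropped-by-inspection"
    return "permitted"


def classify_all(flows):
    """Classify a list of (proto, dst_port, payload) tuples; returns a list of verdicts."""
    return [classify_flow(proto, port, payload) for proto, port, payload in flows]


if __name__ == "__main__":
    sample_flows = [
        ("tcp", 6890, BT_HANDSHAKE),  # classic client port: caught by the ACL
        ("tcp", 80, BT_HANDSHAKE),    # same handshake on port 80: only inspection sees it
        ("tcp", 80, HTTP_GET),        # ordinary web request: allowed through
        ("udp", 6881, b"d1:ad2:id20:"),  # UDP in the range: the tcp-only ACL does not match
    ]
    for flow, verdict in zip(sample_flows, classify_all(sample_flows)):
        print(flow[0], flow[1], verdict)
```

Two things the run makes visible: the ACL line is TCP-only, so UDP traffic in the same port range is untouched by it, and swapping the two ACL entries (permit first) makes the deny unreachable, which is why the reply puts the deny line before permit ip any any.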
08-26-2011 09:00 AM
I have an ASA running 8.2.
Is this the right way of doing it, or using an AIP-SSM module? Or both?