How do I Block IM File Transfer

Unanswered Question
Jul 19th, 2007

I'm trying to block MSN and Yahoo! Messenger file transfers while still allowing chat and other services. The problem I get is that when I try to apply the inspect rules in my policy, I get an error that I can't have multiple inspect rules.

Error:

==============

ASA01(config)# policy-map MyInsidePolicy
ASA01(config-pmap)# class ALL
ASA01(config-pmap-c)# inspect http WebMSN
ASA01(config-pmap-c)# inspect im BlockMSN
ERROR: Multiple inspect commands can't be configured for a class without 'match default-inspection-traffic|none' in it.
ASA01(config-pmap-c)#

==============

This is my config so far:

==============

class-map ALL
 match any
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect http WebMSN
 parameters
  protocol-violation action drop-connection
 class _default_msn-messenger
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect http
policy-map type inspect im BlockMSN
 description To Block MSN
 parameters
 match service file-transfer
  drop-connection log
policy-map type inspect im BlockYahoo
 parameters
 match service file-transfer
  drop-connection log
policy-map MyInsidePolicy
 class ALL
  inspect http WebMSN
!
service-policy global_policy global

==============

I also get this:

==============

ASA01(config-pmap-c)# class-map ALL
ASA01(config-cmap)# match default-inspection-traffic
ERROR: This match command can only coexist with 'match access-list'
ASA01(config-cmap)#

==============

What is the proper way to accomplish this?

htarra Wed, 07/25/2007 - 13:27

I think you should create a separate class for all the protocols that you want to inspect and then group all these classes under a policy-map and then apply this to the interface using the service-policy command. You may also try adding the "match default-inspection-traffic" command to the associated class-map. After doing this, you will be allowed to add the additional inspect statements to the same policy-map; however, this is not how the config should be done and you may get errors at some later stage. I think it will be better to use a Websense server to block the MSN or Yahoo file transfer.
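The two errors in the question come from the same rule of the ASA Modular Policy Framework: a class whose only match is "match any" may carry one inspect command, and "match default-inspection-traffic" cannot be added to a class that already has "match any". The reply above points at the fix (one class per kind of traffic, each with its own inspect). The configuration below is an added example, not from the original post or the reply, that applies that advice to the config shown in the question. It assumes MSN Messenger signs in on TCP 1863 and Yahoo! Messenger on TCP 5050, and the names BlockIMFileTransfer and IM_TRAFFIC are made up for the example.

```cisco
! Added example: one inspect-im policy for both messengers.
! Only file-transfer is dropped; chat and the other IM services pass.
! (Assumption: a single policy is enough because the action is the same
! for MSN and Yahoo, so separate BlockMSN/BlockYahoo maps are not needed.)
policy-map type inspect im BlockIMFileTransfer
 description Drop MSN/Yahoo file transfers, allow chat
 parameters
 match service file-transfer
  drop-connection log
!
! Class for the IM client ports. The ports are an assumption for this
! example (MSN TCP/1863, Yahoo TCP/5050); an access-list is used because
! a class-map "match port" takes only one port or range.
access-list IM_TRAFFIC extended permit tcp any any eq 1863
access-list IM_TRAFFIC extended permit tcp any any eq 5050
class-map IM_TRAFFIC
 match access-list IM_TRAFFIC
!
! Reuse the existing global policy instead of MyInsidePolicy/class ALL:
! - inspection_default (match default-inspection-traffic) may hold many
!   inspects, so the HTTP policy replaces the plain "inspect http" there;
! - IM_TRAFFIC is a separate class and therefore gets its single inspect.
policy-map global_policy
 class inspection_default
  no inspect http
  inspect http WebMSN
 class IM_TRAFFIC
  inspect im BlockIMFileTransfer
!
! global_policy is already applied globally in the question's config, so
! no new service-policy line is needed.
```

Two practical checks: "show service-policy global" should list both classes with their inspect lines, and "show service-policy inspect im" should show packet counts rising on IM_TRAFFIC when a client logs in; if the counters stay at zero, the client is using different ports than the assumed 1863/5050 or is tunnelling over HTTP, and in the latter case only the WebMSN http policy-map sees it. The "match any" class ALL and the MyInsidePolicy policy-map from the question become unnecessary and can be removed.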
