Modular Policy Framework

Unanswered Question
Feb 19th, 2008
User Badges:

Hi all,

Please explain how I can block P2P applications such as eMule, Kazaa etc. with the Modular Policy Framework.

Also, how can I block certain file types from being uploaded to the internal FTP server?


abinjola Tue, 02/19/2008 - 10:08
User Badges:
  • Cisco Employee,

You must know that ASA/PIX (version 7) has default classes for this type of traffic:


Security-525(config-pmap-c)# sh run all class-map type inspect http
!
class-map type inspect http match-all _default_gator
 match request header user-agent regex _default_gator
class-map type inspect http match-all default_kazaa
 match none
class-map type inspect http match-all _default_msn-messenger
 match response header content-type regex _default_msn-messenger
class-map type inspect http match-all _default_yahoo-messenger
 match request body regex _default_yahoo-messenger
class-map type inspect http match-all _default_windows-media-player-tunnel
 match request header user-agent regex _default_windows-media-player-tunnel
class-map type inspect http match-all _default_gnu-http-tunnel
 match request args regex _default_gnu-http-tunnel_arg
 match request uri regex _default_gnu-http-tunnel_uri
class-map type inspect http match-all _default_firethru-tunnel
 match request header host regex _default_firethru-tunnel_1
 match request uri regex _default_firethru-tunnel_2
class-map type inspect http match-all _default_aim-messenger
 match request header host regex _default_aim-messenger
class-map type inspect http match-all _default_http-tunnel
 match request uri regex _default_http-tunnel
class-map type inspect http match-all _default_kazaa
 match response header regex _default_x-kazaa-network count gt 0
class-map type inspect http match-all _default_shoutcast-tunneling-protocol
 match request header regex _default_icy-metadata regex _default_shoutcast-tunneling-protocol
class-map type inspect http match-all _default_GoToMyPC-tunnel
 match request args regex _default_GoToMyPC-tunnel
 match request uri regex _default_GoToMyPC-tunnel_2
class-map type inspect http match-all _default_httport-tunnel
 match request header host regex _default_httport-tunnel
!

So you use the following commands to block, for example, Kazaa:

Security-525(config-pmap-c)# policy-map global_policy
Security-525(config-pmap)# policy-map type inspect http filterp2p
Security-525(config-pmap)# class default_kazaa
Security-525(config-pmap-c)# drop-connection log

See if this helps!
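The complete MPF chain that the answer above sketches, written out as an added example (editor's example, not configuration from the original post or from Cisco). It uses the built-in `_default_kazaa` class, which in the `show run all` output above carries the `x-kazaa-network` response-header match, and it attaches the Layer-7 policy to the default `global_policy`/`inspection_default` pair that a stock ASA 7.x configuration already contains. The policy name `filterp2p` is taken from the post; the `protocol-violation` line is an optional extra.

```cisco
! Added example: drop HTTP connections the ASA identifies as Kazaa.
! Assumes ASA/PIX 7.x with the default global_policy and inspection_default
! class already present.
!
! 1. Layer-7 HTTP inspection policy: what to do with flows that match the
!    built-in Kazaa class (_default_kazaa, not default_kazaa, which matches none).
policy-map type inspect http filterp2p
 parameters
  ! Optional: also drop and log requests that are not well-formed HTTP,
  ! which is how several tunnelling tools look on port 80.
  protocol-violation action drop-connection log
 class _default_kazaa
  drop-connection log
!
! 2. Hook the HTTP inspection policy into the global service policy.
!    This replaces the plain "inspect http" that the default policy carries.
policy-map global_policy
 class inspection_default
  inspect http filterp2p
!
! 3. Apply it to all interfaces (already present in a default configuration).
service-policy global_policy global
!
! Verify hits after some traffic has passed:
!   show service-policy inspect http
```

Two caveats a practitioner would check before relying on this: the HTTP inspection classes only see traffic that is actually HTTP on an inspected port, so a client such as eMule speaking its native protocol on an arbitrary port is not affected by this policy and still needs an outbound ACL that permits only the ports the site allows; and `drop-connection log` produces a syslog per dropped flow, so confirm that logging to a collector is enabled so the drops can be reviewed.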

cisco24x7 Tue, 02/19/2008 - 10:37
User Badges:
  • Silver, 250 points or more

I've been struggling with the following for the past year without any solutions:

1- I want to block users from using AOL Instant Messaging. AOL can masquerade on any ports. I don't want to do an nslookup and block the AOL destination. With Checkpoint, this was not an issue via SmartDefense. How can I do this with PIX or ASA devices?

2- How do I block the Nachi worm with PIX/ASA, like this below:

access-list 199 permit icmp any any echo
access-list 199 permit icmp any any echo-reply
route-map nachi-worm permit 10
 match ip address 199
 match length 92 92
 set interface Null0
interface F0/0
 no ip unreachables
 ip route-cache policy
 ip policy route-map nachi-worm

I can do this with Checkpoint in 20 seconds. With PIX, I don't know how.



abinjola Tue, 02/19/2008 - 10:52
User Badges:
  • Cisco Employee,

GUIs are always a 20-second game.

cisco24x7 Tue, 02/19/2008 - 10:56
User Badges:
  • Silver, 250 points or more

So what are the solutions for PIX/ASA?

abinjola Tue, 02/19/2008 - 11:10
User Badges:
  • Cisco Employee,

Hello Anish, please try my sample config that I posted for you and let me know if there is anything else I can help you with.

anishpeter Tue, 02/19/2008 - 18:18
User Badges:

Hi Ashish,

Thanks a lot. I hadn't noticed the above default class maps. I will try it.

I also want to set my FTP policy to allow only certain file types. Can I use the CSC module to inspect inbound FTP files? If my ASA has the AIP module populated and there is no room for the CSC, how can I use an antivirus program to inspect inbound FTP traffic?
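For the file-type part of the question (asked in the opening post and again here), the ASA's own FTP inspection can enforce an allowed-extension list without any SSM module. The following is an added example (editor's example, not configuration from the thread or from Cisco); the regex name, class/policy names and the allowed extensions `.txt`, `.csv` and `.pdf` are assumptions to adapt to the site's policy. It matches the FTP store commands (`put` covers STOR, plus `stou` and `appe`) whose filename does not end in an allowed extension and resets those sessions.

```cisco
! Added example: allow uploads to the FTP server only for an approved set
! of file extensions, using ASA FTP inspection (no CSC/AIP module needed).
! Assumes ASA 7.2+ with the default global_policy and inspection_default class.
!
! Permitted extensions (assumed list), case-insensitive, anchored at end of name.
regex ALLOWED_UPLOAD_EXT "\.([Tt][Xx][Tt]|[Cc][Ss][Vv]|[Pp][Dd][Ff])$"
!
! Any store-type command whose filename does NOT match the allowed regex.
class-map type inspect ftp match-all FTP_DISALLOWED_UPLOAD
 match request-command put stou appe
 match not filename regex ALLOWED_UPLOAD_EXT
!
! Reset and log sessions that try such an upload; also hide the server
! banner and SYST reply so the server software is not advertised.
policy-map type inspect ftp FTP_UPLOAD_POLICY
 parameters
  mask-banner
  mask-syst-reply
 class FTP_DISALLOWED_UPLOAD
  reset log
!
! Replace the default plain "inspect ftp" with strict inspection that
! applies the policy above; strict also rejects embedded commands and
! enforces that PORT/PASV addresses match the connection endpoints.
policy-map global_policy
 class inspection_default
  no inspect ftp
  inspect ftp strict FTP_UPLOAD_POLICY
!
! Verify:
!   show service-policy inspect ftp
```

Two points to keep in mind: the filename check is by name only, so it stops users uploading `.exe` or `.zip` files by policy but does not inspect content (a renamed executable still passes), which is where an IPS signature or a server-side scanner is the complementary control; and `strict` can break FTP clients that issue non-standard commands, so test with the client software in use before rolling it out on the production policy.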

abinjola Wed, 02/20/2008 - 21:16
User Badges:
  • Cisco Employee,

Hey Anish, well, if you have an AIP-SSM module or a CSC module then you actually have a full-fledged IPS mechanism, and you can certainly monitor/block/reset inbound/outbound FTP files or FTP commands as well.

You just need to configure the AIP-SSM and turn on all the default signatures.
