02-19-2008 09:50 AM - edited 03-11-2019 05:04 AM
Hi all,
Please explain how I can block P2P applications such as eMule, Kazaa etc. with the Modular Policy Framework?
Also, how can I block certain file types from being uploaded to the internal FTP server?
02-19-2008 10:08 AM
You must know that ASA/PIX (version 7) has default classes for this type of traffic:
Security-525(config-pmap-c)# sh run all class-map type inspect http
!
class-map type inspect http match-all _default_gator
match request header user-agent regex _default_gator
class-map type inspect http match-all default_kazaa
match none
class-map type inspect http match-all _default_msn-messenger
match response header content-type regex _default_msn-messenger
class-map type inspect http match-all _default_yahoo-messenger
match request body regex _default_yahoo-messenger
class-map type inspect http match-all _default_windows-media-player-tunnel
match request header user-agent regex _default_windows-media-player-tunnel
class-map type inspect http match-all _default_gnu-http-tunnel
match request args regex _default_gnu-http-tunnel_arg
match request uri regex _default_gnu-http-tunnel_uri
class-map type inspect http match-all _default_firethru-tunnel
match request header host regex _default_firethru-tunnel_1
match request uri regex _default_firethru-tunnel_2
class-map type inspect http match-all _default_aim-messenger
match request header host regex _default_aim-messenger
class-map type inspect http match-all _default_http-tunnel
match request uri regex _default_http-tunnel
class-map type inspect http match-all _default_kazaa
match response header regex _default_x-kazaa-network count gt 0
class-map type inspect http match-all _default_shoutcast-tunneling-protocol
match request header regex _default_icy-metadata regex _default_shoutcast-tunneling-protocol
class-map type inspect http match-all _default_GoToMyPC-tunnel
match request args regex _default_GoToMyPC-tunnel
match request uri regex _default_GoToMyPC-tunnel_2
class-map type inspect http match-all _default_httport-tunnel
match request header host regex _default_httport-tunnel
!
So you use the following commands to block, for example, Kazaa:
policy-map type inspect http filterp2p
 ! _default_kazaa (with the leading underscore) is the class that matches the X-Kazaa-Network header;
 ! "default_kazaa" without the underscore matches none, as the output above shows
 class _default_kazaa
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect http filterp2p
See if this helps!
02-19-2008 10:37 AM
I've been struggling with the following for the past year without any solutions:
1- I want to block users from using AOL Instant Messaging. AOL can masquerade on any port. I don't want to do an nslookup and block the AOL destination. With Checkpoint, this was not an issue via SmartDefense. How can I do this with PIX or ASA devices?
2- How do I block the Nachi worm with PIX/ASA, like this below:
access-list 199 permit icmp any any echo
access-list 199 permit icmp any any echo-reply
!
route-map nachi-worm permit 10
 match ip address 199
 match length 92 92
 set interface Null0
!
interface F0/0
 no ip unreachables
 ip route-cache policy
 ip policy route-map nachi-worm
I can do this with Checkpoint in 20 seconds. With PIX, I don't know how.
02-19-2008 10:52 AM
GUIs are always a 20-second game.
02-19-2008 10:56 AM
So what are the solutions for PIX/ASA?
02-19-2008 11:10 AM
Hello Anish, please try my sample config that I posted for you and let me know if there is anything else I can help you with.
02-19-2008 06:18 PM
Hi Ashish,
Thanks a lot. I hadn't noticed the above default class maps. I will try them.
I also want to set my FTP policy to allow only certain file types. Can I use the CSC module to inspect inbound FTP files? If my ASA has the AIP module installed and no room for CSC, how can I use an antivirus program to inspect inbound FTP traffic?
02-20-2008 09:16 PM
Hey Anish, well, if you have the AIP-SSM module or the CSC module then you actually have a full-fledged IPS mechanism, and you can certainly monitor/block/reset inbound/outbound FTP files or FTP commands as well.
You just need to configure the AIP-SSM and turn on all the default signatures.
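For the file-type question, here is an added example (not posted by anyone in this thread) of doing the restriction in MPF itself, with no CSC or AIP module: an FTP inspection policy that resets uploads whose filename ends in a blocked extension. The regex, class-map and policy-map names are assumed, and the list of extensions is a constructed sample.

```cisco
! Constructed sample: extensions the internal FTP server should not accept.
! ASA regexes have no case-insensitive flag, so spell out both cases.
regex FTP_EXT_EXE "\.[Ee][Xx][Ee]$"
regex FTP_EXT_SCR "\.[Ss][Cc][Rr]$"
regex FTP_EXT_BAT "\.[Bb][Aa][Tt]$"
!
class-map type regex match-any FTP_BLOCKED_EXT
 match regex FTP_EXT_EXE
 match regex FTP_EXT_SCR
 match regex FTP_EXT_BAT
!
! Match only uploads. PUT (STOR) is the obvious one, but APPE and STOU
! also write files to the server, so include them or the policy is bypassed
! by a client that simply uses a different upload command.
class-map type inspect ftp match-all FTP_BLOCKED_UPLOAD
 match request-command appe put stou
 match filename regex class FTP_BLOCKED_EXT
!
policy-map type inspect ftp FTP_UPLOAD_POLICY
 parameters
  ! hide the server's SYST banner from clients
  mask-syst-reply
 class FTP_BLOCKED_UPLOAD
  reset log
!
! Hook the map into the default inspection class on the global policy.
! "strict" also enforces the RFC command sequence on the control channel.
policy-map global_policy
 class inspection_default
  inspect ftp strict FTP_UPLOAD_POLICY
```

Because the match is on the filename the client sends, this enforces a naming policy rather than inspecting content; a renamed executable still passes, which is why content inspection (CSC module or an AV proxy) remains the answer for malware.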