05-08-2008 12:14 PM - edited 03-11-2019 05:42 AM
I just installed an ASA5510. Cisco is brand new to me, and I'm still struggling with writing rules for the thing.
I have some understanding, having worked previously with an old Livingston firewall. Also read the O'Reilly Firewall book :)
I was looking at the firewall dashboard and it showed BitTorrent taking up about 40% of the total traffic for the last hour. The ASA5510 dashboard seems to have detected that on its own; I don't have anything specific written to trap BT.
I'd like to know, is there information I can pull out of the thing? Can I tell which of my internal hosts is generating this traffic without writing a specific trap to log?
And, is there a one-liner I can write under Configuration/Firewall, to block Bit Torrent? It's against a company policy here to be using it anyway.
Fred
05-09-2008 08:58 AM
Hello Fred,
"is there a one-liner I can write under Configuration/Firewall, to block Bit Torrent? It's against a company policy here to be using it anyway"
You may need to work with the Modular Policy Framework in your firewall. I totally agree with you: it's a violation of company policy and, most importantly, users are eating up your internet bandwidth by downloading non-work-related files using peer-to-peer downloads.
Working with MPF to block P2P file transfers:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c38a6.shtml#conf
You may also reference this link to get an idea of the TCP port information for the most common internet services, including BitTorrent and other internet file-sharing services.
http://www.chebucto.ns.ca/~rakerman/port-table.html
"I was looking at the firewall dashboard and it showed Bit Torrent taking up about 40% of the total traffic for the last hour. The ASA5510 dashboard seems to have detected that on it's own, I don't have anything specific written to trap BT."
As for this one, you should be able to see in the ASDM real-time syslog, by looking at the TCP/UDP connection teardown messages, who may be using BitTorrent; look at the source and destination in the logs.
You may also, if you have an inside router connected to the ASA5500 firewall, use NetFlow or IP accounting, which may show you the top talkers for bandwidth; or, if the router does not support NetFlow, you could enable ip route-cache flow on the router interface connecting to the ASA firewall.
netflow
http://www.cisco.com/en/US/products/ps6601/products_ios_protocol_group_home.html
free netflow collectors
Rgds
-Jorge
PLS rate any helpful posts
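A worked configuration, added here as an illustration and not taken from the thread or from the linked Cisco document: it sketches the MPF approach Jorge describes (an HTTP inspection policy that drops requests for .torrent files), alongside a plain access-list that blocks the conventional BitTorrent port range on the inside interface, plus the logging and show commands for finding which inside host is actually talking on those ports, and the NetFlow commands for an inside IOS router. The interface names (inside, FastEthernet0/1), the class and policy names, the collector address 192.0.2.10, and the port range 6881-6999 are my assumptions; the thread itself only mentions port 6881.

```cisco
! ---- ASA 5510 (ASA 8.0-era syntax assumed) ----
!
! 1. Find out who is generating the traffic before blocking anything.
!    Connection build/teardown messages (e.g. %ASA-6-302014) carry the
!    inside source address; send them to ASDM and to a syslog collector.
logging enable
logging timestamp
logging asdm informational
! assumed syslog collector on the inside network
logging host inside 192.0.2.10
!
! Live view of current connections on the BitTorrent default range;
! the left-hand address is the inside host you are looking for.
show conn port 6881-6999
!
! 2. Plain port block on the inside interface (the closest thing to a
!    "one-liner"). 6881-6999 is only the conventional listening range;
!    clients can be configured to use any port, so this catches defaults.
!    The "log" keyword records each hit with the offending source address.
access-list inside_access_in extended deny tcp any any range 6881 6999 log
access-list inside_access_in extended deny udp any any range 6881 6999 log
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside
!
! 3. MPF: drop HTTP requests for .torrent files so that new downloads
!    cannot be started over port 80, which the port ACL above cannot see.
regex torrent-uri "\.torrent"
class-map type regex match-any p2p-uri-class
 match regex torrent-uri
!
policy-map type inspect http p2p-http-policy
 parameters
 match request uri regex class p2p-uri-class
  drop-connection log
!
class-map http-traffic
 match port tcp eq www
!
! global_policy and the global service-policy already exist by default;
! this just adds the HTTP inspection class to them.
policy-map global_policy
 class http-traffic
  inspect http p2p-http-policy
!
service-policy global_policy global
!
! ---- Inside IOS router, if one sits between the LAN and the ASA ----
! ip route-cache flow is the command Jorge mentions; the export lines send
! the records to the same (assumed) collector so you can rank top talkers.
interface FastEthernet0/1
 ip route-cache flow
!
ip flow-export version 5
ip flow-export destination 192.0.2.10 2055
!
! Quick on-box summary of flows and top protocols without a collector
show ip cache flow
```

Two caveats worth keeping in mind when reading the results. The dashboard classification Fred is seeing is port-based, so a host using 6881 for something else will be labelled BitTorrent just the same; the access-list log entries and the show conn output at least tell you which inside address to go and check. And because BitTorrent clients are often configured to use random high ports, the port ACL and the .torrent HTTP filter reduce the default traffic but do not make the policy technically enforceable on their own; the logs are what let you confirm it is actually gone.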
05-09-2008 09:13 AM
And: is there a chance that the ASA5510 has called it BitTorrent just because of the port number (6881), when perhaps it's not BitTorrent at all?
Fred
05-09-2008 10:24 AM
Fred,
There is a list of well-known internet service port numbers in the link I posted, http://www.chebucto.ns.ca/~rakerman/port-table.html ; you would need to further investigate the destination IPs versus the TCP port numbers that your clients are using, and investigate the destination public IP addresses by whois etc. to pinpoint who the destination belongs to.
You may consider (CSC) Security Services Module add-on
http://www.cisco.com/en/US/products/ps6823/index.html
Rgds
-Jorge