P2P and IM blocking with ASA 5520 using GUI

Unanswered Question
May 9th, 2008

Hi everyone,

We have had an ASA 5520 working for some days, and we now want to block IM and P2P network traffic through our firewall. We asked our distributor and they sent us a link: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c38a6.shtml

In this link we have information about blocking such traffic by modifying the running-config file directly. Our question is whether or not we can find a way to do it using the GUI. We would feel safer if we did it like this.

In case there is no chance to do it through the GUI, how should I proceed to modify the running-config file?

Thank you.

hadbou Thu, 05/15/2008 - 11:07

Here is a sample for blocking IM and P2P.

Create a class-map for http inspection:

  pix(config)# class-map http-port
  pix(config-cmap)# match port tcp eq 80
  pix(config-cmap)# exit

Create an http-map to specify parameters for inspect http:

  pix(config)# http-map inbound_http
  pix(config-http-map)# content-length min 100 max 2000 action reset log
  pix(config-http-map)# content-type-verification match-req-rsp action reset log
  pix(config-http-map)# max-header-length request 100 action reset log
  pix(config-http-map)# max-uri-length 100 action reset log
  pix(config-http-map)# port-misuse p2p action drop
  pix(config-http-map)# port-misuse im action drop
  pix(config-http-map)# port-misuse default action allow
  pix(config-http-map)# exit

Create a policy-map for http inspection:

  pix(config)# policy-map inbound_policy
  pix(config-pmap)# class http-port
  pix(config-pmap-c)# inspect http inbound_http
  pix(config-pmap-c)# exit
  pix(config-pmap)# exit

If necessary, create a service-policy or use the default inspection policy:

  pix(config)# service-policy inbound_policy interface outside

david.fernandez... Fri, 05/30/2008 - 06:13

hi hadbou,

thank you very much for your answer.

There's just a little point on it. I'm able to create the class-map and the policy-map fine. Unfortunately, when I tried to create an http-map to specify parameters for inspecting http, I received the message "This command has been deprecated. Use 'policy-map type inspect http'", and at this point I don't know how to go on.

I suppose I have a newer version, and such a command is not working any longer. How should I do it?

Thank you for your posts.
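For the "http-map is deprecated" situation described in the reply above, here is an added example (not from any of the posts in this thread, and not Cisco's reference configuration) of the same controls expressed in the newer Modular Policy Framework form that the error message points to: a `class-map type inspect http` selecting the HTTP transactions to treat as misuse, a `policy-map type inspect http` holding the action, a `policy-map type inspect im` for IM clients that do not tunnel over HTTP, and both attached to the default `global_policy`. The names `HTTP-MISUSE`, `BLOCK-IM-P2P`, `IM-CLIENTS`, `BLOCK-IM` and `P2P-CLIENT-REGEX`, and the regex pattern, are assumptions; the length thresholds are carried over from the http-map in the earlier reply.

```cisco
! Added example, not from the original thread. Names and the regex
! pattern are assumptions; thresholds (100 bytes) mirror the earlier
! http-map and are tight enough to break ordinary browsing, so tune them.

! Optional regex for a specific client that tunnels over HTTP.
! The pattern is a placeholder to replace with one that fits your environment.
regex P2P-CLIENT-REGEX "<client-pattern-placeholder>"

! Layer-7 class: which HTTP transactions count as misuse
class-map type inspect http match-any HTTP-MISUSE
 match req-resp content-type mismatch
 match request uri length gt 100
 match request header length gt 100
 match request header user-agent regex P2P-CLIENT-REGEX

! Layer-7 policy: the action, replacing the deprecated http-map
policy-map type inspect http BLOCK-IM-P2P
 parameters
  protocol-violation action drop-connection log
 class HTTP-MISUSE
  drop-connection log

! Native IM inspection for clients using their own protocols
class-map type inspect im match-any IM-CLIENTS
 match protocol msn-im yahoo-im
policy-map type inspect im BLOCK-IM
 class IM-CLIENTS
  drop-connection log

! Attach both inspections to the default global inspection policy
! (service-policy global_policy global is normally already present)
policy-map global_policy
 class inspection_default
  inspect http BLOCK-IM-P2P
  inspect im BLOCK-IM
```

Two points to check after applying this. First, `inspection_default` matches the ASA's default inspection traffic; whether that class already covers the IM ports your clients use is an assumption here, and if it does not, define a class that matches those ports and apply `inspect im BLOCK-IM` there instead. Second, every `drop-connection log` above produces syslog entries, so watch the logs for a day or two before relying on the thresholds: a sudden stream of drops on ordinary web traffic means the URI or header length limits inherited from the earlier reply need raising.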
