P2P and IM blocking with ASA 5520 using GUI

Unanswered Question
May 9th, 2008
User Badges:

Hi everyone,

We have an ASA 5520 working since somedays, and we want now to block IM and P2P network traffic through our firewall. We asked our distributor and they send us a link: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c38a6.shtml

In this link we have information about blocking such traffic by modifying directly in the running-config file. Our question is whether we can find or not a way to do it using the GUI. We will fell safer if we do it like this.

In case there is no chance to do it through GUI, how should I proceed to modify running-config file.

Thank you.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
hadbou Thu, 05/15/2008 - 11:07
User Badges:
  • Bronze, 100 points or more

Here is a sample for blocking IM and P2P


Create a class-map for http inspection

pix(config)# class-map http-port

pix(config-cmap)# match port tcp eq 80

pix(config-cmap)# exit

Create an http-map to specify parameters for inspect http

pix(config)# http-map inbound_http

pix(config-http-map)# content-length min 100 max 2000 action reset log

pix(config-http-map)# content-type-verification match-req-rsp action reset log

pix(config-http-map)# max-header-length request 100 action reset log

pix(config-http-map)# max-uri-length 100 action reset log

pix(config-http-map)# port-misuse p2p action drop

pix(config-http-map)# port-misuse im action drop

pix(config-http-map)# port-misuse default action allow

pix(config-http-map)# exit

Create a policy-map for http inspection

*pix(config)# policy-map inbound_policy

pix(config-pmap)# class http-port

pix(config-pmap-c)# inspect http inbound_http

pix(config-pmap-c)# exit

pix(config-pmap)# exit

If necessary create a service-policy or use the default-inspection policy:

pix(config)# service-policy inbound_policy interface outside

david.fernandez... Fri, 05/30/2008 - 06:13
User Badges:

hi hadbou,

thank you very much for your answer.

There's just a little point on it. I'm able to create the class-map and the police map fine. Unfortunately when I tried to create an http-map to specify parameters for inspecting http I received the message"This command has been deprecated. Use 'policy-map type inspect http'" and at this point, I don't know how to go on.

I supposed I have a newer version, an such a command is not working any longer. how should I do it?

Thank you for your posts.


This Discussion