05-09-2008 02:59 AM - edited 03-11-2019 05:42 AM
Hi everyone,
We have had an ASA 5520 working for some days, and we now want to block IM and P2P network traffic through our firewall. We asked our distributor and they sent us a link: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c38a6.shtml
In this link we have information about blocking such traffic by modifying the running-config file directly. Our question is whether or not we can find a way to do it using the GUI. We will feel safer if we do it like this.
In case there is no chance to do it through the GUI, how should I proceed to modify the running-config file?
Thank you.
05-15-2008 11:07 AM
Here is a sample for blocking IM and P2P
------------------------------------------------------------------------------------------
Create a class-map for http inspection
pix(config)# class-map http-port
pix(config-cmap)# match port tcp eq 80
pix(config-cmap)# exit
Create an http-map to specify parameters for inspect http
pix(config)# http-map inbound_http
pix(config-http-map)# content-length min 100 max 2000 action reset log
pix(config-http-map)# content-type-verification match-req-rsp action reset log
pix(config-http-map)# max-header-length request 100 action reset log
pix(config-http-map)# max-uri-length 100 action reset log
pix(config-http-map)# port-misuse p2p action drop
pix(config-http-map)# port-misuse im action drop
pix(config-http-map)# port-misuse default action allow
pix(config-http-map)# exit
Create a policy-map for http inspection
pix(config)# policy-map inbound_policy
pix(config-pmap)# class http-port
pix(config-pmap-c)# inspect http inbound_http
pix(config-pmap-c)# exit
pix(config-pmap)# exit
If necessary create a service-policy or use the default-inspection policy:
pix(config)# service-policy inbound_policy interface outside
05-30-2008 06:13 AM
Hi hadbou,
Thank you very much for your answer.
There's just a little point on it. I'm able to create the class-map and the policy map fine. Unfortunately, when I tried to create an http-map to specify parameters for inspecting http, I received the message "This command has been deprecated. Use 'policy-map type inspect http'" and at this point, I don't know how to go on.
I suppose I have a newer version, and such a command is not working any longer. How should I do it?
Thank you for your posts.
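An added example, not part of any post in this thread: a sketch of how the sample above might be expressed with the `policy-map type inspect` syntax that the deprecation message points to. The map and class names `block_im` and `im-any` are assumptions, the `content-length` and `port-misuse` lines of the old http-map are not translated here, and each keyword should be confirmed with the CLI `?` help on the software version in use.

```cisco
! HTTP inspection map: takes the place of the deprecated "http-map inbound_http"
policy-map type inspect http inbound_http
 parameters
  protocol-violation action drop-connection log
 ! was: max-uri-length 100 action reset log
 match request uri length gt 100
  reset log
 ! was: max-header-length request 100 action reset log
 match request header length gt 100
  reset log
 ! was: content-type-verification match-req-rsp action reset log
 match req-resp content-type mismatch
  reset log
!
! IM inspection map (name "block_im" is an assumption of this example)
policy-map type inspect im block_im
 parameters
 match protocol msn-im yahoo-im
  drop-connection log
!
! Traffic classes: the thread's http-port class, plus a catch-all
! class (assumed name "im-any") so IM is inspected on any port
class-map http-port
 match port tcp eq 80
class-map im-any
 match any
!
! Attach both inspection maps to the policy from the thread
policy-map inbound_policy
 class http-port
  inspect http inbound_http
 class im-any
  inspect im block_im
!
service-policy inbound_policy interface outside
```

After applying a policy like this, `show service-policy` lists the inspections attached to each class along with their drop and reset counters, which confirms whether traffic is actually hitting the maps.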