Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
822
Views
0
Helpful
2
Replies

P2P and IM blocking with ASA 5520 using GUI

david.fernandez.fernandez
Level 1
Level 1

‎05-09-2008 02:59 AM - edited ‎03-11-2019 05:42 AM

Hi everyone,

We have an ASA 5520 working since somedays, and we want now to block IM and P2P network traffic through our firewall. We asked our distributor and they send us a link: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c38a6.shtml

In this link we have information about blocking such traffic by modifying directly in the running-config file. Our question is whether we can find or not a way to do it using the GUI. We will fell safer if we do it like this.

In case there is no chance to do it through GUI, how should I proceed to modify running-config file.

Thank you.

Labels:
0 Helpful
2 Replies 2

hadbou
Level 5
Level 5

‎05-15-2008 11:07 AM

Here is a sample for blocking IM and P2P

------------------------------------------------------------------------------------------

Create a class-map for http inspection

pix(config)# class-map http-port

pix(config-cmap)# match port tcp eq 80

pix(config-cmap)# exit

Create an http-map to specify parameters for inspect http

pix(config)# http-map inbound_http

pix(config-http-map)# content-length min 100 max 2000 action reset log

pix(config-http-map)# content-type-verification match-req-rsp action reset log

pix(config-http-map)# max-header-length request 100 action reset log

pix(config-http-map)# max-uri-length 100 action reset log

pix(config-http-map)# port-misuse p2p action drop

pix(config-http-map)# port-misuse im action drop

pix(config-http-map)# port-misuse default action allow

pix(config-http-map)# exit

Create a policy-map for http inspection

*pix(config)# policy-map inbound_policy

pix(config-pmap)# class http-port

pix(config-pmap-c)# inspect http inbound_http

pix(config-pmap-c)# exit

pix(config-pmap)# exit

If necessary create a service-policy or use the default-inspection policy:

pix(config)# service-policy inbound_policy interface outside

0 Helpful

david.fernandez.fernandez
Level 1
Level 1
In response to hadbou

‎05-30-2008 06:13 AM

hi hadbou,

thank you very much for your answer.

There's just a little point on it. I'm able to create the class-map and the police map fine. Unfortunately when I tried to create an http-map to specify parameters for inspecting http I received the message"This command has been deprecated. Use 'policy-map type inspect http'" and at this point, I don't know how to go on.

I supposed I have a newer version, an such a command is not working any longer. how should I do it?

Thank you for your posts.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card