I wish to block P2P & IM, but I also deny Yahoo & Google web sites

May 29th, 2008

PIX 515E 7.0 (4)

Following http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c38a6.shtml

All commands accepted without problems; however, Yahoo/Google are blocked - I can get onto cisco.com. Any ideas?


Here is the config, followed by a hasty reload when the company couldn't surf.


class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
!
service-policy global_policy global

: end

uk-pix#
uk-pix# conf t
uk-pix(config)# http-map inbound_http
uk-pix(config-http-map)# content-length min 100 max 2000 action reset log
uk-pix(config-http-map)# content-type-verification match-req-rsp action reset$
uk-pix(config-http-map)# max-header-length request 100 action reset log
uk-pix(config-http-map)# max-uri-length 100 action reset log
uk-pix(config-http-map)# port-misuse p2p action drop
uk-pix(config-http-map)# port-misuse im action drop
uk-pix(config-http-map)# port-misuse default action allow
uk-pix(config-http-map)# exit
uk-pix(config)# class-map http-port
uk-pix(config-cmap)# match port tcp eq www
uk-pix(config-cmap)# exit
uk-pix(config)# policy-map inbound_policy
uk-pix(config-pmap)# class http-port
uk-pix(config-pmap-c)# inspect http inbound_http
uk-pix(config-pmap-c)# exit
uk-pix(config-pmap)# exit
uk-pix(config)# service-policy inbound_policy interface outside
uk-pix(config)#
uk-pix# rel
System config has been modified. Save? [Y]es/[N]o:
Proceed with reload? [confirm]
uk-pix#

smahbub Wed, 06/04/2008 - 13:27

The document at the following link describes how to configure the Cisco Security Appliances PIX/ASA using the Modular Policy Framework (MPF) in order to block Peer-to-Peer (P2P) and Instant Messaging (IM) traffic, such as MSN Messenger and Yahoo Messenger, from the inside network to the Internet. This document also provides information on how to configure the PIX/ASA in order to allow two hosts to use IM applications while the rest of the hosts remain blocked.


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c38a6.shtml


geraghtyconor Wed, 06/04/2008 - 23:25

Thx BUT - that's the link I inserted above!! This procedure ALSO denies my users access to yahoo.co.uk and google.com. I JUST want to deny IM and P2P.
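To make the posted http-map concrete, here is an added illustration (not code from this thread or from Cisco) that applies the numeric limits of the "inbound_http" http-map above to constructed sample requests and reports which reset/drop rules each one would trip. It assumes that max-header-length request is measured over the whole request head (request line plus all header lines) and that the content-length check only applies when a Content-Length header is present; the sample requests are constructed, not captured traffic.

```python
# Added illustration (not from the thread): evaluates constructed HTTP requests
# against the limits configured in the posted "inbound_http" http-map.
# Assumptions: header length covers the whole request head; content-length is
# only checked when the header is present.
from __future__ import annotations

# Limits copied from the posted http-map commands.
MAX_URI_LENGTH = 100          # max-uri-length 100 action reset log
MAX_REQ_HEADER_LENGTH = 100   # max-header-length request 100 action reset log
CONTENT_LENGTH_MIN = 100      # content-length min 100 max 2000 action reset log
CONTENT_LENGTH_MAX = 2000


def evaluate_request(raw: bytes) -> list[str]:
    """Return the http-map rules this request would trigger (empty list = allowed)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    _method, uri, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()

    violations = []
    if len(uri) > MAX_URI_LENGTH:
        violations.append("max-uri-length")
    if len(head) > MAX_REQ_HEADER_LENGTH:
        violations.append("max-header-length request")
    if b"content-length" in headers:
        length = int(headers[b"content-length"])
        if not CONTENT_LENGTH_MIN <= length <= CONTENT_LENGTH_MAX:
            violations.append("content-length")
    return violations


# Constructed sample requests (not captured traffic).
SHORT_GET = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
PORTAL_GET = (  # typical search-portal request: long query string, UA and cookie
    b"GET /search?q=firewall+policy&hl=en&client=firefox-a&rls=org.mozilla:en-GB:official&start=10&ie=UTF-8&oe=UTF-8 HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14\r\n"
    b"Cookie: PREF=ID=0123456789abcdef:TM=1212000000:LM=1212000000:S=abcdefghijklmnop\r\n\r\n"
)
SMALL_POST = b"POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 20\r\n\r\nuser=bob&pass=secret"

if __name__ == "__main__":
    for name, req in [("short GET", SHORT_GET), ("portal GET", PORTAL_GET), ("small POST", SMALL_POST)]:
        print(name, "->", evaluate_request(req) or "allowed")
```

Only the minimal GET passes all three limits; the portal-style request exceeds both the URI and request-header limits, and the small POST falls under the 100-byte content-length minimum.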
