12-25-2008 12:37 PM - edited 03-11-2019 07:29 AM
Hi experts,
My customer wants to allow messaging just for certain users' IPs and block it for anybody else. His configuration is something like the following:
class-map match-all msn
 match protocol imap
 match access-group name Permited_MSN
ip access-list extended Permited_MSN
 deny ip host 192.168.1.x
 permit ip any any
!
policy-map msnmap
 class msn
  drop
interface BVI1
 ip address 192.168.1.1 255.255.255.0
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly
 service-policy input msnmap
Doing a show policy-map, we never see matched packets being dropped.
Cisco1811W#show policy-map interface bvi 1
BVI1
Service-policy input: msnmap
Class-map: msn (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol imap
Match: access-group name Permited_MSN
drop
Class-map: class-default (match-any)
1722583 packets, 929916071 bytes
5 minute offered rate 612000 bps, drop rate 0 bps
Match: any
Should this configuration work? Can the router block MSN-like traffic with a layer 4 policy, or is it necessary to use zone-based with an application policy?
Any comment on this is highly appreciated.
12-26-2008 09:05 AM
The class map "MSN" will not work. The config is trying to match imap AND the access-list. IMAP has nothing to do with MSN.
Confirmation it is not working is in the policy-map lines:
"0 packets, 0 bytes"
To be honest using QoS (which is the policy map) is not the way to block this type of traffic. MSN has specific ports - depending on the version. The latest versions of MSN or Live Messenger will use HTTP.
HTH>
12-26-2008 09:47 AM
Thank you Andrew!
I figured that this configuration had nothing to do with what the customer wants.
I am now configuring using the zone-based policies.
Configuring an Instant Messenger (IM) Policy
http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008060f6dd.html#wp1566338
However, this seems to have only match-any clause, which does not give the option to tie an acl to take an action only on certain IP traffic.
Is there any other way to accomplish it?
12-26-2008 10:17 AM
Mmmmm reading the link - I would kinda agree on that, however I have not had much experience with the zone based firewall config. I do not have access to a router that supports this feature so cannot really see if multiple matches are available.
Sorry - perhaps another netpro has.
HTH>
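An added configuration sketch, not from the thread or from the Cisco guide linked above, showing how the zone-based firewall can tie IM inspection to an ACL: the Layer 7 IM policy itself has no ACL option, but a match-all Layer 4 inspect class-map can combine "match protocol msnmsgr" with "match access-group", so only listed hosts get the IM policy and everyone else's MSN traffic is dropped. Zone, class-map, ACL and parameter-map names, the resolver and the 192.168.1.50/51 addresses are assumptions; the msnmsgr keywords follow the IOS IM application inspection feature and should be verified on the target IOS release.

```cisco
! Constructed example: allow MSN Messenger only for hosts in MSN_ALLOWED.
! IM inspection resolves the messenger server names, so DNS must work (resolver assumed).
ip domain lookup
ip name-server 192.168.1.10
!
parameter-map type protocol-info msn-servers
 server name messenger.hotmail.com
 server name gateway.messenger.hotmail.com
!
! Hosts permitted to use MSN (assumed addresses)
ip access-list extended MSN_ALLOWED
 permit ip host 192.168.1.50 any
 permit ip host 192.168.1.51 any
!
! Layer 7 (application) policy applied only to the permitted hosts
class-map type inspect msnmsgr match-any msn-l7-class
 match service any
policy-map type inspect im msn-l7-policy
 class type inspect msnmsgr msn-l7-class
  allow
  log
!
! Layer 4: match-all = MSN protocol AND source listed in the ACL
class-map type inspect match-all msn-allowed-l4
 match protocol msnmsgr msn-servers
 match access-group name MSN_ALLOWED
! MSN from any other host; evaluated after the allow class above
class-map type inspect match-any msn-other-l4
 match protocol msnmsgr msn-servers
!
policy-map type inspect inside-to-outside
 class type inspect msn-allowed-l4
  inspect
  service-policy im msn-l7-policy
 class type inspect msn-other-l4
  drop log
! Add your own classes for the other protocols you want inspected;
! traffic matching no class falls into class-default and is dropped.
!
zone security inside
zone security outside
zone-pair security in-out source inside destination outside
 service-policy type inspect inside-to-outside
!
interface BVI1
 zone-member security inside
! The WAN interface gets: zone-member security outside
```

The original "service-policy input msnmap" on BVI1 should be removed, since the QoS policy-map is replaced by the zone-pair policy; the "show policy-map type inspect zone-pair" counters then show whether the two MSN classes are being hit.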