Can a layer 4 policy block IM traffic in IOS firewall?

jopontes
Level 1

Hi experts,

My customer wants to allow messaging just for certain users' IPs and block it for anybody else. His configuration is something like the following:

class-map match-all msn
 match protocol imap
 match access-group name Permited_MSN
!
ip access-list extended Permited_MSN
 deny ip host 192.168.1.x
 permit ip any any
!
policy-map msnmap
 class msn
  drop
!
interface BVI1
 ip address 192.168.1.1 255.255.255.0
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly
 service-policy input msnmap

Doing a show policy-map, we never see matched packets being dropped.

Cisco1811W#show policy-map interface bvi 1
 BVI1

  Service-policy input: msnmap

    Class-map: msn (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol imap
      Match: access-group name Permited_MSN
      drop

    Class-map: class-default (match-any)
      1722583 packets, 929916071 bytes
      5 minute offered rate 612000 bps, drop rate 0 bps
      Match: any

Should this configuration work? Can the router block MSN-like traffic with a layer 4 policy, or is it necessary to use zone-based firewall with an application policy?

Any comment on this is highly appreciated.

3 Replies

andrew.prince
Level 10

The class map "MSN" will not work. The config is trying to match imap AND the access-list. IMAP has nothing to do with MSN.

Confirmation it is not working is in the policy-map lines:

"0 packets, 0 bytes"

To be honest using QoS (which is the policy map) is not the way to block this type of traffic. MSN has specific ports - depending on the version. The latest versions of MSN or Live Messenger will use HTTP.

HTH>
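To make Andrew's point concrete, here is a small constructed Python model of how a match-all class map combines its clauses (an added example, not from either poster or from Cisco; the port-to-protocol table and the host 192.168.1.10 are assumptions standing in for NBAR and for the redacted 192.168.1.x). It shows that the msn class can never match MSN traffic, and that simply switching to match-any would instead drop all traffic from every non-exempt host.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Packet:
    src: str
    dst: str
    dport: int

# Stand-in for NBAR protocol recognition, keyed on destination port.
# Assumption: MSN Messenger on TCP 1863, IMAP on 143/993.
PROTOCOL_PORTS = {"imap": {143, 993}, "msnmsgr": {1863}}

def acl_permits(acl, pkt):
    """Extended ACL on source address: first matching entry wins,
    implicit deny at the end."""
    for action, src_net in acl:
        if ip_address(pkt.src) in ip_network(src_net):
            return action == "permit"
    return False

def class_matches(class_map, pkt):
    """class_map = {'mode': 'match-all' | 'match-any', 'clauses': [...]}.
    match-all needs every clause true; match-any needs just one."""
    results = []
    for kind, value in class_map["clauses"]:
        if kind == "protocol":
            results.append(pkt.dport in PROTOCOL_PORTS[value])
        elif kind == "access-group":
            results.append(acl_permits(value, pkt))
    combine = all if class_map["mode"] == "match-all" else any
    return combine(results)

# The poster's ACL: exempt one host (constructed 192.168.1.10 stands in
# for "192.168.1.x"), then "permit" everyone else so they get selected.
PERMITED_MSN = [("deny", "192.168.1.10/32"), ("permit", "0.0.0.0/0")]
MSN_CLASS = {"mode": "match-all",
             "clauses": [("protocol", "imap"), ("access-group", PERMITED_MSN)]}

def would_drop(pkt, class_map=MSN_CLASS):
    """True when the drop action of policy-map msnmap would fire."""
    return class_matches(class_map, pkt)

if __name__ == "__main__":
    msn = Packet("192.168.1.50", "203.0.113.5", 1863)  # constructed samples
    imap = Packet("192.168.1.50", "203.0.113.5", 143)
    print(would_drop(msn), would_drop(imap))  # False True
```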

Thank you Andrew!

I figured that this configuration had nothing to do with what the customer wants.

I am now configuring using the zone-based policies.

Configuring an Instant Messenger (IM) Policy

http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008060f6dd.html#wp1566338

However, this seems to have only a match-any clause, which does not give the option to tie an ACL to take an action only on certain IP traffic.

Is there any other way to accomplish it?

Mmmmm reading the link - I would kinda agree on that, however I have not had much experience with the zone-based firewall config. I do not have access to a router that supports this feature so cannot really see if multiple matches are available.

Sorry - perhaps another netpro has.

HTH>
