
Trying to block messenger using ZPF on the ASA.

jopontes
Level 1

Hello folks,

I am trying to block messenger using Zone-based Policy for certain users from the local network. This is still a lab environment recreation for a customer. It does not seem to work, and I am not sure this is the right way of doing this in the ASA, or even if it really works at all.

Here is the sample of the configuration:

access-list 1 permit 192.168.1.11
access-list 2 permit 192.168.1.11
class-map type inspect msnmsgr match-any cm_msn
 match service text-chat
 match service any
class-map type inspect match-all msn_http
 match protocol http
 match access-group 2
class-map type inspect match-all msn_protocol
 match protocol msnmsgr
 match access-group 1
class-map type inspect http match-any msn_misuse
 match request port-misuse im
 match request port-misuse any
class-map type inspect match-any cm_internet_protocols
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
 match protocol imap
 match protocol smtp extended
 match protocol pop3
 match protocol tcp
 match protocol udp
!
policy-map type inspect http msn_http_map
 class type inspect http msn_misuse
  reset
 class class-default
policy-map type inspect im pm_msn
 class type inspect msnmsgr cm_msn
  reset
 class class-default
policy-map type inspect pm_smblab_outside
 class type inspect cm_internet_protocols
  inspect
 class type inspect msn_protocol
  inspect
  service-policy im pm_msn
 class type inspect msn_http
  inspect
  service-policy http msn_http_map
 class class-default
!
zone security smblab
zone security outside
 description TAC Lab
interface FastEthernet0
 zone-member security outside
interface BVI1
 zone-member security smblab
zone-pair security smb_out source smblab destination outside
 service-policy type inspect pm_smblab_outside

Any insight on this is highly appreciated.

Best regards,

Jose Pontes

1 Reply

jopontes
Level 1

I am very sorry, just a little mistake. This is an IOS firewall, not an ASA.

Thanks!
