Hello folks,
I am trying to block Messenger using Zone-based Policy for certain users on the local network. This is still a lab environment recreation for a customer. It does not seem to work, and I am not sure whether this is the right way of doing this in the ASA, or even whether it really works at all.
Here is a sample of the configuration:
access-list 1 permit 192.168.1.11
access-list 2 permit 192.168.1.11
class-map type inspect msnmsgr match-any cm_msn
 match service text-chat
 match service any
class-map type inspect match-all msn_http
 match protocol http
 match access-group 2
class-map type inspect match-all msn_protocol
 match protocol msnmsgr
 match access-group 1
class-map type inspect http match-any msn_misuse
 match request port-misuse im
 match request port-misuse any
class-map type inspect match-any cm_internet_protocols
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
 match protocol imap
 match protocol smtp extended
 match protocol pop3
 match protocol tcp
 match protocol udp
!
policy-map type inspect http msn_http_map
 class type inspect http msn_misuse
  reset
 class class-default
policy-map type inspect im pm_msn
 class type inspect msnmsgr cm_msn
  reset
 class class-default
policy-map type inspect pm_smblab_outside
 class type inspect cm_internet_protocols
  inspect
 class type inspect msn_protocol
  inspect
  service-policy im pm_msn
 class type inspect msn_http
  inspect
  service-policy http msn_http_map
 class class-default
!
zone security smblab
zone security outside
 description TAC Lab
interface FastEthernet0
 zone-member security outside
interface BVI1
 zone-member security smblab
zone-pair security smb_out source smblab destination outside
 service-policy type inspect pm_smblab_outside
Any insight on this is highly appreciated.
Best regards,
Jose Pontes