Blocking Skype 4.1 in Cisco 1841

Unanswered Question
Jan 25th, 2010

I'm using a Cisco 1841 Router (IOS: 1841 Software (C1841-ADVSECURITYK9-M), Version 15.1(1)XB) and I want to block P2P traffic in my network (Skype, MSN Messenger, Facebook, ...). I tried the code in this post (I read all the forums about this problem) but without success (only for Skype v4.1):

!
fpm package-group Test
!
ip cef
ip inspect log drop-pkt
ip inspect name URL_Stupid http urlfilter
ip inspect name block_stupid appfw block_stupid
ip inspect name block_stupid icmp
ip inspect name block_stupid dns
ip inspect name block_stupid esmtp
ip inspect name block_stupid https
ip inspect name block_stupid imap reset
ip inspect name block_stupid pop3 reset
ip inspect name block_stupid tcp
ip inspect name block_stupid udp

!

!

ip name-server xxx.xxx.xxx.xxx

ip urlfilter allow-mode on
ip urlfilter exclusive-domain deny .skype.com
ip urlfilter exclusive-domain deny .youtube.com
ip urlfilter exclusive-domain deny .ebay.com
ip urlfilter exclusive-domain deny .facebook.com
ip urlfilter exclusive-domain deny .messenger.hotmail.com

!

ip ips notify SDEE
ip ips name ips_rule
i
!
appfw policy-name block_stupid
  application im aol
    service default action reset alarm
    service text-chat action reset alarm
    server deny name login.oscar.aol.com
    server deny name toc.oscar.aol.com
    server deny name oam-d09a.blue.aol.com
    audit-trail on
  application im msn
    service default action reset alarm
    service text-chat action reset alarm
    server deny name messenger.hotmail.com
    server deny name gateway.messenger.hotmail.com
    server deny name webmessenger.msn.com
    audit-trail on
  application http
    strict-http action reset alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action reset alarm
  application im yahoo
    service default action reset alarm
    service text-chat action reset alarm
    server deny name scs.msg.yahoo.com
    server deny name scsa.msg.yahoo.com
    server deny name scsb.msg.yahoo.com
    server deny name scsc.msg.yahoo.com
    server deny name scsd.msg.yahoo.com
    server deny name cs16.msg.dcn.yahoo.com
    server deny name cs19.msg.dcn.yahoo.com
    server deny name cs42.msg.dcn.yahoo.com
    server deny name cs53.msg.dcn.yahoo.com
    server deny name cs54.msg.dcn.yahoo.com
    server deny name ads1.vip.scd.yahoo.com
    server deny name radio1.launch.vip.dal.yahoo.com
    server deny name in1.msg.vip.re2.yahoo.com
    server deny name data1.my.vip.sc5.yahoo.com
    server deny name address1.pim.vip.mud.yahoo.com
    server deny name edit.messenger.yahoo.com
    server deny name messenger.yahoo.com
    server deny name http.pager.yahoo.com
    server deny name privacy.yahoo.com
    server deny name csa.yahoo.com
    server deny name csb.yahoo.com
    server deny name csc.yahoo.com
    audit-trail on
!
!
!
load protocol flash://TCDF/ip.phdf
load protocol flash://TCDF/tcp.phdf
!
!
class-map match-any p2p_skype
match protocol skype
class-map match-any p2p_edonkey
match protocol edonkey
class-map match-any p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map type stack match-all ip_tcp
match field IP protocol eq 6 next TCP
class-map match-any p2p
match protocol edonkey
match protocol fasttrack
match protocol gnutella
match protocol kazaa2
match protocol winmx
match protocol skype
match access-group 102
class-map match-any p2p_gnutella
match protocol gnutella
class-map type access-control match-any skype
! match-any, not match-all: both rules test the same 4 bytes at payload offset 0
! for different values, so a match-all class can never match a single packet
match start TCP payload-start offset 0 size 4 eq 0x17030100
match start TCP payload-start offset 0 size 4 eq 0x16030100
class-map match-any p2p_bittorrent
match protocol bittorrent
!
!
policy-map type access-control child
class skype
   log
   drop
policy-map type access-control parent
class ip_tcp
  service-policy child
policy-map Block_p2p
class p2p
   drop
policy-map appfwp2p_Stupid_Protocol
class p2p_gnutella
   drop
class p2p_bittorrent
   drop
class p2p_edonkey
   drop
class p2p_kazaa
   drop
class p2p_skype
   drop
!
!
!
interface FastEthernet0/1
description --LAN--
bandwidth 102400
ip address xxx.xxx.xxx.xxx 255.255.255.248
ip access-group ACL_OUT in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip inspect URL_Stupid in
ip inspect block_stupid out
ip nat inside
ip ips ips_rule in
ip virtual-reassembly
ip tcp adjust-mss 1452
duplex auto
speed auto
no mop enabled
service-policy input Block_p2p
!
!
interface Dialer1
description --Internent--
bandwidth 200
ip ddns update hostname host.dyndns.org
ip ddns update ddns1
ip address negotiated
ip access-group ACL_IN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip inspect block_stupid in
ip nat outside
ip ips ips_rule out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname emaster
ppp chap password xxxxxxxx
ppp pap sent-username emaster password xxxxxx
ppp ipcp dns request
ppp ipcp route default
no cdp enable
service-policy input appfwp2p_Stupid_Protocol
service-policy output appfwp2p_Stupid_Protocol
service-policy type access-control input parent
!
i
!
ip flow-top-talkers
top 10
sort-by bytes
!
ip dns server
!
ip nat inside source route-map Std_NAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended ACL_IN
.

.

.

.
ip access-list extended ACL_NAT
.

.

.

.
deny   ip any any log
ip access-list extended ACL_OUT
.

.

.


ip access-list extended ACL_Vty
.

.

.


!
!
route-map Std_NAT permit 10
match ip address ACL_NAT
!
route-map Std_NAT1 permit 10
match ip address ACL_NAT
!
!
!


Please help!?

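To see why the posted FPM class-map never fires, here is an added Python re-implementation (not code from the post or from Cisco) of the two `match start TCP payload-start offset 0 size 4 eq ...` rules under `match-all` versus `match-any` semantics. The payloads are constructed TLS 1.0 record headers and an HTTP request, not captures; the rule dictionaries and function names are my own.

```python
"""Emulate an FPM 'class-map type access-control' over TCP payload bytes.

Added example, not part of the original post. Both signatures from the
posted config test the same four bytes at payload offset 0 for different
values, so a match-all class can never be satisfied by one packet; the
emulation below makes that visible next to the match-any result.
"""

# The two signatures from the posted class-map: a TLS 1.0 record header with
# content type application data (0x17) or handshake (0x16) and length < 256.
SKYPE_SIGNATURES = [
    {"offset": 0, "size": 4, "eq": 0x17030100},
    {"offset": 0, "size": 4, "eq": 0x16030100},
]


def match_rule(payload: bytes, rule: dict) -> bool:
    """Emulate 'match start TCP payload-start offset N size S eq VALUE'."""
    off, size = rule["offset"], rule["size"]
    window = payload[off:off + size]
    if len(window) < size:  # payload too short to compare: no match
        return False
    return int.from_bytes(window, "big") == rule["eq"]


def classify(payload: bytes, rules, mode: str) -> bool:
    """Emulate the class-map verdict in 'match-all' or 'match-any' mode."""
    results = [match_rule(payload, r) for r in rules]
    if mode == "match-all":
        return all(results)
    if mode == "match-any":
        return any(results)
    raise ValueError(f"unknown class-map mode: {mode}")


# Constructed sample TCP payloads (first TLS record bytes plus filler).
HANDSHAKE_RECORD = bytes.fromhex("16030100") + b"\x2f\x01\x00\x00"
APPDATA_RECORD = bytes.fromhex("17030100") + b"\x20\xaa\xbb\xcc"
HTTP_GET = b"GET / HTTP/1.1\r\n"


def demo() -> dict:
    """Return the verdict of each mode for each sample payload."""
    samples = {"tls10_handshake": HANDSHAKE_RECORD,
               "tls10_appdata": APPDATA_RECORD,
               "http_get": HTTP_GET}
    return {mode: {name: classify(p, SKYPE_SIGNATURES, mode)
                   for name, p in samples.items()}
            for mode in ("match-all", "match-any")}


if __name__ == "__main__":
    for mode, verdicts in demo().items():
        print(mode, verdicts)
```

Note that the two samples are just generic TLS 1.0 record headers with a short first record, so once the class is switched to `match-any` it will also match ordinary HTTPS handshakes on every TCP port the `parent` policy covers; checking the `log` counters on the `child` policy before leaving `drop` in place shows how much legitimate traffic the signature catches.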