How block Skype 4.1 (in Cisco router 1841)

Unanswered Question
Jan 27th, 2010

Hello,

I'm using a Cisco 1841 router (IOS: 1841 Software (C1841-ADVSECURITYK9-M), Version 15.1(1)XB) and I want to block P2P traffic in my network (Skype 4.1, MSN Messenger, Facebook, ...). I tried the code in this post (I read all the forums with the same problem) but without success (for the new Skype v4.1):

!
fpm package-group Test
!
ip cef
ip inspect log drop-pkt
ip inspect name URL_Stupid http urlfilter
ip inspect name block_stupid appfw block_stupid
ip inspect name block_stupid icmp
ip inspect name block_stupid dns
ip inspect name block_stupid esmtp
ip inspect name block_stupid https
ip inspect name block_stupid imap reset
ip inspect name block_stupid pop3 reset
ip inspect name block_stupid tcp
ip inspect name block_stupid udp

!

!

ip name-server xxx.xxx.xxx.xxx

ip urlfilter allow-mode on
ip urlfilter exclusive-domain deny .skype.com
ip urlfilter exclusive-domain deny .youtube.com
ip urlfilter exclusive-domain deny .ebay.com
ip urlfilter exclusive-domain deny .facebook.com
ip urlfilter exclusive-domain deny .messenger.hotmail.com

!

ip ips notify SDEE
ip ips name ips_rule
!
appfw policy-name block_stupid
  application im aol
    service default action reset alarm
    service text-chat action reset alarm
    server deny name login.oscar.aol.com
    server deny name toc.oscar.aol.com
    server deny name oam-d09a.blue.aol.com
    audit-trail on
  application im msn
    service default action reset alarm
    service text-chat action reset alarm
    server deny name messenger.hotmail.com
    server deny name gateway.messenger.hotmail.com
    server deny name webmessenger.msn.com
    audit-trail on
  application http
    strict-http action reset alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action reset alarm
  application im yahoo
    service default action reset alarm
    service text-chat action reset alarm
    server deny name scs.msg.yahoo.com
    server deny name scsa.msg.yahoo.com
    server deny name scsb.msg.yahoo.com
    server deny name scsc.msg.yahoo.com
    server deny name scsd.msg.yahoo.com
    server deny name cs16.msg.dcn.yahoo.com
    server deny name cs19.msg.dcn.yahoo.com
    server deny name cs42.msg.dcn.yahoo.com
    server deny name cs53.msg.dcn.yahoo.com
    server deny name cs54.msg.dcn.yahoo.com
    server deny name ads1.vip.scd.yahoo.com
    server deny name radio1.launch.vip.dal.yahoo.com
    server deny name in1.msg.vip.re2.yahoo.com
    server deny name data1.my.vip.sc5.yahoo.com
    server deny name address1.pim.vip.mud.yahoo.com
    server deny name edit.messenger.yahoo.com
    server deny name messenger.yahoo.com
    server deny name http.pager.yahoo.com
    server deny name privacy.yahoo.com
    server deny name csa.yahoo.com
    server deny name csb.yahoo.com
    server deny name csc.yahoo.com
    audit-trail on
!
!
!
load protocol flash://TCDF/ip.phdf
load protocol flash://TCDF/tcp.phdf
!
!
class-map match-any p2p_skype
match protocol skype
class-map match-any p2p_edonkey
match protocol edonkey
class-map match-any p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map type stack match-all ip_tcp
match field IP protocol eq 6 next TCP
class-map match-any p2p
match protocol edonkey
match protocol fasttrack
match protocol gnutella
match protocol kazaa2
match protocol winmx
match protocol skype
match access-group 102
class-map match-any p2p_gnutella
match protocol gnutella
! match-any: a packet carries one of the two values, never both, so match-all could never fire
class-map type access-control match-any skype
match start TCP payload-start offset 0 size 4 eq 0x17030100
match start TCP payload-start offset 0 size 4 eq 0x16030100
class-map match-any p2p_bittorrent
match protocol bittorrent
!
!
policy-map type access-control child
class skype
   log
   drop
policy-map type access-control parent
class ip_tcp
  service-policy child
policy-map Block_p2p
class p2p
   drop
policy-map appfwp2p_Stupid_Protocol
class p2p_gnutella
   drop
class p2p_bittorrent
   drop
class p2p_edonkey
   drop
class p2p_kazaa
   drop
class p2p_skype
   drop
!
!
!
interface FastEthernet0/1
description --LAN--
bandwidth 102400
ip address xxx.xxx.xxx.xxx 255.255.255.248
ip access-group ACL_OUT in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip inspect URL_Stupid in
ip inspect block_stupid out
ip nat inside
ip ips ips_rule in
ip virtual-reassembly
ip tcp adjust-mss 1452
duplex auto
speed auto
no mop enabled
service-policy input Block_p2p
!
!
interface Dialer1
description --Internent--
bandwidth 200
ip ddns update hostname host.dyndns.org
ip ddns update ddns1
ip address negotiated
ip access-group ACL_IN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip inspect block_stupid in
ip nat outside
ip ips ips_rule out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname emaster
ppp chap password xxxxxxxx
ppp pap sent-username emaster password xxxxxx
ppp ipcp dns request
ppp ipcp route default
no cdp enable
service-policy input appfwp2p_Stupid_Protocol
service-policy output appfwp2p_Stupid_Protocol
service-policy type access-control input parent
!
!
ip flow-top-talkers
top 10
sort-by bytes
!
ip dns server
!
ip nat inside source route-map Std_NAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended ACL_IN
.

.

.

.
ip access-list extended ACL_NAT
.

.

.

.
deny   ip any any log
ip access-list extended ACL_OUT
.

.

.


ip access-list extended ACL_Vty
.

.

.


!
!
route-map Std_NAT permit 10
match ip address ACL_NAT
!
route-map Std_NAT1 permit 10
match ip address ACL_NAT
!
!
!


Please Help  !?
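As an added example (not from the thread and not Cisco code), here is a Python model of the FPM class-map in the question, treating the two TCP payload header values as alternatives and running it over constructed sample payloads. It shows what the signature actually keys on (a TLS 1.0 record header whose length field is below 256 bytes) and why, when the parent policy is applied to all TCP, it also matches an ordinary HTTPS ClientHello on port 443. The exempt_ports argument is my own refinement, not something the question's config does.

```python
"""Model of the FPM 'skype' class-map from the question (added example, not Cisco code)."""

# The two 32-bit values the class-map compares against TCP payload bytes 0..3
# (match start TCP payload-start offset 0 size 4 eq 0x17030100 / 0x16030100).
# Both are TLS 1.0 record headers: content type, version 0x0301, high length byte 0x00.
FPM_SIGNATURES = {
    0x16030100: "TLS 1.0 handshake record with length < 256",
    0x17030100: "TLS 1.0 application-data record with length < 256",
}

# Constructed sample flows, not captured traffic: (description, dst_port, first payload bytes)
SAMPLE_FLOWS = [
    ("TLS 1.0 ClientHello on a high port", 44123, bytes.fromhex("16030100a1010000")),
    ("TLS 1.0 application data on a high port", 44123, bytes.fromhex("17030100200000")),
    ("Plain HTTP request", 80, b"GET / HTTP/1.1\r\n"),
    ("TLS 1.0 ClientHello to a real HTTPS server", 443, bytes.fromhex("160301009c010000")),
    ("TLS 1.0 record longer than 255 bytes", 44123, bytes.fromhex("1603010120010000")),
    ("TLS 1.2 ClientHello", 44123, bytes.fromhex("16030300c0010000")),
    ("Payload shorter than the matched field", 44123, b"\x16\x03"),
]


def fpm_field(payload, offset=0, size=4):
    """Mirror 'match start TCP payload-start offset N size M': return the
    big-endian integer value of that field, or None if the payload is too short."""
    field = payload[offset:offset + size]
    if len(field) < size:
        return None
    return int.from_bytes(field, "big")


def fpm_match(payload):
    """True when the first four payload bytes equal either signature value (match-any)."""
    return fpm_field(payload) in FPM_SIGNATURES


def would_drop(dst_port, payload, exempt_ports=frozenset()):
    """The child policy drops every packet whose payload matches.
    exempt_ports is an assumed refinement so that real HTTPS (443) can be left alone."""
    if dst_port in exempt_ports:
        return False
    return fpm_match(payload)


def evaluate(flows, exempt_ports=frozenset()):
    """Return (description, dropped) for each constructed flow."""
    return [(desc, would_drop(port, payload, exempt_ports)) for desc, port, payload in flows]


if __name__ == "__main__":
    for desc, dropped in evaluate(SAMPLE_FLOWS):
        print(("DROP " if dropped else "pass ") + desc)
```

Note what the table says about the question's setup: the TLS 1.0 ClientHello to a genuine HTTPS server is dropped just like the high-port one, while a record whose length field exceeds 255 bytes, or any TLS 1.2 handshake, passes, so the signature is both broader and narrower than "Skype".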

lmcruzhsa Thu, 02/11/2010 - 08:58

I have the same problem here.

Did you find any solution? I am still doing a research.

How is the IOS you are running? Is it stable?

durakovica Mon, 02/15/2010 - 00:55

Hello,

I have not found any solution to my problem. I read many technical posts/documents for the old version of Skype. This IOS is very stable.

Thank you.

lmcruzhsa Sun, 02/21/2010 - 09:35

Thanks for the info.

It is a pity to read that.

Hopefully Cisco will improve NBAR and PDLMs (they said so at Cisco Networkers, but we will see).

Thanks to you ;-)

Use NBAR or Cisco IOS Flexible Packet Matching

=========================

NBAR Example:-

NBAR configuration to drop Skype packets

class-map match-any p2p
match protocol skype

policy-map block-p2p
class p2p
drop

int FastEthernet0
description PIX-facing interface
service-policy input block-p2p

If you are unsure which bandwidth-eating applications are being used in your organisation, you can go to the interface connected to the Internet and configure the following command:

ip nbar protocol-discovery

This will enable NBAR protocol discovery on that interface of your router.

Then use the following command:-

show ip nbar protocol-discovery stats bit-rate top-n 10

It will show you the top 10 bandwidth-eating applications used by your users. You will then be able to block/restrict that traffic with an appropriate QoS policy.

We can also use the ip nbar port-map command to make NBAR look for a protocol, by name, on port numbers other than the well-known Internet Assigned Numbers Authority (IANA)-assigned port numbers.

Usage as per cisco:-
ip nbar port-map protocol-name [tcp | udp]  port-number

Up to 16 ports can be specified with this command. Port number values can range from 0 to 65535.

=============

Cisco IOS Flexible Packet Matching

Step by step for your router, provided you have the right image:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6723/prod_white_paper0900aecd80633b0a.html

also look at

http://web.archive.org/web/20080507093150rn_1/6200networks.com/2007/10/11/block-skype-using-ios/

durakovica Mon, 02/15/2010 - 00:46

Hello,

I read your post. I have seen these solutions before. These solutions work only for the old version of Skype. Skype version 4.1 bypasses the skype protocol definition in the Cisco IOS router. I have not tested with Cisco ASA!

Thank you.
CSCO11799264 Mon, 08/02/2010 - 19:13

There is only one way to stop (block) Skype (well, at least the only one I am aware of):

Every time a user launches Skype, it instantly looks for a Super Node. It also uses the NUMERICAL address to connect, and there is a way to deny access to all numerical addresses using Linux access lists; here's an example:

# Your acl definitions (Squid proxy ACL syntax).
# url_regex is tested against the whole request URL, which for a CONNECT request is
# just host:port, so a dotted-quad target matches at the start of the string.
# (The original used urlpath_regex, which tests only the path component.)
acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
acl connect method CONNECT

# Apply your acls: http_access is one word, and the acl name must match the definition above.
# Every acl on the line must match (AND), and the first matching http_access line wins.
http_access deny connect numeric_IPs all

Have a good one, hope that helps
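As an added example (not from the post and not Squid itself), here is a Python model of how Squid evaluates the acl / http_access lines above: every ACL named on an http_access line must match, lines are checked in order, and the first match wins. Run over constructed CONNECT and GET requests, it shows which targets the dotted-quad pattern catches and which it does not (an IPv6 literal, or a plain GET whose URL starts with http://). The stricter numeric_IPs_443 pattern and the explicit fall-through deny are my own additions for comparison; the ACL names otherwise follow the post.

```python
"""Model of the Squid-style numeric-IP CONNECT rule from the post (added example, not Squid code)."""
import re

# Pattern from the post: matches a dotted quad at the start of the URL (for CONNECT, "host:port").
LOOSE_NUMERIC = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")
# Assumed stricter variant: only dotted quads that CONNECT to port 443.
STRICT_NUMERIC_443 = re.compile(r"^(?:[0-9]{1,3}\.){3}[0-9]{1,3}:443$")

# acl name -> predicate over (method, url); mirrors the 'acl' lines.
ACLS = {
    "numeric_IPs": lambda m, u: LOOSE_NUMERIC.search(u) is not None,
    "numeric_IPs_443": lambda m, u: STRICT_NUMERIC_443.search(u) is not None,
    "connect": lambda m, u: m == "CONNECT",
    "all": lambda m, u: True,
}

# http_access lines in order: (action, [acl names]); all acls on a line must match.
HTTP_ACCESS = [
    ("deny", ["connect", "numeric_IPs"]),
    ("allow", ["all"]),
]

# Constructed requests, not real proxy logs: (method, url)
SAMPLE_REQUESTS = [
    ("CONNECT", "203.0.113.10:443"),            # numeric target on 443
    ("CONNECT", "203.0.113.10:12350"),          # numeric target on a high port
    ("CONNECT", "www.example.com:443"),         # hostname target
    ("GET", "http://203.0.113.10/index.html"),  # numeric host, but not a CONNECT and URL starts with http://
    ("CONNECT", "[2001:db8::1]:443"),           # IPv6 literal, not a dotted quad
]


def http_access(method, url, rules=HTTP_ACCESS, acls=ACLS):
    """Return 'allow' or 'deny' the way Squid's http_access list would decide.
    Real Squid falls through to the opposite of the last line; here the
    fall-through is made explicit so the result never depends on rule order alone."""
    for action, names in rules:
        if all(acls[name](method, url) for name in names):
            return action
    return "deny"


def evaluate(requests, rules=HTTP_ACCESS):
    """Return (method, url, decision) for each constructed request."""
    return [(m, u, http_access(m, u, rules)) for m, u in requests]


if __name__ == "__main__":
    for method, url, decision in evaluate(SAMPLE_REQUESTS):
        print(f"{decision:5s} {method} {url}")
```

Swapping numeric_IPs for numeric_IPs_443 in the deny line keeps the port-443 CONNECT blocked but lets the high-port one through, which is the trade-off between the post's broad rule and a narrower one.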

CSCO11799264 Mon, 08/02/2010 - 19:28
Warning Indicators

The following versions of Skype are vulnerable:

Skype for Windows Version 1.4.0.83 and prior
Skype for Mac OS X Version 1.3.0.16 and prior
Skype for Linux Version 1.2.0.17 and prior
Skype for Pocket PC Version 1.1.0.6 and prior

It only works for old versions of Skype.

Leo Laohoo Mon, 08/02/2010 - 19:42

True, but ...

Normal Skype client usage will fire this signature.
