01-27-2010 01:31 AM - edited 03-09-2019 10:48 PM
Hello,
I'm using a Cisco 1841 Router (IOS: 1841 Software (C1841-ADVSECURITYK9-M), Version 15.1(1)XB) and I want to block P2P traffic in my network (Skype 4.1, MSN Messenger, Facebook, ...). I tried the code in this post (I read all the forums with the same problem) but without success (for the new Skype v4.1):
!
fpm package-group Test
!
ip cef
ip inspect log drop-pkt
ip inspect name URL_Stupid http urlfilter
ip inspect name block_stupid appfw block_stupid
ip inspect name block_stupid icmp
ip inspect name block_stupid dns
ip inspect name block_stupid esmtp
ip inspect name block_stupid https
ip inspect name block_stupid imap reset
ip inspect name block_stupid pop3 reset
ip inspect name block_stupid tcp
ip inspect name block_stupid udp
!
!
ip name-server xxx.xxx.xxx.xxx
ip urlfilter allow-mode on
ip urlfilter exclusive-domain deny .skype.com
ip urlfilter exclusive-domain deny .youtube.com
ip urlfilter exclusive-domain deny .ebay.com
ip urlfilter exclusive-domain deny .facebook.com
ip urlfilter exclusive-domain deny .messenger.hotmail.com
!
ip ips notify SDEE
ip ips name ips_rule
!
appfw policy-name block_stupid
application im aol
service default action reset alarm
service text-chat action reset alarm
server deny name login.oscar.aol.com
server deny name toc.oscar.aol.com
server deny name oam-d09a.blue.aol.com
audit-trail on
application im msn
service default action reset alarm
service text-chat action reset alarm
server deny name messenger.hotmail.com
server deny name gateway.messenger.hotmail.com
server deny name webmessenger.msn.com
audit-trail on
application http
strict-http action reset alarm
port-misuse im action reset alarm
port-misuse p2p action reset alarm
port-misuse tunneling action reset alarm
application im yahoo
service default action reset alarm
service text-chat action reset alarm
server deny name scs.msg.yahoo.com
server deny name scsa.msg.yahoo.com
server deny name scsb.msg.yahoo.com
server deny name scsc.msg.yahoo.com
server deny name scsd.msg.yahoo.com
server deny name cs16.msg.dcn.yahoo.com
server deny name cs19.msg.dcn.yahoo.com
server deny name cs42.msg.dcn.yahoo.com
server deny name cs53.msg.dcn.yahoo.com
server deny name cs54.msg.dcn.yahoo.com
server deny name ads1.vip.scd.yahoo.com
server deny name radio1.launch.vip.dal.yahoo.com
server deny name in1.msg.vip.re2.yahoo.com
server deny name data1.my.vip.sc5.yahoo.com
server deny name address1.pim.vip.mud.yahoo.com
server deny name edit.messenger.yahoo.com
server deny name messenger.yahoo.com
server deny name http.pager.yahoo.com
server deny name privacy.yahoo.com
server deny name csa.yahoo.com
server deny name csb.yahoo.com
server deny name csc.yahoo.com
audit-trail on
!
!
!
! FPM protocol header definition files (PHDFs) needed by the stack/access-control class maps
load protocol flash://TCDF/ip.phdf
load protocol flash://TCDF/tcp.phdf
!
!
class-map match-any p2p_skype
match protocol skype
class-map match-any p2p_edonkey
match protocol edonkey
class-map match-any p2p_kazaa
match protocol fasttrack
match protocol kazaa2
! FPM stack class: IP packets with protocol 6 (TCP), so the TCP payload can be located
class-map type stack match-all ip_tcp
match field IP protocol eq 6 next TCP
class-map match-any p2p
match protocol edonkey
match protocol fasttrack
match protocol gnutella
match protocol kazaa2
match protocol winmx
match protocol skype
match access-group 102
class-map match-any p2p_gnutella
match protocol gnutella
! Both match lines compare the same four payload bytes against different values,
! so "match-all" can never be true; "match-any" is what was intended.
! 0x16/0x17 0x03 0x01 0x00 is a TLS 1.0 record header (handshake / application data)
! with a record length below 256 bytes, so this also matches ordinary HTTPS traffic.
class-map type access-control match-any skype
match start TCP payload-start offset 0 size 4 eq 0x17030100
match start TCP payload-start offset 0 size 4 eq 0x16030100
class-map match-any p2p_bittorrent
match protocol bittorrent
!
!
policy-map type access-control child
class skype
log
drop
policy-map type access-control parent
class ip_tcp
service-policy child
policy-map Block_p2p
class p2p
drop
policy-map appfwp2p_Stupid_Protocol
class p2p_gnutella
drop
class p2p_bittorrent
drop
class p2p_edonkey
drop
class p2p_kazaa
drop
class p2p_skype
drop
!
!
!
interface FastEthernet0/1
description --LAN--
bandwidth 102400
ip address xxx.xxx.xxx.xxx 255.255.255.248
ip access-group ACL_OUT in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip inspect URL_Stupid in
! "out" on the LAN interface inspects traffic leaving toward the LAN, i.e. sessions
! initiated from the Internet side; sessions that LAN hosts open (IM/Skype logins)
! are not inspected by block_stupid here
ip inspect block_stupid out
ip nat inside
ip ips ips_rule in
ip virtual-reassembly
ip tcp adjust-mss 1452
duplex auto
speed auto
no mop enabled
service-policy input Block_p2p
!
!
interface Dialer1
description --Internent--
bandwidth 200
ip ddns update hostname host.dyndns.org
ip ddns update ddns1
ip address negotiated
ip access-group ACL_IN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nbar protocol-discovery
ip flow ingress
ip flow egress
! "in" on Dialer1 inspects traffic entering from the Internet, again not the
! sessions that LAN hosts initiate
ip inspect block_stupid in
ip nat outside
ip ips ips_rule out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname emaster
ppp chap password xxxxxxxx
ppp pap sent-username emaster password xxxxxx
ppp ipcp dns request
ppp ipcp route default
no cdp enable
service-policy input appfwp2p_Stupid_Protocol
service-policy output appfwp2p_Stupid_Protocol
! the FPM policy is evaluated only on packets arriving from the Internet;
! packets sent by LAN hosts are not checked by it
service-policy type access-control input parent
!
ip flow-top-talkers
top 10
sort-by bytes
!
ip dns server
!
ip nat inside source route-map Std_NAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended ACL_IN
.
.
.
.
ip access-list extended ACL_NAT
.
.
.
.
deny ip any any log
ip access-list extended ACL_OUT
.
.
.
ip access-list extended ACL_Vty
.
.
.
!
!
route-map Std_NAT permit 10
match ip address ACL_NAT
!
route-map Std_NAT1 permit 10
match ip address ACL_NAT
!
!
!
Please Help !?
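As an added example (not from the thread or from Cisco), the following Python emulates what the FPM class-map in the post above compares, so the behaviour of the two `match start ... eq` lines can be seen on sample data. The function names and the TCP payloads are my own constructions; the TLS records are hand-built, not captured traffic.

```python
"""Emulate the FPM 'skype' class-map from the post: compare the first four bytes
of TCP payload against 0x17030100 and 0x16030100, under match-all (as posted)
and match-any semantics, and decode what those bytes are in TLS terms.

Assumptions: sample payloads are constructed by hand; function names are mine.
"""
import struct

FPM_PATTERNS = (bytes.fromhex("17030100"), bytes.fromhex("16030100"))
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}


def fpm_class_matches(payload: bytes, match_all: bool = False) -> bool:
    """'match start TCP payload-start offset 0 size 4 eq <pattern>' for both patterns.

    match_all=True reproduces the posted class-map: both comparisons look at the
    same four bytes against different values, so the result is always False.
    match_all=False is the match-any variant that can actually fire.
    """
    head = payload[:4]
    results = [head == pattern for pattern in FPM_PATTERNS]
    return all(results) if match_all else any(results)


def tls_record_header(payload: bytes):
    """Decode a TLS record header (type, version, length); None if not TLS."""
    if len(payload) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    if ctype not in TLS_CONTENT_TYPES or major != 3:
        return None
    return {"type": TLS_CONTENT_TYPES[ctype], "version": (major, minor), "length": length}


def build_tls_record(ctype: int, version: tuple, body: bytes) -> bytes:
    """Wrap body in a TLS record header (constructed test data)."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(body)) + body


# Constructed sample payloads (first bytes of a TCP stream).
SAMPLES = {
    # TLS 1.0 ClientHello with 0xa5 bytes of body: an ordinary HTTPS connection
    "https_tls10_clienthello": build_tls_record(0x16, (3, 1), b"\x01" + b"\x00" * 0xa4),
    # Same handshake but TLS 1.2: version bytes 0x0303 do not match the pattern
    "https_tls12_clienthello": build_tls_record(0x16, (3, 3), b"\x01" + b"\x00" * 0xa4),
    # TLS 1.0 application data of 1000 bytes: length high byte is 0x03, not 0x00
    "tls10_appdata_large": build_tls_record(0x17, (3, 1), b"A" * 1000),
    # Plain HTTP request: not TLS at all
    "http_get": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
}


def classify(payload: bytes) -> dict:
    """Report both class-map semantics plus the decoded TLS header for one payload."""
    return {
        "fpm_posted_match_all": fpm_class_matches(payload, match_all=True),
        "fpm_match_any": fpm_class_matches(payload, match_all=False),
        "tls": tls_record_header(payload),
    }


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, classify(payload))
```

The run shows two things a practitioner wants to know before deploying that class-map: as posted (match-all) it drops nothing, and once corrected to match-any it drops every TLS 1.0 record shorter than 256 bytes, which includes a normal HTTPS ClientHello of the period, while TLS 1.2 and large records pass.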
02-11-2010 08:58 AM
I have the same problem here.
Did you find any solution? I am still doing a research.
How is the IOS you are running is it stable?
02-15-2010 12:55 AM
Hello,
I have not found any solution to my problem. I read many technical posts/documents for the old version of Skype. This IOS is very stable.
Thank you.
02-21-2010 09:35 AM
Thanks for the info.
It is a pity to read that.
Hopefully Cisco will improve NBAR and PDLMs (they said so at Cisco Networkers, but we will see).
Thanks to you ;-)
02-12-2010 12:38 PM
Use NBAR or Cisco IOS Flexible Packet Matching
=========================
NBAR Example:-
NBAR configuration to drop Skype packets
class-map match-any p2p
match protocol skype
policy-map block-p2p
class p2p
drop
int FastEthernet0
description PIX-facing interface
service-policy input block-p2p
If you are unsure about the bandwidth-eating applications being used in your organisation, you can go to the interface connected to the Internet and configure the following command:
ip nbar protocol-discovery
This will enable NBAR discovery on your router.
Use the following command:
show ip nbar protocol-discovery stats bit-rate top-n 10
It will show you the top 10 bandwidth-eating applications being used by the users. Now you will be able to block/restrict traffic with an appropriate QoS policy.
We can also use the ip nbar port-map command to look for a protocol, by protocol name, using a port number or numbers other than the well-known IANA-assigned port numbers.
Usage as per Cisco:
ip nbar port-map protocol-name [tcp | udp] port-number
Up to 16 ports can be specified with this command. Port number values can range from 0 to 65535.
=============
Cisco IOS Flexible Packet Matching
Step by step for your router, provided you have the right image:
also look at
http://web.archive.org/web/20080507093150rn_1/6200networks.com/2007/10/11/block-skype-using-ios/
02-15-2010 12:46 AM
08-02-2010 07:13 PM
There is only one way to stop/block Skype (well, at least the only one I am aware of):
Every time a user launches Skype, it instantly looks for a Super Node. It also uses the NUMERICAL address to connect, and there is a way to deny access to all numerical addresses using Linux access lists; here's an example:
# Your acl definitions
acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
acl connect method CONNECT
# Apply your acls (every ACL named on the line must match for the deny to apply)
http_access deny connect numeric_IPs all
Have a good one, hope that helps
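As an added example (not from the thread), the following Python evaluates the Squid rule in the post above against a few constructed proxy request lines, so that what it denies and what it lets through can be checked before it goes on a live proxy. It assumes the regex is applied to the host:port string of a CONNECT request (how Squid exposes a CONNECT target to a path regex is not stated in the post, so that is my assumption); the request lines, function names and the tightened regex are mine.

```python
"""Evaluate 'http_access deny connect numeric_IPs' against sample request lines.

Squid denies on an http_access line only when every ACL listed on it matches,
so a request must be a CONNECT *and* name a numeric host to be denied here.
Assumptions: the regex is applied to host[:port] for CONNECT (or the URL minus
its scheme otherwise); request lines are constructed samples.
"""
import re

# Regex exactly as written in the post: anchored at the start only.
POSTED_NUMERIC_IP = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")

# Tightened variant (my assumption of the intent): a bare IPv4 literal,
# optionally followed by :port, and nothing after it.
STRICT_NUMERIC_IP = re.compile(r"^[0-9]{1,3}(\.[0-9]{1,3}){3}(:[0-9]+)?$")


def request_target(line: str):
    """Return (method, target) for an HTTP proxy request line.

    For CONNECT the target is the host:port token; for other methods it is the
    absolute URL with its scheme stripped (assumed input to the regex).
    """
    method, url, _version = line.split(" ", 2)
    target = url if method == "CONNECT" else url.split("://", 1)[-1]
    return method, target


def http_access(line: str, numeric_acl=POSTED_NUMERIC_IP) -> str:
    """Emulate the posted http_access line: deny only if both ACLs match."""
    method, target = request_target(line)
    acl_connect = method == "CONNECT"
    acl_numeric = numeric_acl.match(target) is not None
    return "deny" if acl_connect and acl_numeric else "allow"


# Constructed request lines (documentation addresses, not real hosts).
REQUESTS = [
    "CONNECT 192.0.2.10:443 HTTP/1.1",          # numeric target via CONNECT
    "CONNECT login.skype.com:443 HTTP/1.1",     # hostname via CONNECT
    "GET http://192.0.2.10/update HTTP/1.1",    # numeric target, but not CONNECT
    "CONNECT 10.0.0.1.nip.io:443 HTTP/1.1",     # hostname that starts like an IP
]


def evaluate_all(numeric_acl=POSTED_NUMERIC_IP) -> dict:
    """Decision for every sample request under the given numeric-host ACL."""
    return {line: http_access(line, numeric_acl) for line in REQUESTS}


if __name__ == "__main__":
    for name, acl in (("posted", POSTED_NUMERIC_IP), ("strict", STRICT_NUMERIC_IP)):
        print(name)
        for line, decision in evaluate_all(acl).items():
            print(f"  {decision:5s} {line}")
```

Two things the run makes visible: the rule only bites on CONNECT, so a plain GET to a numeric address is not covered, and because the posted regex has no end anchor it also denies CONNECTs to hostnames that merely begin with four dotted numbers; the strict variant removes that over-match.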
08-02-2010 07:23 PM
Enable IPS on your router (provided you have enough DRAM).
08-02-2010 07:28 PM
Warning Indicators
The following versions of Skype are vulnerable:
It only works for old versions of Skype.
08-02-2010 07:42 PM
True, but ...
Normal Skype client usage will fire this signature.
09-01-2010 05:56 AM
Thanks leolaohoo. It did help.