MPF: Reset existing IM sessions.

Answered Question
Aug 15th, 2010

Hello.

I'm trying to block IM with MPF. I have managed to block new logins and chat, but when the user is already logged in, the session does not terminate.

The MPF config is:

******************************************************************

class-map all_netuse
 match any

policy-map type inspect im stop_im_policy
 parameters
 match protocol msn
  reset

policy-map stop_im
 class all_netuse
  inspect im stop_im_policy

service-policy stop_im interface inside

******************************************************************

I just use this config for testing. I'm supposed to use a time range to activate it so that the users can use msn for a specific time.

So the problem is that when I assign the policy to the inside interface, users can continue using msn if they are already logged in.

What can I do to reset the existing connections?

Regards,

Jon A.

Kureli Sankar Sun, 08/15/2010 - 14:17

You need to clear xlate, which will clear all translations through the box, or you can specifically issue "clear local x.x.x.x" for a specific client IP address to clear the connections established by a certain IP address.

-KS

jon.aril.antonsen Mon, 08/16/2010 - 11:53

Hi Kusankar.

I know about the clear xlate, but I haven't been able to implement it in the MPF config.

Is there a way to do that?

Regards,

Jon A.

jon.aril.antonsen Mon, 08/16/2010 - 12:21

OH NO!!

The time range I'm supposed to use kicks in several times, at different times, every day throughout the week.

Any other ideas on how to do this without having to log in and type the command manually?

Jon

Kureli Sankar Mon, 08/16/2010 - 12:58

Well, in that case, just pick a time in the middle of the night when the load is light, put the MPF in place and issue "clear xlate". This will clear all translations through the box, but these will quickly re-establish and no one will even find out.

-KS

jon.aril.antonsen Mon, 08/16/2010 - 13:06

OK, let me describe the problem in another way.

The users are supposed to be allowed to use msn on Monday 10am to 11am and 1pm to 3pm, on Tuesday 9am to 10am, 1pm to 2pm and 5pm to 8pm.

And since I'm not around all the time to issue the clear xlate, I was hoping to use an ACL and MPF with a time range. But since the users can continue the chat they have active when the time comes, I do have a problem.

I'm pulling my hair on this....

Jon

Correct Answer
Andrew Ossipov Mon, 08/16/2010 - 15:34

One solution would be to set up an expect-like script on a local host that would SSH into the ASA at a certain time of day (i.e. a cron job) and issue 'clear conn port <port>' commands, with <port> being the TCP port for each respective IM service. Not the ideal solution, but it gets the job done.

Andrew

Kureli Sankar Mon, 08/16/2010 - 15:51

Jon,

You really need a tool like Websense/N2H2. The last I checked it, a few years ago when I was outside of Cisco, it was pretty pricey, about $20 a seat.

You can control 5 min. of eBay during lunch time and 15 min. of chess on Yahoo and get a detailed report of the users' browsing data if needed.

-KS

jon.aril.antonsen Tue, 08/17/2010 - 04:19

Hi.

I could use Websense, but that would just give me the same result. When the connection is already established, Websense does not disconnect it.

The way aossipov describes would be a better way then.

But I can't say I'm satisfied with this. There must be a way to control this on the FW. This is Cisco, for God's sake :-))) I know that on a Juniper box all connections are dropped when an ACL is disabled. I must find a way to do it on my Cisco box too... I must.

Jon

Kureli Sankar Tue, 08/17/2010 - 05:20

Jon,

Websense would definitely work for you. Every GET request will be sent over to the Websense server whether or not you have an established connection in the table. I think you should get a 30-day trial and test it out. I was very impressed when we tested it 3 years ago.

-KS

jon.aril.antonsen Tue, 08/17/2010 - 05:42

Cool, I did not know that. I will try Websense as soon as possible.

Cheers for your help :-)

Jon A.

Andrew Ossipov Tue, 08/17/2010 - 09:16

It would only work for MSNP tunnelled through HTTP, which is the non-default behaviour. By default, the standalone client connects to the server on port TCP/1863 and does not use HTTP.

Andrew

jon.aril.antonsen Tue, 08/17/2010 - 12:45

Hi.

That was also something to think about. The Websense integration with the ASA only filters HTTP. It might work with Websense Gateway. The other, and biggest, problem with Websense is the pricing. I have to solve this without spending too much money.

So I guess the expect script aossipov mentioned would be the best solution. Could you point me in the right direction, aossipov? I have searched for expect scripts and found a lot of samples, but I haven't found the program for it. I hope you can help me with this.

Jon

Andrew Ossipov Tue, 08/17/2010 - 15:24

Hello Jon,

At a very rudimentary level, here's something that would clear all connections involving port 1863 (10.1.1.1 is the ASA management IP, 'username' is the user, 'password' is their password, and 'enable_password' is the enable password):

#!/usr/local/bin/expect -f
# Logs in to the ASA over SSH, enters enable mode and clears every connection
# on TCP/1863 (MSN Messenger). Replace username, password, enable_password and
# 10.1.1.1 with your own values; the "ASA>" / "ASA#" patterns must match the
# ASA's configured hostname or the script will sit at each expect until timeout.

# send -s pauses 5 ms after every 5 characters so the ASA console keeps up.
set send_slow {5 0.005}
# ssh2 is the SSH Communications client; with OpenSSH the equivalent spawn
# line is: spawn ssh -l username 10.1.1.1
spawn ssh2 -c 3des -l username 10.1.1.1
set SSH $spawn_id
set timeout 3
# Accept the host key the first time we connect; otherwise carry on silently.
expect {
        "to continue connecting" {
                send "yes\n"}
        timeout {}}
expect "ssword:"
send -s "password\n"
expect "ASA>"
send -s "en\n"
expect "ssword:"
send -s "enable_password\n"
expect "ASA#"
# The actual work: drop the established MSN sessions.
send -s "clear conn port 1863\n"
expect "ASA#"
send "logout\n"
catch "close -i $SSH"
catch "wait -i $SSH"
exit

Andrew
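
Added example, not part of the original thread or Andrew's script: a small POSIX shell wrapper that turns the schedule Jon listed (Mon 10-11 and 13-15; Tue 9-10, 13-14 and 17-20) into crontab entries that fire the Expect script one minute after each window closes, which is exactly when the time-range ACL stops admitting new sessions but leaves the established TCP/1863 ones in the connection table. The paths /usr/local/bin/clear_im.exp (the Expect script above, saved to disk) and /usr/bin/expect are assumptions.

```shell
#!/bin/sh
# Added example: schedule "clear conn port 1863" at the end of each MSN window.
# Assumed paths (not from the thread):
CLEAR_SCRIPT=/usr/local/bin/clear_im.exp   # the Expect script from the post
EXPECT_BIN=/usr/bin/expect

# One allowed window per line: "<cron day-of-week> <start HH:MM> <end HH:MM>"
# cron day-of-week: 0=Sun, 1=Mon, 2=Tue ... (the schedule Jon described)
SCHEDULE='1 10:00 11:00
1 13:00 15:00
2 09:00 10:00
2 13:00 14:00
2 17:00 20:00'

# to_minutes HH:MM -> minutes since midnight. A leading zero is stripped so
# "09" is not read as an (invalid) octal literal by shell arithmetic.
to_minutes() {
    h=${1%%:*}; m=${1##*:}
    h=${h#0};   m=${m#0}
    echo $(( ${h:-0} * 60 + ${m:-0} ))
}

# im_allowed DOW HH:MM -> exit 0 inside an allowed window, 1 otherwise.
# Mirrors the decision the ASA time-range makes; handy for a dry run.
im_allowed() {
    now=$(to_minutes "$2")
    hit=1
    while read -r d s e; do
        [ "$d" = "$1" ] || continue
        if [ "$now" -ge "$(to_minutes "$s")" ] && [ "$now" -lt "$(to_minutes "$e")" ]; then
            hit=0
        fi
    done <<EOF
$SCHEDULE
EOF
    return $hit
}

# cron_lines -> one crontab entry per window, one minute after it ends, so
# the time-range ACL has already closed when the established sessions are cut.
cron_lines() {
    while read -r d s e; do
        t=$(( ($(to_minutes "$e") + 1) % 1440 ))
        printf '%d %d * * %s %s -f %s\n' \
            $(( t % 60 )) $(( t / 60 )) "$d" "$EXPECT_BIN" "$CLEAR_SCRIPT"
    done <<EOF
$SCHEDULE
EOF
}

case "${1:-show}" in
    # append to the current user's crontab without discarding existing entries
    install) { crontab -l 2>/dev/null; cron_lines; } | crontab - ;;
    check)   if im_allowed "$2" "$3"; then echo allowed; else echo blocked; fi ;;
    *)       cron_lines ;;
esac
```

Run it with no arguments to print the five cron lines, `check 2 17:30` to see whether a day/time falls inside a window, and `install` to add the lines to the invoking user's crontab. Nothing needs to run when a window opens: the time-range ACL and MPF policy admit new sessions on their own, so only the close-of-window clear is scripted. The cron host ends up holding the ASA login and enable password inside the Expect script, so keep that file mode 600 on a host with restricted access, and give the account used by the script no more privilege than the clear requires.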

jon.aril.antonsen Wed, 08/18/2010 - 06:14

Hi Aossipov.

You didn't have to write the script for me, but thanks :-) I was hoping you knew where to get the expect program for Windows. The one I found was for Unix.

Since the expect script will be the best solution in this case, I will mark your first reply as "Correct Answer".

Jon.

Andrew Ossipov Wed, 08/18/2010 - 16:10

Hello Jon,

My apologies, as I had misread your question. While using a Linux/*NIX host would be the best approach, I suspect you can do something similar under Windows with PuTTY/Plink (a command-line SSH client). There's also a port of Expect for Win32, but I'm not sure how much installation effort is involved.

Thanks!

Andrew

jon.aril.antonsen Thu, 08/19/2010 - 03:56

Hi Andrew.

No worries, I guess I didn't write anything about my preferred OS either :-s

I looked at Plink, and it looks like it will do the trick. I appreciate all your help.

Jon
