ASDM and access rules

Jason Sypolt
Level 1

Can anyone give me a quick walkthrough on how to set up an access rule to block a TCP port? I need to stop people from playing a game (World of Warcraft) and I need to block 3724. I've tried various combinations of inside outgoing, inside incoming and I just can't seem to get it. I would really appreciate some help with configuring this through the ASDM GUI.


9 Replies

Namit Agarwal
Cisco Employee

Jason,

What is the version of the ASDM and the ASA code you are running?

Namit

Sorry, forgot to include that. It is ASDM 5.2(3) on an ASA 5505 7.2(3)

Jason

http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/user/guide/aclrules.html Hope this helps; it is for ASDM 5.2.

Regards,

Namit

And I'm assuming that I need to block this game on the inside network since you start the client and it connects to the external game servers.

So I was trying to add an outgoing deny rule on the inside network for any source, any destination that has a source port of 3724.

Jason,

Have you blocked IP traffic or only UDP or TCP? Please block both UDP and TCP.

Ya, that should do the trick: deny any connection with source port 3724, with any source IP and any destination IP. The ACL will be applied on the inside interface in the inward direction. Also make sure that this is at the top of the ACL entries, as there might be a permit entry allowing this traffic before it hits the deny rule.

Can you please send the running config or at least the ACL you have applied?


Regards,

Namit

Namit Agarwal
Cisco Employee

Jason

I hope this helps: http://www.cisco.com/en/US/docs/security/asdm/6_2/user/guide/aclrules.html#wp1046058 This is with ASDM version 6.2.

Namit

Hi Jason,

I think this will be helpful. Apart from what Namit has said about how to block them, I think you should see this; it looks interesting:

"The Blizzard Downloader requires that TCP ports 3724 and 6112 be forwarded. It can also benefit from having ports 6881 through 6999 forwarded."

I found this on some World of Warcraft forum where people are discussing which ports to open to allow it. Look at the two sides of the coin: you are going to look at it to block your users : )

http://forums.worldofwarcraft.com/thread.html?topicId=2215453407&sid=1

Hi,

Jeetu, thanks for the information. That is very useful. However, port 3724 is the one that is used for hosting the game. The rest of the ports are just used for downloading the patches from Blizzard Support. I think just blocking 3724 should be enough. However, as per the documentation on the Blizzard Support site, they have mentioned the following ports to be opened in order to run this: 3724, 6112, 6113, 6114 and 4000. http://us.blizzard.com/support/article.xml?locale=en_US&articleId=21077

I think we can start by blocking 3724 and if it does not help we can move on to blocking the other ports as well. Moreover, Jason, please send the running config or a screenshot of the ACL you are configuring using the ASDM.

Regards,

Namit

Thanks for the help thus far.

Here is the ACL:

access-list inside_access_in extended deny udp any eq 3724 any
access-list inside_access_in extended deny tcp any object-group WoW_TCP any
access-list inside_access_in extended permit ip any any

... and the network object group that the ACL refers to:

object-group service WoW_TCP tcp
 port-object range 1119 1119
 port-object range 3724 3724
 port-object range 4000 4000
 port-object range 6112 6114
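One check worth running before applying an ACL like the one above: in an ASA extended ACE the operands are ordered `action protocol source [source-port] destination [destination-port]`, so a port qualifier written directly after the source address (`any eq 3724 any`, or `any object-group WoW_TCP any`) matches the client's source port. A client opening a connection to a game or any other service picks an ephemeral source port, and the well-known port is on the destination side, so a deny meant to stop inside hosts from reaching a service needs the qualifier after the destination address. The following Python script is an added example written for this thread (it is not Jason's configuration, Namit's advice, or anything from the ASDM documentation). It parses the object-group and ACL posted above, embedded as a constructed sample so it runs offline, reports every deny entry that qualifies only the source port, and prints the same entry re-emitted in destination-port form. The parser assumes the standard extended-ACE token order and that an `object-group` name appearing in a port position refers to a service object-group defined earlier in the same text.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the object-group and ACL exactly as posted in the thread,
# pasted into one text so the script can be run offline (not pulled from a live ASA).
SAMPLE_CONFIG = """
object-group service WoW_TCP tcp
 port-object range 1119 1119
 port-object range 3724 3724
 port-object range 4000 4000
 port-object range 6112 6114
access-list inside_access_in extended deny udp any eq 3724 any
access-list inside_access_in extended deny tcp any object-group WoW_TCP any
access-list inside_access_in extended permit ip any any
"""

# Operators that introduce a single-port qualifier in an extended ACE.
PORT_OPS = {"eq", "neq", "lt", "gt"}


@dataclass
class Ace:
    name: str
    action: str
    protocol: str
    src: str
    src_port: Optional[str]
    dst: str
    dst_port: Optional[str]


def _take_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec: any | host A | object N | object-group N | A MASK."""
    tok = tokens[i]
    if tok in ("any", "any4", "any6"):
        return tok, i + 1
    # host/object/object-group/interface take one argument; a bare address takes a mask.
    return f"{tok} {tokens[i + 1]}", i + 2


def _take_port(tokens: List[str], i: int,
               service_groups: Dict[str, List[str]]) -> Tuple[Optional[str], int]:
    """Consume an optional port qualifier that follows an address spec."""
    if i >= len(tokens):
        return None, i
    tok = tokens[i]
    if tok == "range":
        return f"range {tokens[i + 1]} {tokens[i + 2]}", i + 3
    if tok in PORT_OPS:
        return f"{tok} {tokens[i + 1]}", i + 2
    # 'object-group X' is a port qualifier only when X is a known *service* group;
    # otherwise it is a network group and belongs to the next address spec.
    if tok == "object-group" and tokens[i + 1] in service_groups:
        return f"object-group {tokens[i + 1]}", i + 2
    return None, i


def parse_ace(tokens: List[str], service_groups: Dict[str, List[str]]) -> Ace:
    """Parse: access-list NAME extended ACTION PROTO SRC [SRC_PORT] DST [DST_PORT]."""
    if len(tokens) < 7 or tokens[2] != "extended":
        raise ValueError("only extended ACEs are handled: " + " ".join(tokens))
    name, action, proto = tokens[1], tokens[3], tokens[4]
    src, i = _take_addr(tokens, 5)
    src_port, i = _take_port(tokens, i, service_groups)
    dst, i = _take_addr(tokens, i)
    dst_port, i = _take_port(tokens, i, service_groups)
    return Ace(name, action, proto, src, src_port, dst, dst_port)


def parse_config(text: str) -> Tuple[Dict[str, List[str]], List[Ace]]:
    """Return (service object-groups, ACEs) found in a fragment of ASA config text."""
    service_groups: Dict[str, List[str]] = {}
    aces: List[Ace] = []
    current: Optional[str] = None          # service group whose port-objects we are reading
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "object-group" and tokens[1] == "service":
            current = tokens[2]
            service_groups[current] = []
        elif tokens[0] == "port-object" and current:
            service_groups[current].append(" ".join(tokens[1:]))
        elif tokens[0] == "access-list":
            current = None
            aces.append(parse_ace(tokens, service_groups))
    return service_groups, aces


def source_port_denies(aces: List[Ace]) -> List[Ace]:
    """Deny entries that qualify only the source port. A client connecting to a
    service uses an ephemeral source port, so these entries will not match it."""
    return [a for a in aces if a.action == "deny" and a.src_port and not a.dst_port]


def with_port_on_destination(ace: Ace) -> str:
    """The same ACE re-emitted with its port qualifier after the destination address."""
    return (f"access-list {ace.name} extended {ace.action} {ace.protocol} "
            f"{ace.src} {ace.dst} {ace.src_port}")


if __name__ == "__main__":
    groups, aces = parse_config(SAMPLE_CONFIG)
    for ace in source_port_denies(aces):
        print("matches source port only :", ace.src_port)
        print("destination-port form    :", with_port_on_destination(ace))
```

The script only inspects text; it does not talk to a device. Whatever form the entries end up in, they still have to be bound to the interface with `access-group inside_access_in in interface inside` and, as Namit notes, sit above the `permit ip any any` entry, because the ASA evaluates the list top down and stops at the first match.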
