09-23-2010 08:11 AM - edited 03-11-2019 11:44 AM
Can anyone give me a quick walkthrough on how to set up an access rule to block a TCP port? I need to stop people from playing a game (World of Warcraft) and I need to block 3724. I've tried various combinations of inside outgoing, inside incoming and I just can't seem to get it. I would really appreciate some help with configuring this through the ASDM GUI.
09-23-2010 10:13 AM
Hi,
Jeetu, thanks for the information. That is very useful. However, port 3724 is the one that is used for hosting the game. The rest of the ports are just used for downloading the patches by Blizzard Support. I think just blocking 3724 should be enough. However, as per the documentation on the Blizzard Support site, they have mentioned the following ports to be opened in order to run this: 3724, 6112, 6113, 6114 and 4000. http://us.blizzard.com/support/article.xml?locale=en_US&articleId=21077
I think we can start by blocking 3724 and if it does not help we can move on to blocking other ports as well. Moreover, Jason, please send the running config or a screenshot of the ACL you are configuring using the ASDM.
Regards,
Namit
09-23-2010 08:27 AM
Jason,
What is the version of the ASDM and the ASA code you are running ?
Namit
09-23-2010 08:40 AM
Sorry, forgot to include that. It is ASDM 5.2(3) on an ASA 5505 7.2(3)
09-23-2010 08:50 AM
Jason
http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/user/guide/aclrules.html Hope this helps; it is for ASDM 5.2.
Regards,
Namit
09-23-2010 08:52 AM
And I'm assuming that I need to block this game on the inside network since you start the client and it connects to the external game servers.
So I was trying to add an outgoing deny rule on the inside network for any source, any destination that has a source port of 3724.
09-23-2010 09:03 AM
Jason,
Have you blocked IP traffic or only UDP or TCP? Please block both UDP and TCP.
Ya, that should do the trick: deny any connection with source port 3724, with any source IP and any destination IP. The ACL will be applied on the inside interface in the inward direction. Also make sure that this is at the top of the ACL entries, as there might be a permit entry allowing this traffic before it hits the deny rule.
Can you please send the running config or at least the ACL you have applied?
Regards,
Namit
09-23-2010 08:30 AM
Jason
I hope this helps: http://www.cisco.com/en/US/docs/security/asdm/6_2/user/guide/aclrules.html#wp1046058 This is with ASDM version 6.2.
Namit
09-23-2010 09:46 AM
Hi Jason,
I think this will be helpful. Apart from what Namit has said about how to block them, I think you should see this; it looks interesting:
"The Blizzard Downloader requires that TCP ports 3724 and 6112 be forwarded. It can also benefit from having ports 6881 through 6999 forwarded."
I found this on some World of Warcraft forum where people are discussing which ports to open to allow it. Look at the other side of the coin: you are going to use it to block your users :)
http://forums.worldofwarcraft.com/thread.html?topicId=2215453407&sid=1
09-24-2010 04:57 AM
Thanks for the help thus far.
Here is the ACL:
access-list inside_access_in extended deny udp any eq 3724 any
access-list inside_access_in extended deny tcp any object-group WoW_TCP any
access-list inside_access_in extended permit ip any any
... and the network object group that the ACL refers to:
object-group service WoW_TCP tcp
port-object range 1119 1119
port-object range 3724 3724
port-object range 4000 4000
port-object range 6112 6114
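The posted ACL checked against a sample flow with a small first-match evaluator (example code added here, not part of the thread and not Cisco's own parser; the evaluator, the flow values and the reduction of WoW_TCP to its 3724 member are assumptions). It shows that entries keyed on the source port never match an inside client, which picks an ephemeral source port and connects to the server's port 3724, while a destination-port deny does.

```python
import re
# Evaluator for the extended-ACL form used in this thread. Added example, not
# the ASA's own parser: it supports only "any" addresses and "eq PORT" matches,
# with object-groups expanded by hand into one line per port. Line shape:
#   access-list NAME extended {permit|deny} {ip|tcp|udp} any [eq P] any [eq P]
ACE_RE = re.compile(
    r"access-list\s+\S+\s+extended\s+(permit|deny)\s+(ip|tcp|udp)\s+"
    r"any(?:\s+eq\s+(\d+))?\s+any(?:\s+eq\s+(\d+))?\s*$")

def parse_acl(text):
    """Return [(action, proto, src_port_or_None, dst_port_or_None), ...]."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line}")
        action, proto, sport, dport = m.groups()
        aces.append((action, proto, sport and int(sport), dport and int(dport)))
    return aces

def evaluate(aces, proto, sport, dport):
    """First matching entry wins, as on the ASA; implicit deny at the end."""
    for action, aproto, asport, adport in aces:
        if aproto != "ip" and aproto != proto:
            continue
        if asport is not None and asport != sport:
            continue
        if adport is not None and adport != dport:
            continue
        return action
    return "deny"

# The ACL as posted above, with the WoW_TCP group reduced to its 3724 member.
# Both deny lines key on the *source* port.
POSTED_ACL = """
access-list inside_access_in extended deny udp any eq 3724 any
access-list inside_access_in extended deny tcp any eq 3724 any
access-list inside_access_in extended permit ip any any
"""
# Corrected form: an inside client picks an ephemeral source port and connects
# to the game server's port 3724, so the deny must key on the destination port.
FIXED_ACL = """
access-list inside_access_in extended deny udp any any eq 3724
access-list inside_access_in extended deny tcp any any eq 3724
access-list inside_access_in extended permit ip any any
"""
def verdict(acl_text, proto="tcp", sport=51234, dport=3724):
    """Constructed sample flow: inside client, ephemeral port, to server :3724."""
    return evaluate(parse_acl(acl_text), proto, sport, dport)
```

On the real box the same check is `packet-tracer input inside tcp <client-ip> 51234 <server-ip> 3724`, which reports which ACE the flow hits.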