Cisco Support Community
New Member

Allow some users to access MSN

Hello everybody,

I am a bit new to Cisco routers but not to routers in general (I used to work with ZyXEL, Fortigate and D-Link). My question is about a Cisco 857 which I manage via the SDM 2.4 interface.

It is about the firewall. In the "Application Security" tab, I see that I can block MSN. But if I check this box, it will block every PC on the LAN from accessing MSN!!

And guess what? This is not what I want: I just want 3 PCs (I have their IP addresses) to access MSN and to block the other PCs on the LAN.

How can I do that?

PS: as a reminder, my router is a Cisco 857!

5 REPLIES

Re: Allow some users to access MSN

I have had to do this recently. What makes it difficult is that the new version of MSN uses bits of the .NET Framework, and the TCP/UDP ports are no longer static. MSN does try to use the legacy port numbers, but if they are blocked then MSN will use HTTP. :o(

What I have done is write an ACL to block all connections to the Microsoft range of IP addresses:

! ACEs are evaluated top-down, first match wins: permit the allowed host(s)
! before any deny line, and give the permit a destination ("any").
access-list 101 extended permit ip host z.z.z.z any
! Deny the rest of the LAN to the Microsoft address ranges
access-list 101 extended deny ip x.x.x.x y.y.y.y 65.52.0.0 255.255.0.0
access-list 101 extended deny ip x.x.x.x y.y.y.y 65.53.0.0 255.255.0.0
access-list 101 extended deny ip x.x.x.x y.y.y.y 65.54.0.0 255.255.0.0
access-list 101 extended deny ip x.x.x.x y.y.y.y 65.55.0.0 255.255.0.0
access-list 101 extended deny ip x.x.x.x y.y.y.y 207.46.0.0 255.255.0.0
access-list 101 extended deny ip x.x.x.x y.y.y.y 207.68.0.0 255.255.0.0
! Deny the legacy MSN ports (if blocked, MSN falls back to HTTP, so the
! address-range denies above are what actually stop it)
access-list 101 extended deny tcp x.x.x.x y.y.y.y any eq 1863
access-list 101 extended deny tcp x.x.x.x y.y.y.y any range 6681 6901
! Everything else is allowed
access-list 101 extended permit ip any any
! Note: the lines above use ASA/PIX-style syntax (subnet masks, "extended"
! keyword). On an IOS router such as the 857 the same ACE is written without
! "extended" and with a wildcard mask, e.g.
!   access-list 101 deny ip x.x.x.x w.w.w.w 65.52.0.0 0.0.255.255

z.z.z.z = the host you want to allow

x.x.x.x y.y.y.y = the IP subnet or subnets you want to block from accessing MSN.

NOTE: This will also block the IT people from the Microsoft support websites for downloading patches etc. So allow IT and block everybody else.

HTH.

Re: Allow some users to access MSN

You might want to examine (via CLI), and post the commands added by SDM when you block MSN.

That might spark some ideas in terms of how to "modify" their approach to meeting your needs.

If you do decide to pursue Andrew's approach, keep in mind that you can use a single Access Control Entry (ACE) to represent the following block of addresses:

65.52.0.0 255.255.0.0
65.53.0.0 255.255.0.0
65.54.0.0 255.255.0.0
65.55.0.0 255.255.0.0

... can be represented as:

65.52.0.0 255.252.0.0

Note the different mask.
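The two replies above describe an ordered ACL (permit the allowed hosts first, then deny the LAN to the Microsoft ranges and the legacy MSN ports, then permit everything) and the summarisation of four /16 ranges into one /14. The following Python script is an added example, not code from this thread or from Cisco: it checks the summarisation with the standard library, builds the ACL in the same order and rendering as Andrew's post, and evaluates sample packets against it with first-match semantics. The LAN 192.168.1.0/24 and the allowed PC 192.168.1.10 are constructed placeholders.

```python
"""Build, render and evaluate the MSN-blocking ACL from the thread, and verify
the /16 -> /14 summarisation. Added example with constructed addresses."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" (any protocol) or "tcp"
    src: IPv4Net
    dst: IPv4Net
    dports: Optional[range] = None   # TCP destination ports; None = any port


def net(s: str) -> IPv4Net:
    # Accepts "a.b.c.d/255.255.0.0" (dotted mask, as written in the posted ACL) or CIDR.
    return ipaddress.ip_network(s, strict=False)


def summarize(prefixes: List[str]) -> List[str]:
    """Collapse contiguous prefixes into the fewest covering prefixes (the /14 trick)."""
    nets = [net(p) for p in prefixes]
    return [str(n) for n in sorted(ipaddress.collapse_addresses(nets))]


def fmt(n: IPv4Net) -> str:
    """Render a network the way the posted ACL writes it (subnet-mask style)."""
    if n.prefixlen == 0:
        return "any"
    if n.prefixlen == 32:
        return f"host {n.network_address}"
    return f"{n.network_address} {n.netmask}"


def render(acl: List[Ace], number: int = 101) -> List[str]:
    """One 'access-list' line per ACE, in evaluation order."""
    lines = []
    for a in acl:
        line = f"access-list {number} extended {a.action} {a.proto} {fmt(a.src)} {fmt(a.dst)}"
        if a.dports is not None:
            lo, hi = a.dports.start, a.dports.stop - 1
            line += f" eq {lo}" if lo == hi else f" range {lo} {hi}"
        lines.append(line)
    return lines


def build_acl(allowed_hosts: List[str], lan: str, ms_ranges: List[str]) -> List[Ace]:
    """Same ordering as the thread: permits for the allowed hosts first, then denies
    from the rest of the LAN to the (summarised) Microsoft ranges and the legacy MSN
    ports, then permit ip any any."""
    any_net = net("0.0.0.0/0")
    lan_net = net(lan)
    acl = [Ace("permit", "ip", net(h + "/32"), any_net) for h in allowed_hosts]
    acl += [Ace("deny", "ip", lan_net, net(r)) for r in summarize(ms_ranges)]
    acl.append(Ace("deny", "tcp", lan_net, any_net, range(1863, 1864)))
    acl.append(Ace("deny", "tcp", lan_net, any_net, range(6681, 6902)))
    acl.append(Ace("permit", "ip", any_net, any_net))
    return acl


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First-match evaluation; an ACL ends in an implicit deny if nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in acl:
        if a.proto != "ip" and a.proto != proto:
            continue
        if s not in a.src or d not in a.dst:
            continue
        if a.dports is not None and (dport is None or dport not in a.dports):
            continue
        return a.action
    return "deny"


# Ranges as posted in the thread (dotted masks), plus constructed LAN values.
MS_RANGES = ["65.52.0.0/255.255.0.0", "65.53.0.0/255.255.0.0",
             "65.54.0.0/255.255.0.0", "65.55.0.0/255.255.0.0",
             "207.46.0.0/255.255.0.0", "207.68.0.0/255.255.0.0"]
ALLOWED = ["192.168.1.10"]      # constructed: the one PC allowed to use MSN
LAN = "192.168.1.0/24"          # constructed: the rest of the LAN

if __name__ == "__main__":
    acl = build_acl(ALLOWED, LAN, MS_RANGES)
    print("\n".join(render(acl)))
    for pkt in [("tcp", "192.168.1.10", "65.54.1.1", 1863),
                ("tcp", "192.168.1.20", "65.54.1.1", 80),
                ("tcp", "192.168.1.20", "198.51.100.5", 1863),
                ("tcp", "192.168.1.20", "198.51.100.5", 443)]:
        print(pkt, "->", evaluate(acl, *pkt))
```

The evaluation shows why the ordering matters: the allowed host's permit sits above the denies, so it reaches 65.54.1.1 on 1863, while another LAN host is denied to the same address even on port 80, which is the HTTP fallback the first reply mentions. The two 207.x ranges are not adjacent to each other or to the 65.52.0.0/14 block, so they stay as separate /16 ACEs.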

New Member

Re: Allow some users to access MSN

One of the issues I've found when using CBAC with MSN is that new versions seem to be blocked regardless of what you set, because the router can't understand the new protocol format of MSN.

New Member

Re: Allow some users to access MSN

First,

Thank you everybody for giving me these precious and very sharp answers!!

I will try these settings. As I can see, it is hard to block MSN, as this application uses standard ports too (port 80), its server addresses change very often, etc.

Nevertheless, I will try these settings and let you know about this.

For information, I am configuring an ISA Server for another customer and it seems that it is easier to block MSN there, as ISA is plugged into Active Directory so we can block at the user level!!!!!! I have to look into that.

Again, thanks very much, we'll keep in touch!!!

Re: Allow some users to access MSN

You can use the Application Firewall (APPFW) component of the HTTP Inspection Engine to mitigate port 80 tunneling (IM, P2P, etc.).

Take a look at:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_fwapc.pdf
