Allow some users to access MSN

dalarcon64 · ‎05-30-2008

Hello everybody,

I am a bit new to cisco routers but not to routers in general (i used to work with zyxel, fortigate and dlink). My question is about an Cisco 857 which i manage by SDM 2.4 interface.

It is about firewall. In tab "aplication security", i see that i can block MSN. But if i check this box, it will block every pcs on the lan to access MSN !!

And guess what ? This is not what i want: I just want 3 pcs (i have their ip adress) to access MSN and block the others pcs on the lan.

How can i do that ?

ps: remain my router is cisco 857 !

andrew.prince · ‎06-02-2008

I have had to do this - recently, what makes it difficult is that the new version of MSN uses bits of the .bet framework - and the TCP/UCP ports are no longer static. MSN does try to use the legacy port numbers - but if they are blocked then MSN will use HTTP, :o(

What I have done is written an ACL to block an connections to the Microsoft Range of IP addressing:-

access-list 101 extended permit ip host z.z.z.z

access-list 101 extended deny ip x.x.x.x y.y.y.y 65.52.0.0 255.255.0.0

access-list 101 extended deny ip x.x.x.x y.y.y.y 65.53.0.0 255.255.0.0

access-list 101 extended deny ip x.x.x.x y.y.y.y 65.54.0.0 255.255.0.0

access-list 101 extended deny ip x.x.x.x y.y.y.y 65.55.0.0 255.255.0.0

access-list 101 extended deny ip x.x.x.x y.y.y.y 207.46.0.0 255.255.0.0

access-list 101 extended deny ip x.x.x.x y.y.y.y 207.68.0.0 255.255.0.0

access-list 101 extended deny tcp x.x.x.x y.y.y.y any eq 1863

access-list 101 extended deny tcp x.x.x.x y.y.y.y any range 6681 6901

access-list 101 extended permit ip any any

z.z.z.z = the host you want to allow

x.x.x.x y.y.y.y = the IP subnet or subnets you want to block from accessing MSN.

NOTE:- This will also block the I.T people from the Microsoft support websites for d/l patches etc. So allow I.T and block everybody else.

HTH.

michael.leblanc · ‎06-02-2008

You might want to examine (via CLI), and post the commands added by SDM when you block MSN.

That might spark some ideas in terms of how to "modify" their approach to meeting your needs.

If you do decide to pursue Andrew's approach, keep in mind that you can use a single Access Control Entry (ACE) to represent the following block of addresses:

65.52.0.0 255.255.0.0

65.53.0.0 255.255.0.0

65.54.0.0 255.255.0.0

65.55.0.0 255.255.0.0

... can be represented as:

65.52.0.0 255.252.0.0

Note the different mask.

sirdudesly · ‎06-02-2008

one of the issues i've found when using CBAC with msn is that new versions seem to be blocked regardless of what you set because the router can't understand the new protocol format of MSN.

dalarcon64 · ‎06-05-2008

First,

Thanks you evrybody for giving me these precious and very sharp answers !!

I will try these settings. As I can see, it is hard to block msn as this application uses standard ports too (port 80), that their's server adress changes most often etc ....

Nevertheless, I will try these settings and let you know about this.

For information, I am configuring an ISA server for another customer and it seems that it is easier to block msn as ISA is plug with active directory so we can block at user level !!!!!! I have to see that .

Again, thanks very much, we get in touch !!!

michael.leblanc · ‎06-06-2008

You can use the Application Firewall (APPFW) component of the HTTP Inspection Engine to mitigate port 80 tunneling (IM, P2P, etc.).

Take a look at:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_fwapc.pdf