Community Member

ASA bit torrent blocking

Hi, does anyone know why it is nigh impossible to block BitTorrent with the ASA firewall? We have an ASA 5520 running 8.4 IOS.

But (correct me if I'm wrong) the router-based IOS firewall allows this functionality? Whether CBAC, class maps, etc.

2 REPLIES
Cisco Employee

ASA bit torrent blocking

BitTorrent and many other P2P programs are quite smart about not getting blocked, using many mechanisms:

- random source and destination ports
- payload encryption
- tunneling/piggybacking on top of HTTP
- UPnP usage

It's almost impossible to completely block all P2P activity, save for deep packet inspection and looking for patterns.

There are almost no reasonably effective STATIC mechanisms to block P2P (IPS devices will have some luck with signatures, but may not be able to match patterns if encryption is used).

The most successful block I saw was a default deny policy for LAN users + proxying of HTTP/HTTPS :-)

TL;DR BitTorrent is using lots of different tricks to avoid detection. You may be able to block some activity with static methods, but it's trickier to do it completely.
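To make the reply's point concrete, here is an added example (not from the thread or from Cisco) of the kind of pattern-based inspection it describes: a small classifier that labels flows by payload signature regardless of port, with constructed sample flows for the plaintext peer handshake, an HTTP-tunnelled tracker announce, a DHT query, and an obfuscated stream that no signature catches. The labels, sample bytes and the `classify_payload`/`scan_flows` helpers are all assumptions made for the example.

```python
import re

# Signatures for plaintext BitTorrent traffic (constructed for this example).
# Peer-wire handshake: one byte 0x13 (length 19) followed by "BitTorrent protocol".
PEER_HANDSHAKE = re.compile(rb"\A\x13BitTorrent protocol")
# HTTP tracker announce: a GET carrying info_hash=, the "on top of HTTP" case.
TRACKER_ANNOUNCE = re.compile(rb"\AGET /announce\?\S*info_hash=", re.IGNORECASE)
# DHT queries are bencoded dicts whose first key is the "a" (arguments) dict.
DHT_QUERY = re.compile(rb"\Ad1:ad2:id20:")

SIGNATURES = [
    ("bt-peer-handshake", PEER_HANDSHAKE),
    ("bt-tracker-http", TRACKER_ANNOUNCE),
    ("bt-dht-query", DHT_QUERY),
]

def classify_payload(payload: bytes) -> str:
    """Label the first bytes of a flow's payload. Ports are deliberately ignored
    because BitTorrent picks them at random; only content is inspected."""
    for label, pattern in SIGNATURES:
        if pattern.match(payload):
            return label
    return "unknown"

def scan_flows(flows):
    """flows: list of (dst_port, payload). Returns one (dst_port, label) per flow."""
    return [(port, classify_payload(payload)) for port, payload in flows]

# Constructed sample flows, one per evasion trick named in the reply.
SAMPLE_FLOWS = [
    # random high port, plaintext handshake; info_hash and peer_id are dummy bytes
    (51413, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"A" * 20 + b"-XX0000-" + b"B" * 12),
    # tracker announce tunnelled over HTTP on port 80
    (80, b"GET /announce?info_hash=%AA%BB&peer_id=-XX0000-abcdefghijkl HTTP/1.1\r\n"
         b"Host: tracker.example\r\n\r\n"),
    # DHT ping over UDP
    (6881, b"d1:ad2:id20:" + b"C" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"),
    # stand-in for an MSE/PE-obfuscated session: opaque bytes, so no signature fires
    (48213, bytes(range(0x80, 0xE0))),
]

if __name__ == "__main__":
    for port, label in scan_flows(SAMPLE_FLOWS):
        print(f"dst_port={port:<6} verdict={label}")
```

The last flow is the reply's caveat in miniature: once the payload is encrypted, port-agnostic pattern matching has nothing left to match, which is why a default-deny policy plus proxying tends to work where signatures do not.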

Community Member

ASA bit torrent blocking

I think I was able to effectively block it using a Service Policy.
