Community Member

Block Peer-2-Peer Traffic

Hi All

I got an ASA 5510 with base license; can I block all Peer-2-Peer traffic from inside to outside?

ASA Giga 0/0 connected to ISP Router 2811

ASA Giga 0/1 connected to LAN switch 3560

Thanks upfront

cheers

Steve

3 REPLIES
Cisco Employee

Steve,

In the majority of cases you will not be able to block it completely, unless you go for full restriction of outgoing ports/protocols except the ones needed by your users, and then you also need to check the integrity of those (HTTP inspection, proxy server for HTTP/HTTPS requests).

P2P applications are known to tunnel inside other protocols (HTTP and HTTPS are usually preferred) and mechanisms (Teredo, 6to4, etc.). Most use some level of encryption, and even some IPSes are not able to cope with that and are able to detect only parts of the traffic. Dynamic ports, UPnP, magnet links, and a lot more.

And this is only for bittorrent. :-)

Marcin

Community Member

Thanks

Any template from Cisco to block the minimum threats?

Cisco Employee

Have a look here:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c38a6.shtml

But don't have too high hopes of this being the solution to all problems.

The second thing to consider is threat-detection; to a degree it can stop some of the activity by very chatty hosts (which P2P hosts usually are).

If you have an IPS/IDS somewhere, you can detect the unencrypted part of P2P and drop it; signatures exist.

IOS has NBAR: it can detect quite a lot of common P2P and (via class-map/policy-map) drop the traffic. Again, don't have high hopes for this as a solution to fix all the problems.
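
The measures named in the replies (restricting outbound ports on the ASA, threat-detection, and NBAR on an IOS router), sketched as an added configuration example; it is not part of the posts above and not a Cisco template. The inside subnet, DNS resolver address, ACL and policy names, allowed ports and router interface are assumptions to adapt, and the router is assumed to run an NBAR-capable IOS image.

```cisco
! ===== ASA 5510: allow-list egress from inside, deny and log the rest =====
! Assumed: inside subnet 192.168.1.0/24, interface nameif "inside",
! DNS resolver 192.0.2.53 (constructed documentation address).
object-group service ALLOWED-TCP tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
access-list INSIDE-EGRESS extended permit udp 192.168.1.0 255.255.255.0 host 192.0.2.53 eq domain
access-list INSIDE-EGRESS extended permit tcp 192.168.1.0 255.255.255.0 any object-group ALLOWED-TCP
! Everything else, including dynamic P2P ports, is dropped and logged.
access-list INSIDE-EGRESS extended deny ip any any log
access-group INSIDE-EGRESS in interface inside
!
! P2P tunnelled over 80/443 still passes this ACL; that is why the reply
! pairs port restriction with HTTP inspection or a proxy.
!
! Threat detection: rate-based view of very chatty hosts.
threat-detection basic-threat
threat-detection statistics host
! "shun" blocks hosts flagged as scanners; it can also hit legitimate
! hosts, so watch the syslog before relying on it.
threat-detection scanning-threat shun
!
! ===== IOS router (e.g. the 2811): NBAR match and drop =====
! Catches only the protocols NBAR can recognise, i.e. largely the
! unencrypted, non-tunnelled part of the traffic.
class-map match-any P2P
 match protocol bittorrent
 match protocol edonkey
 match protocol gnutella
 match protocol kazaa2
 match protocol fasttrack
policy-map DROP-P2P
 class P2P
  drop
! Assumed: FastEthernet0/1 is the interface facing the ASA.
interface FastEthernet0/1
 service-policy input DROP-P2P
```

Hit counts from `show access-list INSIDE-EGRESS` on the ASA and `show policy-map interface FastEthernet0/1` on the router show how much traffic each control is actually catching.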
