Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Blocking bittorrent on pix or cisco7603


I want to block bittorrent on pix or cisco7603. I want to block it completely (client can choose dynamic ports),

so i need packet inspection. On pix525 i could not find any bittorrent inspection, on cisco7603 NBAR implementation is very poor

(it almost does not exists).

Is there any way for blocking bittorrent on pix or 7603 ?


New Member

Re: Blocking bittorrent on pix or cisco7603

blocking bittorrent on the firewall could be tricky since it uses port 80 and could also use encryption.

1. Use a web security gateway for your users and stop p2p there.

2. Stop the problem on its source. Use active directory and do not allow users run .exe files.

3. Do not NAT users unless you have to.

4. If you cannot do any of these you can try this :

Cisco Employee

Re: Blocking bittorrent on pix or cisco7603

Bittorrent is a tricky P2P application. It tunnel through HTTP and randomly changes the port. So there isn't a way to use the ASA
a clean way to stop this.

We might be better off using an IPS module or may be use NBAR on a router as well as with a url filtering server. 

However, you can try blocking the ports this application uses, which are ports 6881 to 6999. For instance:

access-list inside_in deny tcp any any range 6881 6999
access-list inside_in permit ip any any
access-group inside_in in interface inside

You can also try using the following configuration to block P2P applications on the firewall.

I hope hit helps.


Cisco Employee

Re: Blocking bittorrent on pix or cisco7603


True ASA can not do deep packet inspections, so BITTorrents could be better blocked using AIP-SSM or CSC-SSM security modules or some third party solution for the same. And again, since they tend to change ports during the session, it maybe difficult to keep track of ports they will be using, so I am not sure if blocking the ports via ACL is going to help us, nevertheless its worth a lab test.