New Member

BT blocking using ASA

Hi forum people, greetings.

I have an ASA 5510 with an SSM CSC. I am only using the inside interface, connected to the LAN, and the outside interface, connected to the border router.

My goal is to block users on the inside interface from using BitTorrent-related applications to download anything from outside.

I managed to use the SSM CSC URL blocking to stop users' browsers from surfing any torrent-related website, so users cannot go to torrent sites to find seeds.

Now, when I test with the Vuze BitTorrent client, it is still able to get through and download from peers at the other end.

Here is the list of actions I have taken so far:

First, I used MPF to filter the traffic.

regex bit-torrent-tracker ".*[Ii][Nn][Ff][Oo]_[Hh][Aa][Ss][Hh]=.*"

object-group service BitTorrent-Tracker tcp
 description TCP Ports used by Bit Torrent for tracker communication
 port-object eq 2710
 port-object eq 6969

object-group service Blocked-UDP-Ports udp
 description All ports blocked for Bit Torrent UDP DHT
 port-object range 10001 65535
 port-object range 1024 5554
 port-object range 5600 9999

access-list DENY-BT extended deny tcp any any object-group BitTorrent-Tracker log warnings
access-list DENY-BT extended deny udp any any object-group Blocked-UDP-Ports log warnings
access-list DENY-BT extended permit tcp any any
access-list DENY-BT extended permit udp any any
access-list DENY-BT extended permit icmp any any echo

class-map http_traffic
 match port tcp eq www

class-map type inspect http match-all bit-torrent-tracker
 description Bit Torrent Tracker communication
 match request args regex bit-torrent-tracker
 match request method get

policy-map type inspect http Drop-P2P
 description Drop protocol violations Bit Torrent Tracker traffic
 parameters
  protocol-violation action drop-connection log
 class bit-torrent-tracker
  drop-connection log

policy-map global_policy
 class http_traffic
  inspect http Drop-P2P

service-policy global_policy interface inside

access-group DENY-BT out interface inside

Attached is a snapshot of the ASDM service policy rules.

Ideas needed; I need to stop Vuze from downloading.

Cisco Employee

Re: BT blocking using ASA


What do you see if you load Wireshark on your computer and then launch Vuze? What TCP/UDP/etc. connections are made by the application that are not yet blocked? Make sure you close any other programs so the only network activity is from the Vuze application on your computer. Once you identify what ports/protocols Vuze uses, then you can proceed to ACL them off.

- Magnus
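The triage Magnus describes (capture with only the client running, list the connections, find the ones the current ACL still permits, then write ACEs for them) can be done mechanically once the capture is reduced to a flow list. The script below is an added example, not code from this thread or from Cisco: it takes a constructed flow list in the shape of a Wireshark "Conversations" export (protocol, source, destination), checks each destination port against the port ranges of the object-groups in the posted DENY-BT ACL, prints the deny entries still missing, and applies the posted info_hash regex to an HTTP request line the way the `match request args` class would. The flow lines and IP addresses are made up for the example.

```python
"""Triage a BitTorrent client's connections against an ASA port-block list.

Added example, not from the original thread. BLOCKED_PORTS mirrors the
object-groups referenced by the posted DENY-BT ACL; SAMPLE_FLOWS is a
constructed flow list, not a real capture.
"""
import re
from collections import defaultdict

# Destination-port ranges the posted ACL denies (assumed to be the deployed policy).
BLOCKED_PORTS = {
    "tcp": [(2710, 2710), (6969, 6969)],                  # object-group BitTorrent-Tracker
    "udp": [(1024, 5554), (5600, 9999), (10001, 65535)],  # object-group Blocked-UDP-Ports
}

# The tracker regex exactly as posted; this character-class form is valid in Python's re too.
TRACKER_RE = re.compile(r".*[Ii][Nn][Ff][Oo]_[Hh][Aa][Ss][Hh]=.*")

# Constructed sample: connections from one LAN host (192.168.1.20) with only the
# BitTorrent client running, in "proto src:port dst:port" form.
SAMPLE_FLOWS = """\
tcp 192.168.1.20:49152 203.0.113.10:6969
udp 192.168.1.20:6881 203.0.113.44:6881
udp 192.168.1.20:6881 198.51.100.99:10000
tcp 192.168.1.20:49161 198.51.100.23:51413
tcp 192.168.1.20:49160 203.0.113.55:443
udp 192.168.1.20:6881 203.0.113.44:5580
tcp 192.168.1.20:49162 198.51.100.7:80
"""

FLOW_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)$")


def parse_flows(text):
    """Return (proto, dst_ip, dst_port) tuples; lines that do not parse are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            proto, _src, _sport, dst, dport = m.groups()
            flows.append((proto, dst, int(dport)))
    return flows


def is_blocked(proto, dport):
    """True if one of the ACL's object-groups already denies this destination port."""
    return any(lo <= dport <= hi for lo, hi in BLOCKED_PORTS.get(proto, []))


def unblocked_ports(flows):
    """Map proto -> sorted destination ports that the current ACL would still permit."""
    open_ports = defaultdict(set)
    for proto, _dst, dport in flows:
        if not is_blocked(proto, dport):
            open_ports[proto].add(dport)
    return {proto: sorted(ports) for proto, ports in open_ports.items()}


def coalesce(ports):
    """Collapse a sorted port list into (lo, hi) runs so a contiguous run becomes one ACE."""
    runs = []
    for p in ports:
        if runs and runs[-1][1] == p - 1:
            runs[-1] = (runs[-1][0], p)
        else:
            runs.append((p, p))
    return runs


def acl_entries(open_ports, acl="DENY-BT"):
    """Emit deny ACEs for still-open ports; they must be placed above the ACL's permit lines."""
    lines = []
    for proto in sorted(open_ports):
        for lo, hi in coalesce(open_ports[proto]):
            port = f"eq {lo}" if lo == hi else f"range {lo} {hi}"
            lines.append(f"access-list {acl} extended deny {proto} any any {port} log warnings")
    return lines


def is_tracker_request(request_line):
    """Apply the posted info_hash regex to an HTTP request (the ASA applies it to the request args)."""
    return TRACKER_RE.match(request_line) is not None


if __name__ == "__main__":
    still_open = unblocked_ports(parse_flows(SAMPLE_FLOWS))
    for entry in acl_entries(still_open):
        print(entry)
    print(is_tracker_request("GET /announce?info_hash=%12%34&peer_id=-AZ5750- HTTP/1.1"))
```

On the constructed sample the script reports tcp 80, 443 and 51413 and udp 5580 and 10000 as still permitted. The two UDP ports fall into the gaps between the posted ranges (5555-5599 and port 10000 itself), which is the kind of hole the later widening to 10000-65535 closes; tcp 80 is the tracker announce that `inspect http Drop-P2P` catches via the regex rather than the ACL; tcp 443 is a tracker over HTTPS, which neither the ACL nor the HTTP inspection can see into. Two practical notes: the generated deny lines only take effect if they sit above the `permit tcp any any` and `permit udp any any` entries of DENY-BT, and an ACL filtering connections that LAN hosts initiate is applied with `access-group DENY-BT in interface inside`, since `in` on the inside interface is the direction of traffic entering the ASA from the LAN. Peer and DHT traffic also uses arbitrary high ports, so a port list built this way tends to grow toward "deny everything except known services".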

New Member

Re: BT blocking using ASA

Hi Magnus,

Thanks for the advice. After I strengthened the ACL rule with a wider UDP port range, 10000-65535, the traffic is torn down and, after a certain period, the transaction times out and the download cannot succeed.

I just have a few more things to check with you.

Q1. Is it possible for the ASA to scan encrypted traffic?


Cisco Employee

Re: BT blocking using ASA

Unfortunately, the ASA cannot inspect HTTPS or encrypted traffic, because we would not be able to look into the messages since they are encrypted.

I hope it makes sense.

