New Member

Can a layer 4 policy block IM traffic in IOS firewall?

Hi experts,

My customer wants to allow messaging only for certain users' IPs and block it for everybody else. His configuration is something like the following:

class-map match-all msn
 match protocol imap
 match access-group name Permited_MSN
!
ip access-list extended Permited_MSN
 deny ip host 192.168.1.x any
 permit ip any any
!
policy-map msnmap
 class msn
  drop
!
interface BVI1
 ip address 192.168.1.1 255.255.255.0
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly
 service-policy input msnmap

Doing a show policy-map, we never see matched packets being dropped.

Cisco1811W#show policy-map interface bvi 1
 BVI1

  Service-policy input: msnmap

    Class-map: msn (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol imap
      Match: access-group name Permited_MSN
      drop

    Class-map: class-default (match-any)
      1722583 packets, 929916071 bytes
      5 minute offered rate 612000 bps, drop rate 0 bps
      Match: any

Should this configuration work? Can the router block MSN-like traffic with a layer 4 policy, or is it necessary to use the zone-based firewall with an application policy?

Any comment on this is highly appreciated.

3 REPLIES

Re: Can a layer 4 policy block IM traffic in IOS firewall?

The class map "MSN" will not work. The config is trying to match IMAP AND the access-list, and IMAP has nothing to do with MSN.

Confirmation it is not working is in the policy-map lines:

"0 packets, 0 bytes"

To be honest, using QoS (which is what the policy map is) is not the way to block this type of traffic. MSN has specific ports, depending on the version. The latest versions of MSN or Live Messenger will use HTTP.

HTH>

New Member

Re: Can a layer 4 policy block IM traffic in IOS firewall?

Thank you Andrew!

I figured that this configuration had nothing to do with what the customer wants.

I am now configuring using the zone-based policies.

Configuring an Instant Messenger (IM) Policy

http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008060f6dd.html#wp1566338

However, this seems to have only a match-any clause, which does not give the option to tie an ACL to it so that the action is taken only on certain IP traffic.

Is there any other way to accomplish it?
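One way to get the per-host control asked about above, as an added example that is not part of this thread or of the linked Cisco guide: the zone-based firewall's layer 3/4 inspect class-map accepts match-all with an ACL plus a protocol match, so the per-host decision is made there, and the layer 7 IM class-map (which is match-any only, as noted) is not needed for it. The zone names, interface, the host address and the IM_ALLOWED_HOSTS / IM_PROTOCOLS / IM_FROM_* names are assumptions of mine; the NBAR protocol names msnmsgr, ymsgr and aol, and whether they classify newer HTTP-based clients, depend on the IOS release.

```cisco
! Added example, not from the thread. Hosts allowed to use IM (constructed address).
ip access-list extended IM_ALLOWED_HOSTS
 permit ip host 192.168.1.10 any
!
! IM protocols recognised by NBAR; the exact set depends on the IOS release.
class-map type inspect match-any IM_PROTOCOLS
 match protocol msnmsgr
 match protocol ymsgr
 match protocol aol
!
! match-all: only IM traffic sourced from the allowed hosts lands here.
class-map type inspect match-all IM_FROM_ALLOWED
 match access-group name IM_ALLOWED_HOSTS
 match class-map IM_PROTOCOLS
!
! Any other IM traffic.
class-map type inspect match-all IM_FROM_OTHERS
 match class-map IM_PROTOCOLS
!
! Ordinary traffic that is inspected statefully.
class-map type inspect match-any GENERAL
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Order matters: the more specific class must come before the broader one.
policy-map type inspect INSIDE_TO_OUTSIDE
 class type inspect IM_FROM_ALLOWED
  inspect
 class type inspect IM_FROM_OTHERS
  drop log
 class type inspect GENERAL
  inspect
 class class-default
  drop
!
zone security inside
zone security outside
zone-pair security IN_TO_OUT source inside destination outside
 service-policy type inspect INSIDE_TO_OUTSIDE
!
interface BVI1
 zone-member security inside
!
! Verify: drop counters on IM_FROM_OTHERS should rise while IM_FROM_ALLOWED
! shows inspected sessions.
! show policy-map type inspect zone-pair IN_TO_OUT
```

Unlike the QoS policy-map in the original post, the counters here are per zone-pair, so a class that never matches shows up the same way ("0 packets") and points straight at a classification problem.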

Re: Can a layer 4 policy block IM traffic in IOS firewall?

Mmmmm reading the link - I would kinda agree on that, however I have not had much experience with the zone-based firewall config. I do not have access to a router that supports this feature, so I cannot really see if multiple matches are available.

Sorry - perhaps another netpro has.

HTH>
