Cisco Support Community
Community Member

Can I filter Skype with ASA?

Hi All,

Can I block Skype using my ASA?

If so, how can I do it?

Thank you all!

11 REPLIES

Re: Can I filter Skype with ASA?

As far as I know, Skype encrypts the traffic and also dynamically allocates ports. The ASA could not block that. In other words, as long as the user has installed Skype, you don't have much you can do to block its traffic. But in the IPS module there is a signature which can identify if there is a Skype client in your network contacting the Skype server (it downloads Skype server settings each time). So, you can find who is using it.

Community Member

Re: Can I filter Skype with ASA?

Hi,

Thank you for your response.

I've seen some tips on how to block Skype using IOS... for example this link:

http://ciscotips.wordpress.com/2006/06/07/how-to-block-skype/

I imagine we can do something similar with the ASA?

Thank you!

Re: Can I filter Skype with ASA?

Yeah, that's a feature on IOS. Not sure if ASA supports it.

Community Member

Re: Can I filter Skype with ASA?

Thank you kwu2!

Do you know if anyone has tried using regex with Policy Maps? Maybe doing an advanced match, knowing which part of the packet is used by NBAR to filter the traffic?

I have a situation where I need to know if anybody has tested this successfully or is doing something else with the ASA like the IOS can...

Thank you all!!!

Re: Can I filter Skype with ASA?

Sorry, to my knowledge, the answer is NO.

Community Member

Re: Can I filter Skype with ASA?

Thank you!!

Community Member

Re: Can I filter Skype with ASA?

It just seems odd to me that we can block Skype using IOS but not using an ASA....

I'll see other solutions then...

Thank you!

Community Member

Re: Can I filter Skype with ASA?

Hi, I've spent about 2 weeks working hard to block Skype. I'm using the Cisco IOS firewall and I'm not familiar with the ASA.

I'll tell you how it works for IOS.

The way to block Skype at the link you have seen works only for old versions, but not for Skype 3.6 and later.

First you have to block all ports except those you really need.

I guess you will need to permit ports 80 and 443. Skype will then connect over these ports. In Cisco IOS there is deep packet inspection of HTTP traffic.

That way you deny port-misuse and protocol-violation.

When you do that you deny Skype over HTTP, and it will connect only over HTTPS. When Skype connects over HTTPS, it sends server hello packets with a length of 112 bytes. You just have to block all packets with that length and you are done.

See the attachment on the post.

I hope I helped.
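The length heuristic described in the post above can be tried in log-only mode on reassembled server-to-client streams to see which hosts it would match before any drop rule is enforced. This is an added example, not part of the original post or its attachment; reading "112 bytes" as the TLS record length, the function names, and the sample flows are all assumptions made for illustration.

```python
import struct

# Length quoted in the post; treating it as the TLS record length is an assumption.
SKYPE_HELLO_LEN = 112

def tls_records(stream: bytes):
    """Yield (content_type, payload) for each complete TLS record in a byte stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack_from("!BHH", stream, off)
        if ctype not in (20, 21, 22, 23) or version >> 8 != 3:
            return  # not TLS record framing, stop parsing
        payload = stream[off + 5: off + 5 + length]
        if len(payload) < length:
            return  # truncated record
        yield ctype, payload
        off += 5 + length

def server_hello_lengths(stream: bytes):
    """Record length of every handshake record that starts with a ServerHello (type 2)."""
    return [len(p) for ctype, p in tls_records(stream)
            if ctype == 22 and len(p) >= 4 and p[0] == 2]

def matches_post_heuristic(stream: bytes, target: int = SKYPE_HELLO_LEN) -> bool:
    return target in server_hello_lengths(stream)

def make_server_hello(record_len: int) -> bytes:
    """Constructed sample: zero-padded ServerHello of the given record length, not a capture."""
    body_len = record_len - 4
    handshake = bytes([2]) + body_len.to_bytes(3, "big") + bytes(body_len)
    return struct.pack("!BHH", 22, 0x0301, record_len) + handshake

# Constructed server-to-client streams keyed by the inside host that received them.
SAMPLE_FLOWS = {
    "10.0.0.5": make_server_hello(112),
    "10.0.0.9": make_server_hello(81) + struct.pack("!BHH", 20, 0x0301, 1) + b"\x01",
    "10.0.0.7": b"HTTP/1.1 200 OK\r\n\r\n",
}

def flagged_hosts(flows=SAMPLE_FLOWS):
    """Hosts whose stream contains a ServerHello of the target length."""
    return sorted(h for h, s in flows.items() if matches_post_heuristic(s))

if __name__ == "__main__":
    for host in flagged_hosts():
        print(f"{host}: ServerHello record length {SKYPE_HELLO_LEN} seen")
```

Any other server that happens to answer with a ServerHello of the same length is flagged too, so the match count from logging shows how much legitimate HTTPS a length-based drop would break.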

Community Member

Re: Can I filter Skype with ASA?

Hey!

This is very cool!

Can we achieve the same thing with the ASA?

Thank you!

Community Member

Re: Can I filter Skype with ASA?

Sorry, I don't know anything about ASA.

Community Member

Re: Can I filter Skype with ASA?

That's ok...

Thank you very much for your help on how to block Skype using IOS...

I imagine that if we can do it with IOS, we should be able to do it with the ASA also...

I am posting this question again... just because maybe somebody else has any thoughts...

Thank you!
