02-23-2009 09:35 AM - edited 03-11-2019 07:55 AM
Hi All,
Can I block Skype using my ASA?
If so, how can I do it?
Thank you all!
02-23-2009 09:58 AM
As far as I know, Skype encrypts the traffic and also dynamically allocates ports. The ASA could not block that. In other words, as long as the user has installed Skype, you don't have much to do to block its traffic. But in the IPS module there is a signature which can identify if there is a Skype client in your network contacting the Skype server (it downloads the Skype server settings each time). So, you can find out who is using it.
02-23-2009 10:03 AM
Hi,
Thank you for your response.
I've seen some tips on how to block Skype using IOS... for example this link:
http://ciscotips.wordpress.com/2006/06/07/how-to-block-skype/
I imagine we can do something similar with the ASA?
Thank you!
02-23-2009 10:24 AM
Yeah, that's a feature on IOS. Not sure if ASA supports it.
02-23-2009 11:58 AM
Thank you kwu2!
Do you know if anyone has tried using regex with Policy Maps? Maybe doing an advanced match, knowing which part of the packet is used by NBAR to filter the traffic?
I have a situation where I need to know if anybody has tested this successfully, or is doing something else with the ASA like the IOS can...
Thank you all!!!
02-23-2009 12:15 PM
Sorry, to my knowledge, the answer is NO.
02-23-2009 12:16 PM
Thank you!!
02-23-2009 01:44 PM
It just seems odd to me that we can block Skype using IOS but not using an ASA....
I'll see other solutions then...
Thank you!
02-24-2009 06:17 AM
Hi, I've spent about 2 weeks working hard to block Skype. I'm using Cisco IOS firewall and I'm not familiar with ASA.
I'll tell you how it works for IOS.
The way to block Skype in the link you have seen works only for old versions, but not for Skype 3.6 and later.
First you have to block all ports except those you really need.
I guess you will need to permit ports 80 and 443. Skype will then connect over these ports. In Cisco IOS there is deep packet inspection of HTTP traffic.
That way you deny port-misuse and protocol-violation.
When you do that you deny Skype over HTTP, and it will connect only over HTTPS. When Skype connects over HTTPS, it sends server hello packets with a length of 112 bytes. You just have to block all packets with that length and you are done.
See the attachment on the post.
I hope I helped.
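
The length rule from the post above, as an added Python sketch that is not part of the original post or of any Cisco configuration: it compares a match on packet length alone with one that also checks for a TLS ServerHello header, so you can see which other 112-byte packets a length-only rule would catch. It assumes the 112 bytes are the IP total length with 20-byte IP and TCP headers; the function names and sample bytes are constructed for illustration.

```python
import struct

SKYPE_HELLO_IP_LEN = 112  # length quoted in the post; assumed to be IP total length
IP_TCP_HEADERS = 40       # assumption: 20-byte IP + 20-byte TCP header, no options


def parse_tls_record(payload: bytes):
    """Return (content_type, first_body_byte) of the first TLS record, or None."""
    if len(payload) < 6:
        return None
    content_type, major, _minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if major != 3 or rec_len == 0 or rec_len > 16384 + 2048:
        return None  # not a plausible SSL3/TLS record header
    return content_type, payload[5]


def is_server_hello(payload: bytes) -> bool:
    """True for a handshake record (0x16) whose first message is ServerHello (0x02)."""
    return parse_tls_record(payload) == (0x16, 0x02)


def classify(src_port: int, ip_total_len: int, payload: bytes) -> str:
    """'drop' = length and ServerHello match; 'length-only-match' = length alone."""
    if src_port != 443 or ip_total_len != SKYPE_HELLO_IP_LEN:
        return "pass"
    return "drop" if is_server_hello(payload) else "length-only-match"


def make_packet(payload: bytes):
    """Build a (src_port, ip_total_len, payload) tuple for a server-to-client segment."""
    return 443, IP_TCP_HEADERS + len(payload), payload


# Constructed samples (not captured traffic): 72-byte payloads give 112-byte packets.
HELLO_112 = bytes([0x16, 3, 1, 0, 67, 0x02, 0, 0, 63]) + bytes(63)
APPDATA_112 = bytes([0x17, 3, 1, 0, 67]) + bytes(67)
HELLO_135 = bytes([0x16, 3, 1, 0, 90, 0x02, 0, 0, 86]) + bytes(86)

if __name__ == "__main__":
    for name, p in [("hello/112", HELLO_112), ("appdata/112", APPDATA_112),
                    ("hello/135", HELLO_135)]:
        print(name, classify(*make_packet(p)))
```
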
02-24-2009 06:26 AM
Hey!
This is very cool!
Can we achieve the same thing with the ASA?
Thank you!
02-24-2009 06:31 AM
Sorry, I don't know anything about ASA.
02-24-2009 06:40 AM
That's ok...
Thank you very much for your help on how to block Skype using IOS...
I imagine that if we can do it with IOS, we should be able to do it with the ASA also...
I am posting this question again... just because maybe somebody else has any thoughts...
Thank you!