Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1873
Views
0
Helpful
11
Replies

Can I filter Skype with ASA?

fedecotofaja
Level 1
Level 1

‎02-23-2009 09:35 AM - edited ‎03-11-2019 07:55 AM

Hi All,

Can I block Skype using my ASA?

If so, how can I do it?

Thank you all!

Labels:
0 Helpful
11 Replies 11

Yudong Wu
Level 7
Level 7

‎02-23-2009 09:58 AM

As far as I know, Skype encrypts the traffic and also dynamically allocates port. ASA could not to block that. In other word, as long as the user has installed Skype, you don't have much to do to block it's traffic. But, in IPS module, there is signature which can identify if there is Skype client in your network to contact with Skype server (download Skype server setting each time). So, you can find who are using it.

0 Helpful

fedecotofaja
Level 1
Level 1
In response to Yudong Wu

‎02-23-2009 10:03 AM

Hi,

Thank you for your response.

I've seen some tips on how to block Skype using IOS... for example this link:

http://ciscotips.wordpress.com/2006/06/07/how-to-block-skype/

I imagine we can do something similar with the ASA?

Thank you!

0 Helpful

Yudong Wu
Level 7
Level 7
In response to fedecotofaja

‎02-23-2009 10:24 AM

Yeah, that's a feature on IOS. Not sure if ASA supports it.

0 Helpful

fedecotofaja
Level 1
Level 1
In response to Yudong Wu

‎02-23-2009 11:58 AM

Thank you kwu2!

Do you know if anyone has tried using regex with Policy Maps? Maybe doing an advanced match, knowing which part of the packet is used by NBAR to filter the traffic?

I have a situation that I need to know if anybody has tested this succesfully or doing something else with the ASA like the IOS can...

Thank you all!!!

0 Helpful

Yudong Wu
Level 7
Level 7
In response to fedecotofaja

‎02-23-2009 12:15 PM

sorry, to my knowledge, the answer is NO.

0 Helpful

fedecotofaja
Level 1
Level 1
In response to Yudong Wu

‎02-23-2009 12:16 PM

Thank you!!

0 Helpful

fedecotofaja
Level 1
Level 1
In response to Yudong Wu

‎02-23-2009 01:44 PM

It just seems odd to me that we can block Skype using IOS but not using an ASA....

I'll see other solutions then...

Thank you!

0 Helpful

zenon_electronics
Level 1
Level 1
In response to fedecotofaja

‎02-24-2009 06:17 AM

Hi, I've spend about 2 weeks hardworking to block skype. I'm using Cisco IOS firewall and i'm not similar with ASA.

I'll tell you how it works for IOS.

The way of how to block skype on the link you have seen work only for old versions but no for skype 3.6 and latest.

First you have to block all ports except these you realy need.

I guess you will need to permit 80 and 443 port. Skype will then connect over these ports. In Cisco IOS there is deep packet inspection of HTTP traffic.

That way you deny port-missue and protocol-violation.

When you do that you deny skype over http, and it will connect only over https. When Skype connects over https, it sends server hello packets with lenght 112 bytes. You just have to block all packets with that length and you are done.

See the attachment on the post.

I hope i helped.

Preview file
1 KB
0 Helpful

fedecotofaja
Level 1
Level 1
In response to zenon_electronics

‎02-24-2009 06:26 AM

Hey!

This is very cool!

Can we achieve the same thing with the ASA?

Thank you!

0 Helpful

zenon_electronics
Level 1
Level 1
In response to fedecotofaja

‎02-24-2009 06:31 AM

Sorry I don't know anything about ASA

0 Helpful

fedecotofaja
Level 1
Level 1
In response to zenon_electronics

‎02-24-2009 06:40 AM

That's ok...

Thank you very much for your help on how to block Skype using IOS...

I imagine that if we can do it with IOS, we should be able to do it with the ASA also...

I am posting this question again... just because maybe somebody else have any thoughts...

Thank you!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card