Cisco Support Community

How do I Block IM File Transfer

I'm trying to block MSN and Yahoo! messenger file transfers, while still allowing chat and other services. The problem I get is when I try to apply the inspect rules in my policy, I get an error that I can't have multiple inspect rules:



ASA01(config)# policy-map MyInsidePolicy
ASA01(config-pmap)# class ALL
ASA01(config-pmap-c)# inspect http WebMSN
ASA01(config-pmap-c)# inspect im BlockMSN
ERROR: Multiple inspect commands can't be configured for a class without 'match default-inspection-traffic|none' in it.



This is my config so far:


class-map ALL
 match any
class-map inspection_default
 match default-inspection-traffic

policy-map type inspect http WebMSN
 protocol-violation action drop-connection
 class _default_msn-messenger
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect http
policy-map type inspect im BlockMSN
 description To Block MSN
 match service file-transfer
  drop-connection log
policy-map type inspect im BlockYahoo
 match service file-transfer
  drop-connection log
policy-map MyInsidePolicy
 class ALL
  inspect http WebMSN

service-policy global_policy global


I also get this:


ASA01(config-pmap-c)# class-map ALL
ASA01(config-cmap)# match default-inspection-traffic
ERROR: This match command can only coexist with 'match access-list'



What is the proper way to accomplish this?


Re: How do I Block IM File Transfer

I think you should create a separate class for all the protocols that you want to inspect and then group all these classes under a policy-map and then apply this to the interface using the service-policy command. You may also try adding the "match default-inspection-traffic" command to the associated class-map. After doing this, you will be allowed to add the additional inspect statements to the same policy-map; however, this is not how the config should be done and you may get errors at some later stage. I think it will be better to use a Websense server to block the MSN or Yahoo file transfer.
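
The rule behind the first error message, as an added example (not code from the thread or from Cisco): a Python check that flags any layer 3/4 class holding more than one `inspect` without the exemption the error text names, run over the question's layout and over a one-class-per-protocol layout like the reply describes. Both sample configs are constructed; the class names and port numbers in the second are assumptions, and the parser assumes `show running-config`-style indentation.

```python
# Constructed sample: the layout from the question (one class, two inspects).
FAILING = """\
class-map ALL
 match any
policy-map MyInsidePolicy
 class ALL
  inspect http WebMSN
  inspect im BlockMSN
"""

# Constructed sample: one class per protocol; names and ports are assumptions.
SPLIT = """\
class-map HTTP_CLASS
 match port tcp eq 80
class-map MSN_CLASS
 match port tcp eq 1863
policy-map MyInsidePolicy
 class HTTP_CLASS
  inspect http WebMSN
 class MSN_CLASS
  inspect im BlockMSN
"""

def multi_inspect_violations(config):
    """Return [(policy-map, class, [inspects])] for classes the ASA would reject."""
    exempt, inspects = set(), {}
    cmap = pmap = cls = None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw[0].isspace():  # unindented line starts a new top-level object
            cmap = pmap = cls = None
            if len(words) == 2 and words[0] == "class-map":
                cmap = words[1]   # layer 3/4 class map (no 'type inspect')
            elif len(words) == 2 and words[0] == "policy-map":
                pmap = words[1]   # layer 3/4 policy map
        elif cmap and words[:2] in (["match", "default-inspection-traffic"], ["match", "none"]):
            exempt.add(cmap)      # exemption named in the error text
        elif pmap and words[0] == "class" and len(words) == 2:
            cls = words[1]
        elif pmap and cls and words[0] == "inspect":
            inspects.setdefault((pmap, cls), []).append(" ".join(words[1:]))
    return [(p, c, cmds) for (p, c), cmds in inspects.items()
            if len(cmds) > 1 and c not in exempt]

if __name__ == "__main__":
    for name, cfg in (("FAILING", FAILING), ("SPLIT", SPLIT)):
        print(name, multi_inspect_violations(cfg) or "ok")
```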