New Member

How to allow Skype through ASA?

Hello Guys,

I am trying to allow Skype communication through an ASA firewall. In the current scenario I need to allow all TCP ports, or TCP port 80, for Skype to work, but that gives users access to every URL on the Internet. So I want to allow the Skype application only, without giving full access to the users.

Please suggest if anyone is aware of the solution.

Thanks,

Akshay

Bronze

Re: How to allow Skype through ASA?

Hi Akshay,

Skype is a chat application and is not HTTP based.

I think you will find this information helpful.

http://www.skype.com/intl/en-us/support/user-guides/firewalls/technical/

Cheers,


Avinash.

Cisco Employee

Re: How to allow Skype through ASA?

I have not gone through the link, but from my previous experience I think the traffic is encrypted (I think SSL, 443), so I am not sure if you will be able to achieve what you need.

In any case, most such applications end up using random dynamic ports, which is why firewalls have a challenge blocking IM and torrent traffic. In your case I guess you are blocking everything and want to allow only a few things, but the problem is still the same.

Bronze

Re: How to allow Skype through ASA?

It specifies more or less the same thing.

Allowing all outgoing TCP ports is what is suggested by Skype.

Cheers,


Nash.

New Member

Re: How to allow Skype through ASA?

Yes indeed, Skype suggests opening all ports.

I am surprised to see that Cisco does not have any solution for blocking/allowing Skype specifically. I thought it was possible through the use of the Modular Policy Framework, just as for blocking Yahoo/IM.

Cisco Employee

Re: How to allow Skype through ASA?

The ASA doesn't have an inspection for Skype.

On the other hand, routers can use NBAR or FPM to block Skype.

PK
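As an added example of the router-side approach PK mentions (this is not configuration from the original thread, and it assumes an IOS router whose NBAR release or PDLM recognises Skype, with the LAN on GigabitEthernet0/0), the following classifies Skype with NBAR and drops it on ingress from the LAN:

```cisco
! Added example, not from the original thread.
! Assumed: IOS router with NBAR support for "match protocol skype",
! LAN-facing interface GigabitEthernet0/0.
class-map match-any CM-SKYPE
 match protocol skype
!
policy-map PM-LAN-IN
 class CM-SKYPE
  drop
 class class-default
!
interface GigabitEthernet0/0
 ip nbar protocol-discovery
 service-policy input PM-LAN-IN
```

Check what NBAR actually sees with "show ip nbar protocol-discovery interface GigabitEthernet0/0" and confirm the drop counters with "show policy-map interface GigabitEthernet0/0". The reverse policy (permit only the Skype class and drop class-default) is possible, but it also drops DNS and everything else NBAR has not classified, so it needs explicit classes for every other service the LAN must reach.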

New Member

How to allow Skype through ASA?

Hi,

To work correctly, Skype requires unrestricted outgoing TCP access to:

  • All destination ports above 1024 (recommended)

    or

  • Ports 80 and 443

When you install Skype, a port above 1024 is chosen at random as the port for incoming connections. You can configure Skype to use a different port for incoming connections if you wish, but if you do you must open the alternative port manually.

Regards,

Tony

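The port requirements Tony quotes, expressed as ASA access lists (an added example, not configuration from the original thread; it assumes an inside network of 192.168.10.0/24, an internal DNS resolver at 192.168.10.5, and ASA 8.x CLI syntax). The first list is the situation the original poster describes; the second is as tight as a port-based filter can get while still meeting Skype's stated needs:

```cisco
! Added example, not from the original thread.
! Assumed: inside network 192.168.10.0/24, internal DNS 192.168.10.5.
!
! --- Weak setting: what the original poster has today ---
! Every outbound TCP connection is permitted, so every website is reachable.
access-list INSIDE_IN extended permit tcp 192.168.10.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
!
! --- Narrowed to what Skype says it needs ---
no access-group INSIDE_IN in interface inside
clear configure access-list INSIDE_IN
access-list INSIDE_IN remark Skype: any TCP destination port above 1024 (Skype's recommendation)
access-list INSIDE_IN extended permit tcp 192.168.10.0 255.255.255.0 any gt 1024
access-list INSIDE_IN remark Skype fallback: HTTP/HTTPS (note: this also permits ordinary web browsing)
access-list INSIDE_IN extended permit tcp 192.168.10.0 255.255.255.0 any eq 80
access-list INSIDE_IN extended permit tcp 192.168.10.0 255.255.255.0 any eq 443
access-list INSIDE_IN remark DNS to the internal resolver (assumed; not discussed in the thread)
access-list INSIDE_IN extended permit udp 192.168.10.0 255.255.255.0 host 192.168.10.5 eq 53
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
```

Check hit counts with "show access-list INSIDE_IN" and trace a sample flow with "packet-tracer input inside tcp 192.168.10.20 40000 203.0.113.10 443". The caveat is the one the rest of the thread makes: with 80 and 443 open, browsing still works, and "gt 1024" admits any service on a non-standard port, so a layer-4 filter cannot tell Skype from anything else.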

Re: How to allow Skype through ASA?

Hi Bro

Unfortunately, the PIX/ASA is not able to block Skype traffic. Skype has the capability to negotiate dynamic ports and to use encrypted traffic. With encrypted traffic, it is virtually impossible to detect, as there are no patterns to look for.

You could eventually use a Cisco Intrusion Prevention System (IPS). It has some signatures that are able to detect a Windows Skype client that connects to the Skype server to synchronize its version. This is usually done when the client initiates the connection. When the sensor picks up the initial Skype connection, you will be able to find the person who uses the service and block all connections initiated from their IP address.

Frankly, I don't know any company that encourages its staff to install the Skype application on their laptops, for network security reasons. I know I wouldn't. However, if you still insist that staff should be able to chat with peers/friends outside your network, you can:

Option A

--------------

Get the staff to subscribe to Meebo instead. Meebo is an Ajax site that lets you chat online with your friends who use Yahoo Messenger, MSN Messenger, AIM, ICQ and Jabber (including Google Talk). You can log into all the IM networks simultaneously from your browser. If you don't want to create a Meebo account, you can get into one IM network at a time.

Option B

--------------

Incorporate Cisco's Cut-through Proxy Authentication feature in your ASA firewall (no extra license needed, but you will need a RADIUS server, e.g. Cisco ACS), assuming you only want to allow certain staff to have the privilege of using Skype, but not everyone in the office. https://supportforums.cisco.com/community/netpro/security/aaa/blog/2011/01/21/limiting-internet-access-based-on-user-profile-using-asa-and-radius


Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
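Option B above, as an added example (not configuration from the original thread or the linked blog; it assumes an inside network of 192.168.10.0/24, a RADIUS server at 192.168.10.5, and that the per-user permit list is returned by RADIUS as a downloadable ACL, which is how the linked ASA-plus-RADIUS approach limits access per user profile). Because cut-through proxy can only prompt for credentials on HTTP, HTTPS, FTP and Telnet, an HTTP listener is enabled so a user can authenticate in a browser before the high-port Skype traffic is allowed:

```cisco
! Added example, not from the original thread.
! Assumed: inside network 192.168.10.0/24, RADIUS (e.g. Cisco ACS) at 192.168.10.5.
aaa-server SKYPE-RADIUS protocol radius
aaa-server SKYPE-RADIUS (inside) host 192.168.10.5
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
!
! Traffic that requires an authenticated user: the high TCP ports Skype uses.
access-list AUTH-SKYPE extended permit tcp 192.168.10.0 255.255.255.0 any gt 1024
aaa authentication match AUTH-SKYPE inside SKYPE-RADIUS
!
! Skype itself cannot answer an authentication prompt, so give users a
! browser page to log in at (assumed port 8080) before they start Skype.
aaa authentication listener http inside port 8080
!
! Drop the authenticated session after 30 minutes so a shared desk does
! not keep the privilege indefinitely.
timeout uauth 0:30:00 absolute
!
! The interface ACL still has to permit the ports; the RADIUS profile for
! a Skype-entitled user is assumed to return a downloadable ACL that
! permits "tcp any gt 1024", while other users get no such entry.
access-list INSIDE_IN extended permit tcp 192.168.10.0 255.255.255.0 any gt 1024
access-list INSIDE_IN extended permit tcp 192.168.10.0 255.255.255.0 host 192.168.10.5 eq 8080
access-group INSIDE_IN in interface inside
```

Confirm who is logged in with "show uauth" and check the RADIUS exchange with "test aaa-server authentication SKYPE-RADIUS host 192.168.10.5 username <user> password <pw>". This controls which users may open high-port TCP connections; it still does not identify the Skype application itself, which is the limitation the thread is describing.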