I am trying to allow Skype communication through the ASA firewall. In the current scenario I need to allow all TCP ports or TCP port 80 to allow Skype, but that gives users access to every URL on the Internet. So I want to allow the Skype application only, without giving full access to the users.
Please suggest if anyone is aware of the solution.
I have not gone through the link, but from my previous experience I think the traffic is encrypted (I think SSL 443), so I am not sure if you will be able to achieve what you need.
In any case, most such applications end up using random dynamic ports, which is why firewalls have a challenge blocking IM and torrent traffic. In your case I guess you are blocking everything and want to allow only a few, but the problem is still the same.
To work correctly, Skype requires unrestricted outgoing TCP access to:
All destination ports above 1024 (recommended)
Ports 80 and 443
When you install Skype, a port above 1024 is chosen at random as the port for incoming connections. You can configure Skype to use a different port for incoming connections if you wish, but if you do you must open the alternative port manually.
Unfortunately, the PIX/ASA is not able to block skype traffic. Skype has the capability to negotiate dynamic ports and to use encrypted traffic. With encrypted traffic, it is virtually impossible to detect it as there are no patterns to look for.
You could eventually use a Cisco Intrusion Prevention System (IPS). It has some signatures that are able to detect a Windows Skype client that connects to the Skype server to synchronize its version. This is usually done when the client initiates the connection. When the sensor picks up the initial Skype connection, you will be able to find the person who uses the service and block all connections initiated from their IP address.
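An added example, not from any poster in this thread, of what the Skype port requirements quoted above and the IPS-based blocking suggestion look like as ASA configuration. The interface name, the ACL name and the flagged host address 192.0.2.10 (a documentation address) are assumptions.

```cisco
! Added example, not from this thread. Interface and ACL names and the
! blocked host address (192.0.2.10, a documentation address) are assumed.
!
! Outbound policy applied on the inside interface. It admits exactly what
! the quoted Skype requirements call for: TCP 80, TCP 443 and every
! destination port above 1024. Everything else outbound is denied and logged.
! Note that "permit tcp any any eq www" is also what gives users HTTP to
! any URL, so this ACL alone cannot admit Skype while withholding general
! web access; the port requirements and the URL restriction conflict.
access-list INSIDE_OUT remark --- hosts identified by the IPS as running Skype ---
access-list INSIDE_OUT extended deny ip host 192.0.2.10 any log
access-list INSIDE_OUT remark --- Skype outbound requirements ---
access-list INSIDE_OUT extended permit tcp any any eq www
access-list INSIDE_OUT extended permit tcp any any eq https
access-list INSIDE_OUT extended permit tcp any any gt 1024
access-list INSIDE_OUT extended deny ip any any log
access-group INSIDE_OUT in interface inside
!
! Alternative to the deny ACE for a host the IPS sensor flags: shun drops
! every connection from that source immediately, including ones already
! established, without editing the ACL. Lift it with "no shun 192.0.2.10".
shun 192.0.2.10
```

The deny ACE for the flagged host sits above the permits because the ASA evaluates ACEs in order and stops at the first match.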
Frankly, I don't know any company that encourages its staff to install the Skype application on their laptops, for network security reasons. I know I wouldn't. However, if you still insist that staff should be able to chat with peers/friends outside your network, you can:
Get the staff to subscribe to Meebo instead. Meebo is an Ajax site that lets you chat online with your friends who use Yahoo Messenger, MSN Messenger, AIM, ICQ and Jabber (including Google Talk). You can log into all the IM networks simultaneously from your browser. If you don't want to create a Meebo account, you can get into one IM network at a time.