Modular Policy Framework

anishpeter
Level 1

Hi all,

Please explain how I can block P2P applications such as eMule, Kazaa, etc. with Modular Policy Framework?

Also, how can I block certain file types from being uploaded to an internal FTP server?

7 Replies

abinjola
Cisco Employee

You may know that ASA/PIX (version 7) has default classes for this type of traffic:

Security-525(config-pmap-c)# sh run all class-map type inspect http
!
class-map type inspect http match-all _default_gator
 match request header user-agent regex _default_gator
class-map type inspect http match-all default_kazaa
 match none
class-map type inspect http match-all _default_msn-messenger
 match response header content-type regex _default_msn-messenger
class-map type inspect http match-all _default_yahoo-messenger
 match request body regex _default_yahoo-messenger
class-map type inspect http match-all _default_windows-media-player-tunnel
 match request header user-agent regex _default_windows-media-player-tunnel
class-map type inspect http match-all _default_gnu-http-tunnel
 match request args regex _default_gnu-http-tunnel_arg
 match request uri regex _default_gnu-http-tunnel_uri
class-map type inspect http match-all _default_firethru-tunnel
 match request header host regex _default_firethru-tunnel_1
 match request uri regex _default_firethru-tunnel_2
class-map type inspect http match-all _default_aim-messenger
 match request header host regex _default_aim-messenger
class-map type inspect http match-all _default_http-tunnel
 match request uri regex _default_http-tunnel
class-map type inspect http match-all _default_kazaa
 match response header regex _default_x-kazaa-network count gt 0
class-map type inspect http match-all _default_shoutcast-tunneling-protocol
 match request header regex _default_icy-metadata regex _default_shoutcast-tunneling-protocol
class-map type inspect http match-all _default_GoToMyPC-tunnel
 match request args regex _default_GoToMyPC-tunnel
 match request uri regex _default_GoToMyPC-tunnel_2
class-map type inspect http match-all _default_httport-tunnel
 match request header host regex _default_httport-tunnel
!

So you use the following commands to block, for example, Kazaa:

policy-map type inspect http filterp2p
Security-525(config-pmap-c)# policy-map global_policy
Security-525(config-pmap)# policy-map type inspect http filterp2p
Security-525(config-pmap)# class default_kazaa
Security-525(config-pmap-c)# drop-connection log

See if this helps!
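An added example, not part of the reply above and not Cisco's own configuration: a complete Modular Policy Framework configuration in ASA/PIX 7.2-or-later syntax that attaches the HTTP inspection map to the global policy and, going beyond the reply, covers the FTP upload question with an FTP inspection map. The names `filterp2p` and `_default_kazaa` come from the thread; `blocked_upload_ext`, `ftp_blocked_upload`, `ftp_upload_filter` and the extension list are assumptions, as is referencing the built-in class by name the way the reply does.

```cisco
! Added example; object names other than filterp2p and _default_kazaa
! are hypothetical.
!
! HTTP: drop and log connections that match the built-in Kazaa class.
! The listing above also shows a class "default_kazaa" (no leading
! underscore) whose only condition is "match none", so it matches nothing.
policy-map type inspect http filterp2p
 parameters
 class _default_kazaa
  drop-connection log
!
! FTP: reset upload commands whose file name contains a blocked extension.
! The extension list is a constructed sample.
regex blocked_upload_ext "\.([Ee][Xx][Ee]|[Mm][Pp]3|[Aa][Vv][Ii])"
class-map type inspect ftp match-all ftp_blocked_upload
 match request-command put stou appe
 match filename regex blocked_upload_ext
policy-map type inspect ftp ftp_upload_filter
 parameters
 class ftp_blocked_upload
  reset log
!
! An inspection policy map does nothing until an inspect command in a
! Layer 3/4 policy map references it and a service-policy applies that map.
policy-map global_policy
 class inspection_default
  inspect http filterp2p
  inspect ftp strict ftp_upload_filter
!
service-policy global_policy global
```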

I've been struggling with the following for the past year without any solutions:

1- I want to block users from using AOL Instant Messaging. AOL can masquerade any ports. I don't want to do a nslookup and block the AOL destination. With Checkpoint, this was not an issue via SmartDefense. How can I do this with pix or asa devices?

2- How do I block nachi worm with Pix/ASA, like this below:

access-list 199 permit icmp any any echo
access-list 199 permit icmp any any echo-reply
route-map nachi-worm permit 10
 match ip address 199
 match length 92 92
 set interface Null0
interface F0/0
 no ip unreachables
 ip route-cache policy
 ip policy route-map nachi-worm

I can do this with Checkpoint in 20 seconds. With Pix, I don't know how.

GUIs are always a 20 seconds game..

so what are the solutions for pix/asa?

Hello Anish, please try my sample config that I posted for you and let me know if there is anything else I can help you with.

Hi.. ASHISH

Thanks a lot. I haven't noticed the above default class maps. I will try it.

I also set my FTP policy to allow only certain file types. Can I use the CSC module to inspect inbound FTP files? If my ASA has the AIP module populated and no room for CSC, how can I use an antivirus program to inspect inbound FTP traffic?

Hey Anish, well, if you have an AIP/SSM module or CSC module then you actually have a full-fledged IPS mechanism, and you can certainly monitor/block/reset inbound/outbound FTP files or FTP commands as well.

You just need to configure AIP-SSM and turn on all the default signatures.
