Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Restricting access to Peer-to-peer, msn with ASA 5510 ?

hi,

how to access to the ASA's embedded IPS gui page? And how to restrict access to the MSN peer to peer applications? thanks...

9 REPLIES
Cisco Employee

Re: Restricting access to Peer-to-peer, msn with ASA 5510 ?

Hi,

You can access it via ASDM or IDM.

To use IDM, just point your browser to

https://

Thank you.

Edward

New Member

Re: Restricting access to Peer-to-peer, msn with ASA 5510 ?

If we dont have AIP cant we do this ?

Cisco Employee

Re: Restricting access to Peer-to-peer, msn with ASA 5510 ?

I'm sorry I'm not sure if I understand your question correctly.

No, if you don't have AIP module, then you can't use ASDM's IPS link nor IDM.

Edward

New Member

Re: Restricting access to Peer-to-peer, msn with ASA 5510 ?

ok here is the question :

I have ASA 5510 and it doesnt have an AIP module. I want to stop users using chat (msn etc.) and peer to peer file sharing (kazaa etc.) programs. can I do it without the AIP module?

New Member

Re: Restricting access to Peer-to-peer, msn with ASA 5510 ?

You can but you're not going to like the answer. Without the benefit of IDS signatures which can recognize any chat/p2p that is NOT ecrypted you can really only choose to block the destination IPs for those clients.

I tried this years ago. I setup a PC and installed MSN, Yahoo, AOL, ICQ, and every other chat client, as well as Limewire, Gnutella, Morpheus... and so on with the P2P clients.

In the end I gave up because most of these clients don't use a static TCP port and some connect to dozens of IPs. I think I was up to 130+ IPs and some things were still getting through.

Signatures are the only way to go if you can't lockdown the workstations and restrict those clients from running. We do that here because even with IDS some of those clients are moving to some form of SSL which makes the IDS not as effective.

New Member

Re: Restricting access to Peer-to-peer, msn with ASA 5510 ?

With the ASA ver 7.2 you can quiet easily stop Messaging in the default service policy, there is a IM tab in the protocol inspection and it will prevent MSN and Yahoo chat.

New Member

Re: Restricting access to Peer-to-peer, msn with ASA 5510 ?

Has anyone tried this successfully?

I can see it working for a while, but if the IM services change their login server or URL information then your going to be constantly rewriting the class maps.

I'm also certain it won't work for SSl encrypted chat as there's no way to inspect encrypted. traffic.

I'd love for this to be as easy as clicking a button but past experience has been otherwise.

New Member

Re: Restricting access to Peer-to-peer, msn with ASA 5510 ?

I Had the same experience with earlier version 7.0 where I had the same results, first attempt MSN blocked but second worked as it shifted its port numbers, but with V7.2 it works well and have it running on various customet sites.

I agree you mught have a problem with encrypted traffic though.

New Member

Re: Restricting access to Peer-to-peer, msn with ASA 5510 ?

Hmmm maybe we'll have to try this.

At least it can handle MSN & YahooIM. We'll have to take other measures for AOL, Meebo, etc. Some of those get squashed by our web filter.

Until we get an SSL proxy solution in the SSL stuff like Google Chat is going to be a challenge.

278
Views
0
Helpful
9
Replies
CreatePlease to create content