From long I have been hearing of that we can block chatting with MSN , Yahoo , and IRC using access list on the PIX. Can any one give me inputs as to how it can be done , with also the ports that are to be blocked for the same.
While it is possible to block the default ports that any of the instant messenging programs use unfortunately they ALL have the ability to search for and use ANY other available port if the default port is unavailable. The other option is to block the IP addresses but, then you run into another roadblock in that AOL for instance has many many many IP addresses dedicated to Instant Messenger making blocking by IP with Access Lists a nightmare at best. It might be possible to block the Instant Messenging programs using IDS but, I have not checked into that as a possible solution. Maybe someone else out there has tried it.
My Name is Zeshan Mansoor Jalali.I am Zaher's Colleague. I agree with what Bob has said in his reply but I can help you in blocking MSN messenger on a network.
If you run the command 'netstat' you will get an output in which you wil see that in order to make an msn messenger session, a source host always initiate a connection to a destination dynamic IP address but on a fixed destination tcp port number 1863.
so if you want t block msn messenger on your internal network possibly LAN you can add probably this command to your access-list for PIX inside interface.
access-list acl_name deny tcp any any eq 1863
For the destination IP address I have mentioned "any" as the MSN uses RR DNS(Round Robin DNS) to load balance among their several chat servers) but the port is same i.e 1863/tcp.
This will work ONLY if the user doesn't go into preferences for MSN messenger and simply change the default port. It is as simple as that. When you have users abusing messenging services you can bet they know how to change the ports to connect.
Well, it's not quite that easy. The MSN messenger servers will only listen to port 1080, and that can't be changed (yet). Yahoo, on the other hand, can be changed (to look like HTTP traffic).
Of course, you're never going to be able to defeat chat services completely. You might be able to reduce the problem, but never totally defeat it. Anybody who's tech-savvy will simply fire up a proxy somewhere on the Internet and use that (I know I would if I felt like breaking company policy).
I tested the following ACL's and could no longer connect to MSN or Yahoo Instant Messenger Services. I also, could not find any reference in the MSN Instant Messenger Application version 3.6.0039 to change the default port value used.
Of course you will have to maintain the ACL's to making sure Yahoo or Microsoft don't change their applications or add servers.
!!! The following ACL used to Block MSN Messenger
access-list acl_out deny tcp any any eq 1863
!!! The following ACL's used to Block Yahoo Messenger
access-list acl_out deny tcp any host 22.214.171.124
access-list acl_out deny tcp any host 126.96.36.199
access-list acl_out deny tcp any host 188.8.131.52
I tried the same way creating access-list blocking 1863 for msn and for the yahoo but it did not work. From my machine when i type in netstat it is showing port 1863 established though i denied the port both by access-list and by conduit. Should i attach these ACL commands to Access-group interface. Any suggestions for this porblem
You can block those chat services but it takes a long time to find those ip addresses. You can create access-list and access-group like
access-list ID action protocol source_address port destination_address port
and attaching access-group for the same like
access-group id action(permit/deny) in interface inside.
First you can block the port 5050 which the yahoo uses default and 1863 which the msn uses. But both these chat has serveral server and you have to manually check. You can install the messenger on your machine and connect. once you are connected go to the command prompt and type netstat and you will get the dns name of the messenger services. you can ping and get the ip address and block and again repeat the same. This is the way i have blocked the entire Yahoo messenger. I will check if i could get better option and it will be very helpfull for all of us if some one comes with better option.
make sure to give a permit statement like
access-list id permit ip any any
at the end of your deny statements to allow other traffic to flow.
We have another discussion going on right there concerning this issue, I have attacked it a completely different way, denying every port from the start and then allowing ports that are actually needed by users. I have also allowed myself access to Kazaa. (just to see if it would work ;p ) MSN does not work at all right now - no matter how many ports it tries to go out on. Same for yahoo,,, for now.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :