Block msn messenger on pic515e

josky.jara
Level 1

fzamora
Cisco Employee

Hi Josky,

Could you please tell me what code you are running on the PIX?

Also, would it be possible for me to take a look at the access-list and access-group commands you have configured?

If the answer is yes, please do a show access-list and show access-group and send it or upload it.

Now, if you are using code 7.x on the PIX, you can use the Application-Aware Inspection Services that come with the new code.

Check the configuration example below:

Create a class-map for http inspection

pix(config)# class-map http-port
pix(config-cmap)# match port tcp eq 80
pix(config-cmap)# exit

Create an http-map to specify parameters for inspect http

pix(config)# http-map inbound_http
pix(config-http-map)# content-length min 100 max 2000 action reset log
pix(config-http-map)# content-type-verification match-req-rsp action reset log
pix(config-http-map)# max-header-length request 100 action reset log
pix(config-http-map)# max-uri-length 100 action reset log
pix(config-http-map)# port-misuse p2p action drop
pix(config-http-map)# port-misuse im action drop
pix(config-http-map)# port-misuse default action allow
pix(config-http-map)# exit

Create a policy-map for http inspection

pix(config)# policy-map inbound_policy
pix(config-pmap)# class http-port
pix(config-pmap-c)# inspect http inbound_http
pix(config-pmap-c)# exit
pix(config-pmap)# exit

If necessary, create a service-policy or use the default-inspection policy

pix(config)# service-policy inbound_policy interface outside

This ends up in the config as:

--------------------------------------------------------------------------

class-map http-port
match port tcp eq 80
class-map http-port8080
match port tcp eq 8080
http-map inbound_http
content-length min 100 max 2000 action reset log
content-type-verification match-req-rsp action reset log
max-header-length request 100 action reset log
max-uri-length 100 action reset log
port-misuse p2p action drop
port-misuse im action drop
port-misuse default action allow
policy-map inbound_policy
class http-port
inspect http inbound_http
class http-port8080
inspect http inbound_http
service-policy inbound_policy interface outside

Essentially this will cause the PIX to block the IM/P2P applications while still allowing normal traffic over port 80/8080.

Also, here is the link to the PIX 7.0 and ASA CLI architecture. This should be a comprehensive reference for configuring your 7.0 PIX at the CLI level.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_book09186a0080485008.html

Franco Zamora
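The reply above only works if the whole chain holds together: the http-map must be referenced by an "inspect http" line inside a policy-map class, and that policy-map must be bound with a service-policy. The checker below is an added example (not from this thread, Cisco, or the PIX software) that parses a pasted PIX 7.x configuration, in the unindented form the thread uses, and reports for each http-map that drops IM where it is actually enforced; the sample config is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the thread's inbound_policy example; subcommands
# are unindented as in the pasted configs, so the parser keys on keywords instead.
SAMPLE_CONFIG = """\
http-map inbound_http
port-misuse p2p action drop
port-misuse im action drop
port-misuse default action allow
class-map http_port
match port tcp eq www
policy-map inbound_policy
class http_port
inspect http inbound_http
service-policy inbound_policy interface outside
"""
BLOCK_RE = re.compile(r"^(http-map|policy-map|class-map)\s+(\S+)")
APPLY_RE = re.compile(r"^service-policy\s+(\S+)\s+(global|interface\s+\S+)")

def parse_mpf(config):
    """One pass: port-misuse kinds dropped per http-map, http-maps used by
    'inspect http' per policy-map, and attachment points per policy-map."""
    drops, pm_http, applied = defaultdict(set), defaultdict(set), defaultdict(list)
    kind = name = None
    for line in (l.strip() for l in config.splitlines()):
        if not line or line.startswith("!"):
            continue
        if m := BLOCK_RE.match(line):        # a new top-level block starts here
            kind, name = m.groups()
            continue
        if m := APPLY_RE.match(line):        # service-policy binds a policy-map
            applied[m.group(1)].append(m.group(2))
            kind = None
            continue
        if kind == "http-map":
            if m := re.match(r"port-misuse\s+(im|p2p)\s+action\s+drop", line):
                drops[name].add(m.group(1))
        elif kind == "policy-map":
            if m := re.match(r"inspect\s+http\s+(\S+)", line):
                pm_http[name].add(m.group(1))
    return dict(drops), dict(pm_http), dict(applied)

def im_block_coverage(config):
    """For each http-map that drops IM, list where it is enforced; an empty
    list means the map is defined but no applied policy-map inspects with it."""
    drops, pm_http, applied = parse_mpf(config)
    return {hm: sorted(where for pm, maps in pm_http.items() if hm in maps
                       for where in applied.get(pm, []))
            for hm, kinds in drops.items() if "im" in kinds}
```

An http-map that comes back with an empty list is the first thing to look at when the IM block "does nothing": the map is present but never reaches an interface.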

I tried the following and it didn't block MS Messenger... Am I missing something?

http-map inbound_http
content-length min 100 max 2000 action reset log
content-type-verification match-req-rsp action reset log
max-header-length request 100 action reset log
max-uri-length 100 action reset log
port-misuse p2p action drop
port-misuse im action drop
port-misuse default action allow
class-map http_port
match port tcp eq www
class-map http_port8080
match port tcp eq 8080
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
policy-map inbound_policy
class http_port
inspect http inbound_http
!
service-policy global_policy global
service-policy inbound_policy interface outside

Greg MacDonald

I was able to use the following to block MS Messenger, but I had to put in a range of 500-3000; it wouldn't work if I just inspected port 80.

Has anyone successfully blocked IM using the application inspection for port 80?

http-map block-im
strict-http action drop log
port-misuse p2p action drop log
port-misuse im action drop log
port-misuse default action allow
!
class-map http_port
match port tcp range 500 3000
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
class http_port
inspect http block-im
!
service-policy global_policy global

Greg

Hi guys, this configuration works for me.

access-list inside_mpc_in_V1 extended deny tcp object-group Messenger_Permit any eq www
access-list inside_mpc_in_V1 extended permit tcp any any eq www
object-group network Messenger_Permit
description Grupo para usuarios permitidos a entrar en el Messenger
network-object Asist_Rector 255.255.255.255
network-object Astor 255.255.255.255
network-object 10.0.6.52 255.255.255.255
network-object Jesus 255.255.255.255
network-object host Joan
network-object Almirante 255.255.255.255
network-object Capitan 255.255.255.255
network-object Charles 255.255.255.255
network-object Cap_Michel 255.255.255.255
network-object Sec_ext 255.255.255.255
network-object Mata 255.255.255.255
http-map msn
strict-http action allow log
content-type-verification match-req-rsp action allow log
port-misuse default action drop log
class-map global-class
match default-inspection-traffic
class-map inside-class1
match access-list inside_mpc_in_V1
!
!
policy-map global-policy
class global-class
inspect sqlnet
inspect h323 ras
inspect xdmcp
inspect tftp
inspect icmp error
inspect rtsp
inspect sunrpc
inspect mgcp
inspect esmtp
inspect sip
inspect netbios
inspect pptp
inspect ctiqbe
inspect snmp
inspect icmp
inspect rsh
inspect ftp
inspect ils
inspect h323 h225
inspect dns
inspect skinny
policy-map inside-policy
class inside-class1
inspect http msn
!
service-policy global-policy global
service-policy inside-policy interface inside

I hope that works for you.

Regards

Hello Franco, I can send you my configuration details... is that all right?