Cisco Support Community

Blocking Instant Messenger Ports/Protocols

I am going to be getting a PIX 515E Firewall shortly, and one of the things I am looking to do, if possible, is block AOL Instant Messenger, Yahoo Messenger, MSN Messenger, ICQ, Kazaa and such. The problem I'm seeing is that, at least with AIM, the program has a default port, but looks for another open port if the default isn't available. Is there a way to have the PIX block AIM, MSN, Yahoo, or ICQ, or Kazaa based on the protocol, not the port number?

Thanks

Dave

2 REPLIES
New Member

Re: Blocking Instant Messenger Ports/Protocols

I, too, have a PIX 515. It took me works to successfully block AOL IM, Yahoo IM, ICQ, and MSN IM. Below are the deny statements that I use. It works. Blocking Yahoo was a bi$ch.... I stopped counting at 90 as to the number of servers that application was connecting to. So, I blocked the entire subnet.

Oh, I also am blocking the port/protocol for the SQL Slammer stuff.

access-list ACLOUT deny udp any any eq 1434

access-list ACLOUT deny ip any host 64.12.161.153

access-list ACLOUT deny ip any host 64.12.161.185

access-list ACLOUT deny ip any host 64.58.77.57

access-list ACLOUT deny ip any host 66.163.169.143

access-list ACLOUT deny ip any host 66.163.169.148

access-list ACLOUT deny ip any host 66.163.169.149

access-list ACLOUT deny ip any host 66.163.169.150

access-list ACLOUT deny ip any host 66.163.169.212

access-list ACLOUT deny ip any host 66.163.169.213

access-list ACLOUT deny ip any host 66.163.172.117

access-list ACLOUT deny ip any host 66.163.175.128

access-list ACLOUT deny ip any host 204.71.200.37

access-list ACLOUT deny ip any host 204.71.201.134

access-list ACLOUT deny ip any host 204.71.201.141

access-list ACLOUT deny ip any host 204.71.200.36

access-list ACLOUT deny ip any host 207.46.104.20

access-list ACLOUT deny ip any 216.136.0.0 255.255.0.0
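How a deny list like the one above is evaluated, as an added example that is not part of the original post: a small Python evaluator for this ACL syntax, using first-match semantics with the implicit deny at the end. It uses a subset of the posted entries; the trailing permit line, the function names and the sample flows are assumptions constructed for illustration.

```python
import ipaddress

# Subset of the ACL from the reply above. The final permit line is an assumption
# (not in the post) so that non-matching traffic is not caught by the implicit deny.
ACL = """\
access-list ACLOUT deny udp any any eq 1434
access-list ACLOUT deny ip any host 64.12.161.153
access-list ACLOUT deny ip any host 66.163.169.150
access-list ACLOUT deny ip any 216.136.0.0 255.255.0.0
access-list ACLOUT permit ip any any
"""

def _addr(tok, i):
    """Consume one PIX address spec starting at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # PIX ACLs take a subnet mask here, not an IOS-style wildcard mask
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def parse(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        src, i = _addr(tok, 4)
        dst, i = _addr(tok, i)
        port = int(tok[i + 1]) if tok[i:i + 1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport):
    """First matching entry wins; nothing matching means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, rproto, rsrc, rdst, rport) in enumerate(rules, 1):
        if rproto not in ("ip", proto):
            continue
        if s in rsrc and d in rdst and rport in (None, dport):
            return action, n
    return "deny", None  # implicit deny at the end of every ACL

if __name__ == "__main__":
    # Constructed flow: a destination that is not on the deny list
    print(evaluate(parse(ACL), "tcp", "10.0.0.5", "198.51.100.7", 5050))
```

A destination that is not listed falls through to the permit entry, so an address-based list only covers the servers known when it was written; without a permit entry, every flow that matches no deny line still hits the implicit deny.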

New Member

Re: Blocking Instant Messenger Ports/Protocols

Dear dkramkowski

Do you apply these access-lists on the inside interface?

Do we need to create any access-list for the outside interface? There is an implicit deny ip any any at outside.

Rgds
