04-01-2006 03:36 AM - edited 03-09-2019 02:29 PM
I have a 506E PIX Firewall with version 6.3(4). I want to block the MSN and Yahoo Messenger services for LAN users. For this I applied an access list on the inside interface:
access-list 111 deny tcp host 10.0.0.x any eq 1863 (MSN port)
and for Yahoo 5050.
access-list 111 permit ip host 10.0.0.x any (permit all other traffic for this host)
After that, the access-list hit counts show that the condition is matched, but the user is still able to connect to MSN & Yahoo.
Regards,
Mujeeb
04-01-2006 10:07 AM
There is a problem: if those messengers are not able to use their default ports they move to TCP 80, and this is open on most networks.
So you need to block the messengers' (destination) servers.
1) object groups with ports for MSN:
object-group service MSN_Messenger_tcp tcp
description MSN Messenger tries to use these ports
port-object eq www
port-object eq 1863
port-object eq 7001
2) object group for MSN servers
object-group network MSN_Messenger_hosts
description hosts that MSN Messenger lives on
network-object 65.54.195.0 255.255.255.0
network-object 65.54.225.0 255.255.255.0
network-object 65.54.226.0 255.255.254.0
network-object 65.54.228.0 255.255.254.0
network-object host 65.54.240.61
network-object host 65.54.240.62
network-object 207.46.104.0 255.255.252.0
network-object 207.46.108.0 255.255.255.0
network-object 207.68.171.0 255.255.255.0
3) Access-list to block Microsoft Messenger with those object groups
access-list acl-inside deny tcp any object-group MSN_Messenger_hosts object-group MSN_Messenger_tcp
4) Block Yahoo instant messenger servers
access-list acl-inside deny ip any host 64.58.78.228
access-list acl-inside deny ip any host 66.163.172.50
access-list acl-inside deny ip any host 66.163.172.51
access-list acl-inside deny ip any host 216.136.232.154
access-list acl-inside deny ip any host 64.58.78.227
NOTE:
Maybe the server list is not up to date, so if the messengers still work, check the firewall logs, where you can find some new servers.
M.
Hope that helps, rate if it does
04-01-2006 11:22 PM
Hi
I have been facing the same kind of MSN block problem.
I put the configuration as you mentioned, but I cannot browse any site.
access-list outbound permit icmp any any
access-list outbound deny tcp any object-group MSN_Messenger_hosts object-group MSN_Messenger_tcp
access-list outbound permit tcp any eq www any
access-list outbound permit tcp any eq smtp any
access-list outbound permit tcp any eq pop3 any
access-list outbound permit tcp any eq ftp any
access-list outbound permit tcp any eq pptp any
access-list outbound permit tcp any eq 1701 any
access-list outbound permit tcp any eq 1247 any
access-list outbound permit udp any eq 1723 any
access-list outbound permit udp any eq 1247 any
Whenever I put the ACL:
access-list outbound permit ip any any
Then I can browse and am also able to connect to the MSN service.
Please provide your suggestion.
04-01-2006 11:58 PM
Hello
Looks like you're missing DNS in your outbound ACL, and your ACL looks backwards. Did you try to convert a conduit statement? ACLs are formatted as follows:
access-list (name of acl) (permit or deny) (protocol) (source ip or network) (source port optional) (destination ip) (destination port optional)
access-list outbound permit tcp any any eq www
access-list outbound permit tcp any any eq smtp
access-list outbound permit tcp any any eq pop3
access-list outbound permit tcp any any eq ftp
access-list outbound permit tcp any any eq pptp
access-list outbound permit tcp any any eq 1701
access-list outbound permit tcp any any eq 1247
access-list outbound permit udp any any eq 1723
access-list outbound permit udp any any eq 1247
access-list outbound permit udp any any eq 53
Hope this helps.
Patrick
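The ACE layout Patrick gives above, as an added Python example that is not part of the thread: a small PIX-style first-match evaluator that parses `access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]` lines positionally, expands the thread's object groups (the network list is shortened here), and falls through to the implicit deny. It shows why `permit tcp any eq www any` (source port 80) never matches a client's outbound web request while `permit tcp any any eq www` does, and why Mujeeb's port-1863 deny is bypassed by a fallback to port 80. Client and server addresses in the assertions are constructed.

```python
import ipaddress
# Port keywords PIX accepts in place of numbers (the ones used in this thread).
PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "ftp": 21, "pptp": 1723, "domain": 53}
# Object groups as defined earlier in the thread (network list shortened for the example).
NET_GROUPS = {"MSN_Messenger_hosts": ["65.54.195.0 255.255.255.0", "207.46.104.0 255.255.252.0"]}
SVC_GROUPS = {"MSN_Messenger_tcp": {80, 1863, 7001}}

def _nets(tok):
    """Consume one address term (any | host A | object-group G | A MASK); return (networks, rest)."""
    if tok[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tok[1:]
    if tok[0] == "host":
        return [ipaddress.ip_network(tok[1])], tok[2:]
    if tok[0] == "object-group":
        return [ipaddress.ip_network(n.replace(" ", "/")) for n in NET_GROUPS[tok[1]]], tok[2:]
    return [ipaddress.ip_network(tok[0] + "/" + tok[1])], tok[2:]

def _ports(tok):
    """Consume an optional port term (eq P | object-group SVC); None means any port."""
    if tok and tok[0] == "eq":
        return {PORT_NAMES.get(tok[1]) or int(tok[1])}, tok[2:]
    if tok and tok[0] == "object-group" and tok[1] in SVC_GROUPS:
        return SVC_GROUPS[tok[1]], tok[2:]
    return None, tok

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P] ...' positionally."""
    tok = line.split()
    ace = {"action": tok[2], "proto": tok[3]}
    rest = tok[4:]
    ace["src"], rest = _nets(rest)      # source address, then optional SOURCE port
    ace["sport"], rest = _ports(rest)
    ace["dst"], rest = _nets(rest)      # destination address, then optional DESTINATION port
    ace["dport"], rest = _ports(rest)
    return ace

def evaluate(acl, proto, src, sport, dst, dport):
    """First matching ACE wins; an unmatched flow hits the implicit deny at the end of a PIX ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in map(parse_ace, acl):
        if a["proto"] not in (proto, "ip"):
            continue
        if not (any(s in n for n in a["src"]) and any(d in n for n in a["dst"])):
            continue
        if a["sport"] is not None and sport not in a["sport"]:
            continue
        if a["dport"] is not None and dport not in a["dport"]:
            continue
        return a["action"]
    return "deny"
```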
04-02-2006 01:06 AM
Patrick
Thanks for your suggestion
I have put the configuration you mentioned.
Now I can browse and also block the MSN service.
But one problem is that I could not access Yahoo, Hotmail or Gmail mail after putting in the user name and password.
The logon screen was displayed.
Please provide your valuable suggestion.
Thanks
Reza
04-02-2006 01:03 PM
Hi guys,
I have had better success using an ordinary router and NBAR. NBAR recognises this application because it goes beyond the network layer. You can use MQC (Modular QoS Command-Line) to match and drop this traffic.
04-02-2006 01:35 PM
That is true; it's a bit less simple but effective with that approach. Although with some of the ASA enhancements it's supposed to look deeper and be able to block on messenger protocols.
Patrick
04-02-2006 09:04 PM
Can you please provide the MQC commands for a PIX 515E for blocking the MSN service?
Thanks
Reza
04-03-2006 10:21 PM
MQC doesn't work on a PIX; it's Modular QoS Commands for a router.
As for your question about having problems connecting out with the access-list, I didn't really see anything in your config, unless some of the MSN Messenger servers overlap with the Hotmail servers.
Are you being blocked completely from the Hotmail sites, or does it partially load?
Patrick
04-03-2006 10:51 PM
I just want to block only MSN Messenger for some internal users.
Thanks
Reza
04-04-2006 09:01 AM
Reza,
Here is what you can do: add a deny any any at the end of your access-list and set up a logging server with Kiwi Syslog. Send your syslog messages to your server; from there it should show you what is being blocked going to MSN. Replace x.x.x.x with the IP of your logging server.
logging on
logging monitor debugging
logging host inside x.x.x.x
and I can't remember if you need this if you're logging to the syslog to monitor your ACL.
debug access-list all
I'm travelling so I don't have access to my lab equipment.
Hope this helps
Patrick
04-04-2006 09:14 AM
Reza,
I was thinking another thing you could do is open your connection to Hotmail and while doing it issue the command "show conn" to see what ports you're using at that time. Of course you'll need that permit any any at that point to make sure it's allowing the connections to be opened.
Patrick
04-04-2006 09:44 AM
You could also set your PIX syslog server to send traps every time your computer connects out to the internet.
access-list outbound permit icmp any any
access-list outbound deny tcp any object-group MSN_Messenger_hosts object-group MSN_Messenger_tcp
access-list outbound permit tcp any any eq www
access-list outbound permit tcp any any eq smtp
access-list outbound permit tcp any any eq pop3
access-list outbound permit tcp any any eq ftp
access-list outbound permit tcp any any eq pptp
access-list outbound permit tcp any any eq 1701
access-list outbound permit tcp any any eq 1247
access-list outbound permit udp any any eq 1723
access-list outbound permit udp any any eq 1247
access-list outbound permit udp any any eq domain
access-list outbound permit tcp any any eq domain
access-list outbound permit ip host z.z.z.z any log informational interval 120 ! substitute z.z.z.z with the IP address of your client going to Hotmail.
logging host inside x.x.x.x ! put your logging server in here
logging trap info
Patrick
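The syslog approach Patrick describes (a per-client `log informational interval 120` ACE plus a syslog host), as an added Python example that is not from the thread: it parses the %PIX-6-106100 ACL hit messages a PIX 6.3 emits for logged ACEs and summarises, per inside client, which destination hosts and ports were permitted or denied, which is what is needed to see what webmail actually uses before tightening the ACL. The log lines are constructed samples, not real captures.

```python
import re
from collections import Counter

# %PIX-6-106100 is the message a "log" ACE produces (PIX 6.3 format); the trailing hash values are ignored.
ACL_LOG = re.compile(
    r"%PIX-6-106100: access-list (?P<acl>\S+) (?P<verdict>permitted|denied) (?P<proto>\w+) "
    r"(?P<sif>\w+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>\w+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

# Constructed sample syslog lines (not real captures): one inside client opening webmail
# while the outbound ACL also denies a messenger connection to a host in MSN_Messenger_hosts.
SAMPLE = """\
Apr 05 2006 09:12:01: %PIX-6-106100: access-list outbound permitted tcp inside/172.20.1.100(1041) -> outside/203.0.113.10(80) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Apr 05 2006 09:12:03: %PIX-6-106100: access-list outbound permitted tcp inside/172.20.1.100(1042) -> outside/203.0.113.11(443) hit-cnt 3 120-second interval [0x1a2b3c4d, 0x0]
Apr 05 2006 09:12:07: %PIX-6-106100: access-list outbound denied tcp inside/172.20.1.100(1043) -> outside/65.54.195.10(1863) hit-cnt 1 first hit [0x5e6f7a8b, 0x0]
Apr 05 2006 09:12:09: %PIX-6-106100: access-list outbound permitted udp inside/172.20.1.100(1044) -> outside/198.51.100.53(53) hit-cnt 2 120-second interval [0x9c0d1e2f, 0x0]
Apr 05 2006 09:12:11: %PIX-6-106100: access-list outbound permitted tcp inside/172.20.1.77(1501) -> outside/203.0.113.10(80) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
"""

def parse_acl_logs(text):
    """Yield one dict per 106100 line; lines that are not ACL hit messages are skipped."""
    for line in text.splitlines():
        m = ACL_LOG.search(line)
        if m:
            rec = m.groupdict()
            for k in ("sport", "dport", "hits"):
                rec[k] = int(rec[k])
            yield rec

def destinations_for(text, client):
    """Sum hit counts per (verdict, proto, dst, dport) for one inside client. hit-cnt is the
    number of matches reported for the interval, so it is summed rather than counting lines."""
    seen = Counter()
    for r in parse_acl_logs(text):
        if r["src"] == client:
            seen[(r["verdict"], r["proto"], r["dst"], r["dport"])] += r["hits"]
    return seen

def report(text, client):
    """Human-readable table, most-hit destinations first."""
    rows = destinations_for(text, client).most_common()
    return "\n".join(f"{v:9s} {p}/{d}:{port}  hits={n}" for (v, p, d, port), n in rows)

if __name__ == "__main__":
    print(report(SAMPLE, "172.20.1.100"))
```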
04-05-2006 03:28 AM
Patrick
Thanks for your suggestion.
I configured the syslog, which showed the port no. is 80 for Yahoo mail.
I can check mail and the MSN service whenever I put permit ip host x.x.x.x any;
otherwise not.
Another suggestion please.
Thanks
Reza
04-05-2006 09:43 PM
Hi
Still I have been facing the following problem from the PIX 515E:
1. Cannot check mail on Yahoo, Hotmail, Gmail,
but the logon screen is displayed.
Whenever I put "access-list outbound permit ip any any", everything is open, including MSN.
So I want to block only MSN.
Anyone help please.
Thanks
Reza
Following is the configuration:
PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol domain 53
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1701
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
object-group service MSN_Messenger_tcp tcp
description MSN Messenger tries to use these ports
port-object eq www
port-object eq 1863
port-object eq 7001
object-group network MSN_Messenger_hosts
description hosts that MSN Messenger lives on
network-object 65.54.195.0 255.255.255.0
network-object 65.54.225.0 255.255.255.0
network-object 65.54.226.0 255.255.254.0
network-object 65.54.228.0 255.255.254.0
network-object host 65.54.240.61
network-object host 65.54.240.62
network-object 207.46.104.0 255.255.252.0
network-object 207.46.108.0 255.255.255.0
network-object 207.68.171.0 255.255.255.0
access-list 102 permit icmp any any
access-list 102 permit tcp any host 172.16.3.10 eq pptp
access-list 102 permit udp any host 172.16.3.10 eq isakmp
access-list 102 permit udp any host 172.16.3.10 eq 1701
access-list 102 permit udp any host 172.16.3.10 eq 1723
access-list 102 permit tcp any host 172.16.3.10 eq ftp
access-list 102 permit tcp any host 172.16.3.10 eq www
access-list 102 permit gre any host 172.16.3.10
access-list 102 permit udp any host 172.16.3.10 eq 1247
access-list outbound permit icmp any any
access-list outbound deny tcp any object-group MSN_Messenger_hosts object-group MSN_Messenger_tcp
access-list outbound permit tcp any any eq www
access-list outbound permit tcp any any eq smtp
access-list outbound permit tcp any any eq pop3
access-list outbound permit tcp any any eq ftp
access-list outbound permit tcp any any eq pptp
access-list outbound permit tcp any any eq 1701
access-list outbound permit tcp any any eq 1247
access-list outbound permit udp any any eq 1723
access-list outbound permit udp any any eq 1247
access-list outbound permit udp any any eq domain
access-list outbound permit tcp any any eq domain
pager lines 24
logging on
logging timestamp
logging standby
logging monitor notifications
logging buffered debugging
logging trap debugging
logging facility 23
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 172.16.3.10 255.255.255.0
ip address inside 172.20.1.65 255.255.0.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 102 in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 172.16.3.1 1