New Member

Blocking of MSN and Yahoo Messenger Services

I have a PIX 506E firewall running version 6.3(4). I want to block the MSN and Yahoo Messenger services for LAN users. For this I applied an access list on the inside interface:

access-list 111 deny tcp host 10.0.0.x any eq 1863 ( MSN port )

and likewise for Yahoo on port 5050.

access-list 111 permit ip host 10.0.0.x any ( Permit all other traffic for this host )

After that, the access-list hit counts show that the condition is matched, but the user is still able to connect to MSN & Yahoo.

Regards,

Mujeeb

22 REPLIES
Gold

Re: Blocking of MSN and Yahoo Messenger Services

The problem is that if those messengers are not able to use their default ports, they move to TCP 80, and this is open on most networks.

So you need to block the messengers' (destination) servers.

1) object groups with ports for MSN:

object-group service MSN_Messenger_tcp tcp

description MSN Messenger tries to use these ports

port-object eq www

port-object eq 1863

port-object eq 7001

2) object group for MSN servers

object-group network MSN_Messenger_hosts

description hosts that MSN Messenger lives on

network-object 65.54.195.0 255.255.255.0

network-object 65.54.225.0 255.255.255.0

network-object 65.54.226.0 255.255.254.0

network-object 65.54.228.0 255.255.254.0

network-object host 65.54.240.61

network-object host 65.54.240.62

network-object 207.46.104.0 255.255.252.0

network-object 207.46.108.0 255.255.255.0

network-object 207.68.171.0 255.255.255.0

3) Access-list to block Microsoft Messenger with those object groups

access-list acl-inside deny tcp any object-group MSN_Messenger_hosts object-group MSN_Messenger_tcp

4) Block Yahoo instant messenger servers

access-list acl-inside deny ip any host 64.58.78.228

access-list acl-inside deny ip any host 66.163.172.50

access-list acl-inside deny ip any host 66.163.172.51

access-list acl-inside deny ip any host 216.136.232.154

access-list acl-inside deny ip any host 64.58.78.227

NOTE:

Maybe the server list is not up to date, so if the messengers still work, check the firewall logs, where you can find some new servers.

M.

Hope that helps, rate if it does

New Member

Re: Blocking of MSN and Yahoo Messenger Services

Hi

I have been facing the same kind of MSN blocking problem.

I put the configuration as you mentioned, but I cannot browse any site.

access-list outbound permit icmp any any

access-list outbound deny tcp any object-group MSN_Messenger_hosts object-group MSN_Messenger_tcp

access-list outbound permit tcp any eq www any

access-list outbound permit tcp any eq smtp any

access-list outbound permit tcp any eq pop3 any

access-list outbound permit tcp any eq ftp any

access-list outbound permit tcp any eq pptp any

access-list outbound permit tcp any eq 1701 any

access-list outbound permit tcp any eq 1247 any

access-list outbound permit udp any eq 1723 any

access-list outbound permit udp any eq 1247 any

Whenever I put the ACL:

access-list outbound permit ip any any

then I can browse and am also able to connect to the MSN service.

Pls provide your suggestion.

Re: Blocking of MSN and Yahoo Messenger Services

Hello

Looks like you're missing DNS for your outbound ACL, and your ACL looks backwards. Did you try to convert a conduit statement? ACLs are formatted as follows:

access-list (name of acl) (permit or deny) (protocol) (source ip or network) (source port optional) (destination ip) (destination port optional)

access-list outbound permit tcp any any eq www

access-list outbound permit tcp any any eq smtp

access-list outbound permit tcp any any eq pop3

access-list outbound permit tcp any any eq ftp

access-list outbound permit tcp any any eq pptp

access-list outbound permit tcp any any eq 1701

access-list outbound permit tcp any any eq 1247

access-list outbound permit udp any any eq 1723

access-list outbound permit udp any any eq 1247

access-list outbound permit udp any any eq 53

Hope this helps.

Patrick
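The two points made so far, that a messenger denied on its own port falls back to TCP 80 (so a host-based deny on 1863 alone achieves nothing) and that an ACE written as `permit tcp any eq www any` keys on the source port and therefore matches nothing a browser sends, are both first-match ACL semantics. The following is an added example, not code from any poster in this thread: a small Python first-match evaluator for PIX 6.x-style access lists with `object-group` support. The configuration it parses is constructed for the example (10.0.0.5 stands in for the 10.0.0.x host in the question, 198.51.100.7 is a made-up web server, and the object groups are a subset of those in the first reply); the parser handles only the `any`, `host`, address/mask, `eq` and `object-group` forms used in this thread.

```python
"""First-match evaluator for PIX 6.x-style access lists (added example, not from the thread)."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
# Subset of the service names PIX accepts in place of port numbers.
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "pop3": 110,
              "ftp": 21, "domain": 53, "pptp": 1723}


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(t, i, groups):
    """Parse an address spec at t[i]: any | host A | A MASK | object-group NAME."""
    if t[i] == "any":
        return [ANY], i + 1
    if t[i] == "host":
        return [ipaddress.ip_network(f"{t[i + 1]}/32")], i + 2
    if t[i] == "object-group":
        return groups[t[i + 1]]["nets"], i + 2
    return [ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False)], i + 2


def _ports(t, i, groups):
    """Parse an optional port spec at t[i]: eq PORT | object-group SERVICE_GROUP."""
    if i < len(t) and t[i] == "eq":
        return {_port(t[i + 1])}, i + 2
    if i < len(t) and t[i] == "object-group" and groups[t[i + 1]]["type"] == "service":
        return set(groups[t[i + 1]]["ports"]), i + 2
    return None, i


def _parse_ace(t, groups):
    """t = [permit|deny, proto, SRC, [src port], DST, [dst port], ...]; trailing keywords such as 'log' are ignored."""
    src, i = _addr(t, 2, groups)
    sport, i = _ports(t, i, groups)
    dst, i = _addr(t, i, groups)
    dport, _ = _ports(t, i, groups)
    return {"action": t[0], "proto": t[1], "src": src, "sport": sport, "dst": dst, "dport": dport}


def parse_config(text):
    """Return (object_groups, acls) from PIX config text; unrelated lines are skipped."""
    groups, acls, current = {}, {}, None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "object-group":        # object-group network|service NAME [tcp]
            current = groups.setdefault(t[2], {"type": t[1], "nets": [], "ports": set()})
        elif t[0] == "network-object":    # network-object host A | A MASK
            nets, _ = _addr(t, 1, groups)
            current["nets"].extend(nets)
        elif t[0] == "port-object":       # port-object eq PORT
            current["ports"].add(_port(t[2]))
        elif t[0] == "access-list":
            acls.setdefault(t[1], []).append(_parse_ace(t[2:], groups))
    return groups, acls


def lookup(acl, proto, src, sport, dst, dport):
    """The first matching ACE decides; PIX denies anything that matches no ACE."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if not any(src in n for n in ace["src"]) or not any(dst in n for n in ace["dst"]):
            continue
        if ace["sport"] is not None and sport not in ace["sport"]:
            continue
        if ace["dport"] is not None and dport not in ace["dport"]:
            continue
        return ace["action"]
    return "deny"


def suspicious_source_ports(acl):
    """Lint: an ACE keyed on a well-known *source* port almost always has src and dst swapped."""
    return [ace for ace in acl if ace["sport"] and min(ace["sport"]) < 1024]


# Constructed configuration: 10.0.0.5 stands in for the 10.0.0.x host in the
# question, and the object groups are a subset of those in the first reply.
CONFIG = """\
object-group service MSN_Messenger_tcp tcp
 description MSN Messenger tries to use these ports
 port-object eq www
 port-object eq 1863
 port-object eq 7001
object-group network MSN_Messenger_hosts
 network-object 207.46.104.0 255.255.252.0
 network-object host 65.54.240.61
access-list 111 deny tcp host 10.0.0.5 any eq 1863
access-list 111 permit ip host 10.0.0.5 any
access-list backwards permit tcp any eq www any
access-list outbound deny tcp any object-group MSN_Messenger_hosts object-group MSN_Messenger_tcp
access-list outbound permit tcp any any eq www
access-list outbound permit udp any any eq domain
"""

if __name__ == "__main__":
    _, acls = parse_config(CONFIG)
    client, srv, web = "10.0.0.5", "207.46.104.20", "198.51.100.7"  # srv lies inside the MSN group
    print("111 -> messenger port 1863:  ", lookup(acls["111"], "tcp", client, 3066, srv, 1863))
    print("111 -> same server on 80:    ", lookup(acls["111"], "tcp", client, 3066, srv, 80))
    print("backwards -> web on 80:      ", lookup(acls["backwards"], "tcp", client, 3066, web, 80))
    print("outbound -> messenger on 80: ", lookup(acls["outbound"], "tcp", client, 3066, srv, 80))
    print("outbound -> web on 80:       ", lookup(acls["outbound"], "tcp", client, 3066, web, 80))
    print("ACEs keyed on a source port: ", len(suspicious_source_ports(acls["backwards"])))
```

Run it and the three situations in the thread reproduce: ACL 111 denies port 1863 but permits the same server on port 80, the "backwards" ACE leaves a normal browser connection (ephemeral source port, destination 80) on the implicit deny, and the object-group ACL denies the messenger network on 80 while still permitting other web servers. The lint helper is the check to run on any converted conduit before applying it.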

New Member

Re: Blocking of MSN and Yahoo Messenger Services

Patrick

Thanks for your suggestion.

I have put in the configuration you mentioned.

Now I am able to browse and also to block the MSN service.

But one problem is that I could not access Yahoo, Hotmail or Gmail mail after putting in the user name and password.

The logon screen was displayed.

Pls provide your valuable suggestion

Thanks

Reza

New Member

Re: Blocking of MSN and Yahoo Messenger Services

Hi guys,

I have had better success using an ordinary router and NBAR. NBAR recognises this application because it goes beyond the network layer. You can use MQC (Modular Quality of Service Command-Line) to match and drop this traffic.

Re: Blocking of MSN and Yahoo Messenger Services

That is true, it's a bit less simple but effective with that approach. Although with some of the ASA enhancements it's supposed to look deeper and be able to block on messenger protocols.

Patrick

New Member

Re: Blocking of MSN and Yahoo Messenger Services

Can you pls provide the MQC commands for the PIX 515E for blocking the MSN service?

Thanks

Reza

Re: Blocking of MSN and Yahoo Messenger Services

MQC doesn't work on a PIX; it's Modular QoS Commands for a router.

As for your question about having problems connecting out with the access-list, I didn't really see anything in your config, unless some of the MSN Messenger servers overlap with the Hotmail servers.

Are you being blocked completely from the Hotmail sites, or does it partially load?

Patrick

New Member

Re: Blocking of MSN and Yahoo Messenger Services

I just want to block only MSN Messenger for some internal users.

Thanks

Reza

Re: Blocking of MSN and Yahoo Messenger Services

Reza,

Here is what you can do: add a deny any any at the end of your access-list and set up a logging server with Kiwi Syslog. Send your syslog messages to your server; from there it should show you what is being blocked going to MSN. Replace x.x.x.x with the IP of your logging server.

logging on

logging monitor debugging

logging host inside x.x.x.x

and I can't remember if you need this if you are logging to the syslog to monitor your ACL.

debug access-list all

I'm travelling so I don't have access to my lab equipment.

Hope this helps

Patrick

Re: Blocking of MSN and Yahoo Messenger Services

Reza,

I was thinking another thing you could do is open your connection to Hotmail and, while doing it, issue the command "show conn" to see what ports you're using at that time. Of course you'll need that permit any any at that point to make sure it's allowing the connections to be opened.

Patrick

Re: Blocking of MSN and Yahoo Messenger Services

You could also set your PIX syslog server to send traps every time your computer connects out to the internet.

access-list outbound permit icmp any any

access-list outbound deny tcp any object-group MSN_Messenger_hosts object-group MSN_Messenger_tcp

access-list outbound permit tcp any any eq www

access-list outbound permit tcp any any eq smtp

access-list outbound permit tcp any any eq pop3

access-list outbound permit tcp any any eq ftp

access-list outbound permit tcp any any eq pptp

access-list outbound permit tcp any any eq 1701

access-list outbound permit tcp any any eq 1247

access-list outbound permit udp any any eq 1723

access-list outbound permit udp any any eq 1247

access-list outbound permit udp any any eq domain

access-list outbound permit tcp any any eq domain

access-list outbound permit ip host z.z.z.z any log informational interval 120 !substitute z.z.z.z with the ip address of your client going to hotmail.

logging host inside x.x.x.x !put your logging server in here

logging trap info

Patrick
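The syslog approach in the last few replies (a trailing deny plus a logging host, or a per-client permit with the `log informational interval 120` keyword) only pays off if the messages are reduced to "which destinations and ports did this client hit, and which were denied". The script below is an added example, not code from any poster in this thread, that does that reduction for the two message types a PIX 6.x generates here: %PIX-6-106100 for ACEs with the `log` keyword and %PIX-4-106023 for packets dropped by an access-group without it, using the documented formats of those messages. The log lines are constructed for the example (172.20.1.50 and 172.20.1.60 are made-up clients on the inside /16 from the posted config, 198.51.100.9 is a made-up mail server); the messenger addresses are the ones discussed in the thread.

```python
"""Summarise PIX access-list syslog events by destination (added example, not from the thread)."""
import re
from collections import Counter

# %PIX-6-106100: emitted by ACEs carrying the "log" keyword, for permits and denies.
RE_106100 = re.compile(
    r"%PIX-6-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<sif>\w+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>\w+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)")
# %PIX-4-106023: emitted for packets dropped by an access-group ACE without "log".
RE_106023 = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')


def parse_line(line):
    """Return one ACL event as a dict, or None for syslog lines that are not ACL events."""
    m = RE_106100.search(line)
    if m:
        ev = m.groupdict()
        ev["action"] = "permit" if ev["action"] == "permitted" else "deny"
        ev["hits"] = int(ev["hits"])
    else:
        m = RE_106023.search(line)
        if not m:
            return None
        ev = m.groupdict()
        ev["action"], ev["hits"] = "deny", 1
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev


def summarise(lines, client=None):
    """Sum hits per (destination, port) for permits and denies, optionally for one client IP."""
    out = {"permit": Counter(), "deny": Counter()}
    for line in lines:
        ev = parse_line(line)
        if ev is None or (client is not None and ev["src"] != client):
            continue
        out[ev["action"]][(ev["dst"], ev["dport"])] += ev["hits"]
    return out


def candidate_hosts(summary, port=80, known_good=()):
    """Destinations reached on `port` that are not known-good (mail/web) hosts: these are
    what a messenger that fell back to TCP 80 was talking to, i.e. candidates for the
    network object-group."""
    return sorted(dst for (dst, p) in summary["permit"] if p == port and dst not in known_good)


# Constructed syslog lines in the documented PIX 106100 / 106023 / 305011 formats.
SAMPLE_LOG = """\
Jan 10 2006 09:12:01 pix-01 %PIX-6-106100: access-list outbound permitted tcp inside/172.20.1.50(3066) -> outside/207.46.104.20(80) hit-cnt 1 (first hit) [0x2e3f5c1a, 0x0]
Jan 10 2006 09:12:03 pix-01 %PIX-6-106100: access-list outbound permitted tcp inside/172.20.1.50(3071) -> outside/65.54.239.21(80) hit-cnt 3 (120-second interval) [0x2e3f5c1a, 0x0]
Jan 10 2006 09:12:05 pix-01 %PIX-6-106100: access-list outbound permitted tcp inside/172.20.1.50(3072) -> outside/198.51.100.9(443) hit-cnt 2 (120-second interval) [0x2e3f5c1a, 0x0]
Jan 10 2006 09:12:06 pix-01 %PIX-6-305011: Built dynamic TCP translation from inside:172.20.1.50/3072 to outside:172.16.3.10/1025
Jan 10 2006 09:12:08 pix-01 %PIX-4-106023: Deny tcp src inside:172.20.1.50/3080 dst outside:207.46.104.20/1863 by access-group "outbound"
Jan 10 2006 09:12:09 pix-01 %PIX-4-106023: Deny tcp src inside:172.20.1.60/3090 dst outside:207.46.104.20/1863 by access-group "outbound"
"""

if __name__ == "__main__":
    s = summarise(SAMPLE_LOG.splitlines(), client="172.20.1.50")
    for action in ("permit", "deny"):
        for (dst, port), hits in sorted(s[action].items()):
            print(f"{action:6} {dst}:{port} hits={hits}")
    print("object-group candidates on tcp/80:", candidate_hosts(s, 80, known_good={"198.51.100.9"}))
```

Feed it the Kiwi log file for the client being tested: denies on 1863 confirm the object-group is working, and the permitted port-80 destinations that are not the mail sites are the networks to add, which is the same information the later netstat suggestion yields from the client side.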

New Member

Re: Blocking of MSN and Yahoo Messenger Services

Patrick

Thanks for your suggestion.

I configured the syslog, which showed that the port no. is 80 for Yahoo mail.

I can check mail and the MSN service whenever I put permit ip host x.x.x.x any,

otherwise not.

Another suggestion pls

Thanks

Reza

New Member

Re: Blocking of MSN and Yahoo Messenger Services

Hi

I am still facing the following problem with the PIX 515E:

1. Cannot check mail of Yahoo, Hotmail, Gmail, but the logon screen is displayed.

Whenever I put "access-list outbound permit ip any any", then everything is open, including MSN.

So I want to block only MSN.

Can anyone help pls

Thanks

Reza

Following is the configuration:

PIX Version 6.3(1)

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

fixup protocol domain 53

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol pptp 1701

fixup protocol pptp 1723

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

object-group service MSN_Messenger_tcp tcp

description MSN Messenger tries to use these ports

port-object eq www

port-object eq 1863

port-object eq 7001

object-group network MSN_Messenger_hosts

description hosts that MSN Messenger lives on

network-object 65.54.195.0 255.255.255.0

network-object 65.54.225.0 255.255.255.0

network-object 65.54.226.0 255.255.254.0

network-object 65.54.228.0 255.255.254.0

network-object host 65.54.240.61

network-object host 65.54.240.62

network-object 207.46.104.0 255.255.252.0

network-object 207.46.108.0 255.255.255.0

network-object 207.68.171.0 255.255.255.0

access-list 102 permit icmp any any

access-list 102 permit tcp any host 172.16.3.10 eq pptp

access-list 102 permit udp any host 172.16.3.10 eq isakmp

access-list 102 permit udp any host 172.16.3.10 eq 1701

access-list 102 permit udp any host 172.16.3.10 eq 1723

access-list 102 permit tcp any host 172.16.3.10 eq ftp

access-list 102 permit tcp any host 172.16.3.10 eq www

access-list 102 permit gre any host 172.16.3.10

access-list 102 permit udp any host 172.16.3.10 eq 1247

access-list outbound permit icmp any any

access-list outbound deny tcp any object-group MSN_Messenger_hosts object-group MSN_Messenger_tcp

access-list outbound permit tcp any any eq www

access-list outbound permit tcp any any eq smtp

access-list outbound permit tcp any any eq pop3

access-list outbound permit tcp any any eq ftp

access-list outbound permit tcp any any eq pptp

access-list outbound permit tcp any any eq 1701

access-list outbound permit tcp any any eq 1247

access-list outbound permit udp any any eq 1723

access-list outbound permit udp any any eq 1247

access-list outbound permit udp any any eq domain

access-list outbound permit tcp any any eq domain

pager lines 24

logging on

logging timestamp

logging standby

logging monitor notifications

logging buffered debugging

logging trap debugging

logging facility 23

mtu outside 1500

mtu inside 1500

mtu intf2 1500

ip address outside 172.16.3.10 255.255.255.0

ip address inside 172.20.1.65 255.255.0.0

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group 102 in interface outside

access-group outbound in interface inside

route outside 0.0.0.0 0.0.0.0 172.16.3.1 1

Re: Blocking of MSN and Yahoo Messenger Services

Reza,

I just realized that you're missing 443 for the secure part of the Hotmail sign-in. Add the following line to the end of your outbound ACL.

access-list outbound permit tcp any any eq 443

I just tested this on my lab 501 and it works with your exact config above with a few changes for my public ips.

Patrick

New Member

Re: Blocking of MSN and Yahoo Messenger Services

Hi,

Could you please share with me how you block MSN and Yahoo chat using NBAR? When I have a look in my router I don't find any match for these protocols.

Thanks

New Member

Re: Blocking of MSN and Yahoo Messenger Services

Hi Patrick

I put this ACL

"access-list outbound permit tcp any any eq https"

but I am able to log on to both Yahoo and MSN;

it did not restrict MSN.

Mine is a PIX 515E, version 6.3(1).

Pls provide another suggestion.

Thanks

Reza

Re: Blocking of MSN and Yahoo Messenger Services

Reza,

Add the network 207.46.1.0/24 to your Messenger hosts.

object-group network MSN_Messenger_hosts

network-object 207.46.1.0 255.255.255.0

Once you've added that line it should be blocking MSN Messenger. If you're still having problems with that, start MSN Messenger on your computer and type in netstat in a command prompt. If MSN Messenger connects it should show something like:

TCP myhost:3066 baym-gw1.msgr.hotmail.com:http ESTABLISHED

TCP myhost:3082 baym-gw9.msgr.hotmail.com:http ESTABLISHED

Find out what baym-gw"X".msgr.hotmail.com resolves to and add that network to your MSN Messenger hosts object group.

Patrick

New Member

Re: Blocking of MSN and Yahoo Messenger Services

All this is great for MSN Messenger,

anybody got a clue on blocking the Yahoo Messenger? I did my MSN Messenger on an ISA firewall, real easy and straightforward since the blocking is based on the Messenger using headers...

could not find anything with regard to Yahoo Messenger..

cheers

Vic

New Member

Re: Blocking of MSN and Yahoo Messenger Services

Patrick

Thanks again for your co-operation.

I put network-object 65.54.0.0 255.255.0.0

Then MSN was blocked and I was also able to connect to Yahoo and Gmail mail,

but one problem: I could not browse Hotmail.

Another comments pls

Thanks

Reza

Re: Blocking of MSN and Yahoo Messenger Services

Hmmm,

Well, 65.54.0.0 255.255.0.0 is a bit large; there could be a lot of servers that you're blocking in this range.

You really just need to do a netstat while connected to MSN Messenger to see where you're connecting to for messenger servers on your local PC.

Add those servers or server networks into your Messenger hosts and that should take care of it.

Patrick

New Member

Re: Blocking of MSN and Yahoo Messenger Services

Hi Patrick

I put "network-object 65.54.239.0 255.255.255.0"

This blocked MSN and I am able to connect to Hotmail.

Thanks very much for your extraordinary co-operation

Thanks

Reza
