Bloking Messengers

kthned · ‎09-22-2005

Hi All

I have a PIX 515E installed in my network having 150 PC. And I want to block MSN and yahoo for all users except for some particular user.Can u tell me how ca i block this thru PIX.

Thanks.

igorj · ‎09-23-2005

Enclosed are most of the ports these IMs are

using and basic ACL example.

For further info, please send what kind

of network scenario are you using, e.g. direct

access for clients and/or NAT for some/all of them

etc.

Ports used for YM and MSN IMs:

Yahoo Messenger

TCP 5000 5001 5100

UDP 5055

MSN

TCP 1863 6891 - 6901

UDP 1863 5190 6901

Basic ACL should look like:

access-list im_block deny tcp any any range 6891 6900

...

access-group im_block in interface EGRESS_IF

/Igor

Patrick Iseli · ‎09-23-2005

MSN Messenger uses a varity of ports and protocols and is very adaptable. Is can ise Proxy settings, http or https and others. It thakes what ever is available !

MSN Messenger ports and IP's:

o 1863 (outbound TCP)

o 5060 for Session Initiation Protocol (SIP) (TCP)

o 1503 for Audio/Video, File Sharing and White Board (TCP)

o 6891-6900 for File Transfer (TCP)

o 3389 for Remote Assistance (TCP)

o UDP: 1503, 3389, 5004-65535

o IP Range 64.4.13.0/24

So on the PIX that would equate to:

example config:

access-list outbound deny tcp any any eq 1863

access-list outbound deny ip any 64.4.13.0 255.255.255.0

access-list outbound permit ip any any

access-group outbound in interface inside

sincerely

Patrick

kthned · ‎09-25-2005

Thanks Patrick for ur valuable reply, I hav a very simple scenario in which there is a Proxy server and a firewall , but i want to block MSN thru PIX. and i have to aloow MSN for some particular poool of IP address. say to 10.0.0.0/27 i.e for 30 users and block MSN and Yahoo for rest of the subnets.

Now wat i think , to block this

1. Make a for 10.0.0.0/27 to lets say 20.0.0.1

=> nat (inside) 1 10.0.0.0 255.255.255.224

=> global (outside) 1 20.0.0.1

2. Make a PAT for 10.0.0.0/8 to lets say 20.0.0.2

=> nat (inside) 2 10.0.0.0 255.0.0.0

=> global (outside) 2 20.0.0.2

3 Now Apply ACL like this

access-list outbound deny tcp host 20.0.0.2 any eq 1863

access-list outbound deny ip host 20.0.0.2 64.4.13.0 255.255.255.0

access-list outbound permit ip any any

access-group outbound in interface inside

Will this block the MSN ,

I want also to block Yahoo messenger

Thanks

Umair

Patrick Iseli · ‎09-26-2005

Umair,

First at all the inside access-list will contain the inside IP Network not the outside one.

Hmm I an not sure if this nat global will work as it is overlapping in the 10.0.0.0 block. Might be better to choose a netblock that is completly diffrent or at least will not overlapp.

example config:

access-list outbound permit tcp PermitedIPBlock 255.x.y.z any eq 1863

access-list outbound permit ip PermitedIPBlock 255.x.y.z 64.4.13.0 255.255.255.0

access-list outbound deny tcp any any eq 1863

access-list outbound deny ip any 64.4.13.0 255.255.255.0

access-list outbound permit ip any any

access-group outbound in interface inside

If you want just to allow the proxy server to leave for http and https you could even be more specific.

Example:

access-list outbound permit tcp host ProxyInsideIP any eq 80

access-list outbound permit tcp host ProxyInsideIP any eq 443

access-list outbound permit tcp host ProxyInsideIP any eq 21

access-list outbound deny tcp any any eq 80

access-list outbound deny tcp any any eq 443

access-list outbound deny tcp any any eq 21

access-list outbound permit tcp Permited-Inside-IPBlock 255.x.y.z any eq 1863

access-list outbound permit ip Permited-Inside-IPBlock 255.x.y.z 64.4.13.0 255.255.255.0

access-list outbound deny tcp any any eq 1863

access-list outbound deny ip any 64.4.13.0 255.255.255.0

.... Add there all other permited ports ....

access-group outbound in interface inside

sincerely

Patrick

kthned · ‎09-26-2005

Thanks for ur valuabe reply.

Yes Patrick u were right, but one thing to note that , In PIX if u do NATTING , the most specific IP address will translate first than less specific translation occurs.

regards

Umair

Patrick Iseli · ‎09-27-2005

Umair,

don't forget to block Yahoo ! And you could use object groups to simplify the access-lists.

object-group service Messenger-UDP udp

port-object eq 5055

object-group service Messenger-TCP tcp

port-object eq 5000

port-object eq 5001

port-object eq 5100

port-object eq 1863

object-group service Proxy-TCP tcp

port-object eq 80

port-object eq 443

port-object eq 21

access-list outbound permit tcp host ProxyInsideIP any object-group Proxy-TCP

access-list outbound deny tcp any any object-group Proxy-TCP

access-list outbound permit tcp Permited-Inside-IPBlock 255.x.y.z any object-group Messenger-TCP

access-list outbound permit udp Permited-Inside-IPBlock 255.x.y.z any object-group Messenger-UDP

access-list outbound permit ip Permited-Inside-IPBlock 255.x.y.z 64.4.13.0 255.255.255.0

access-list outbound deny tcp any any object-group Messenger-TCP

access-list outbound deny udp any any object-group Messenger-UDP

access-list outbound deny ip any 64.4.13.0 255.255.255.0

.... Add there all other permited ports ....

access-group outbound in interface inside

sincerely

Patrick

Click on Rate this Post to help identify the most useful NetPro content.

josky.jara · ‎02-09-2006

Hello Patrick, I'm in a similar situation (block messenger and allow messenger for a little group), I tried to follow yours instruccions without luck...

could you help me?

thanks

srue · ‎02-09-2006

If you have any IPS/IDS unit it would be much easier. do you have one?

josky.jara · ‎02-09-2006

No I don't have one

:(