
Cannot block messengers???

vikrantarora
Level 1

I have the following access lists on my PIX 6.2:

access-list acl_in deny tcp any any eq 1863 (hitcnt=0)
access-list acl_in deny udp any any eq 1863 (hitcnt=0)
access-list acl_in deny ip any 64.4.13.0 255.255.255.0 (hitcnt=0)
access-list acl_in deny ip any 64.4.0.0 255.255.0.0 (hitcnt=0)
access-list acl_in deny udp any any eq 5190 (hitcnt=0)
access-list acl_in deny udp any any eq 4000 (hitcnt=0)
access-list acl_in deny tcp any any eq 4000 (hitcnt=0)
access-list acl_in deny tcp any any eq aol (hitcnt=0)
access-list acl_in deny ip any host 64.12.161.153 (hitcnt=0)
access-list acl_in deny ip any host 64.12.161.53 (hitcnt=0)
access-list acl_in deny ip any host 64.12.161.185 (hitcnt=0)
access-list acl_in deny ip any host 216.136.233.128 (hitcnt=0)
access-list acl_in deny ip any host 216.136.224.142 (hitcnt=0)
access-list acl_in deny ip any host 216.136.225.238 (hitcnt=0)

access-list acl_out deny udp host 64.12.13.0 any
access-list acl_out deny udp any any eq 5190
access-list acl_out deny udp any any eq 1863
access-list acl_out deny tcp any any eq 1863
access-list acl_out deny udp any any eq 4000
access-list acl_out deny tcp any any eq 4000
access-list acl_out deny ip 64.4.13.0 255.255.255.0 any
access-list acl_out deny ip 64.4.0.0 255.255.0.0 any
access-list acl_out deny ip host 64.12.161.153 any
access-list acl_out deny ip host 64.12.161.53 any
access-list acl_out deny ip host 64.12.161.185 any
access-list acl_out deny ip host 216.136.233.128 any
access-list acl_out deny ip host 216.136.224.142 any
access-list acl_out deny ip host 216.136.225.238 any

But I am not able to block either Yahoo Messenger, MSN Messenger, AOL Messenger or ICQ. Why so??

The IP addresses above are for the following hosts:

cs.yahoo.com 216.136.233.128
scsa.yahoo.com 216.136.224.142
msg.edit.yahoo.com 216.136.225.238

msn
IP range 64.4.13.0/24 or 64.4.0.0 - 64.4.63.255

4 Replies

nsteup
Level 1

Hi there,

The access lists are not complete, are they? So where are your access-list permit statements placed? At the beginning or at the end of your ACLs? Did you bind the ACLs inbound to the interfaces? Perhaps it is possible to post a bit more of your config here.

Kind regards

Norbert

Pix-Admin1# show access-list
access-list acl_in;
access-list acl_in permit icmp any any 47 (hitcnt=0)
access-list acl_in deny ip host latoya any (hitcnt=0)
access-list acl_in deny ip any send4fun 255.255.255.0 (hitcnt=1251)
access-list acl_in deny ip any host 65.121.237.200 (hitcnt=91)
access-list acl_in permit tcp any any eq www (hitcnt=71610)
access-list acl_in permit tcp any any eq smtp (hitcnt=1821)
access-list acl_in permit tcp any any eq https (hitcnt=5763)
access-list acl_in permit tcp any any eq pop3 (hitcnt=2)
access-list acl_in permit tcp any any eq ftp (hitcnt=78)
access-list acl_in permit tcp any any eq 8888 (hitcnt=0)
access-list acl_in permit tcp any host venus eq 8000 (hitcnt=0)
access-list acl_in permit tcp any any eq telnet (hitcnt=16)
access-list acl_in permit tcp any any eq 8080 (hitcnt=92)
access-list acl_in permit tcp any host finaid eq 26581 (hitcnt=0)
access-list acl_in permit tcp any any eq 8001 (hitcnt=0)
access-list acl_in permit tcp host DNS-ECC any eq domain (hitcnt=1)
access-list acl_in permit tcp any any eq 18080 (hitcnt=0)
access-list acl_in permit ip host 204.142.253.227 any (hitcnt=0)
access-list acl_in permit tcp host 204.142.253.227 any (hitcnt=0)
access-list acl_in permit ip host chang any (hitcnt=0)
access-list acl_in permit tcp host chang any (hitcnt=0)
access-list acl_in permit tcp any host seddiki (hitcnt=0)
access-list acl_in permit ip any host seddiki (hitcnt=0)
access-list acl_in permit tcp host seddiki any (hitcnt=0)
access-list acl_in permit ip host 204.142.81.96 any (hitcnt=0)
access-list acl_in permit tcp host 204.142.81.96 any (hitcnt=0)
access-list acl_in deny tcp any x10 255.255.255.0 (hitcnt=0)
access-list acl_in permit tcp host LotusSrv any eq lotusnotes (hitcnt=78)
access-list acl_in permit udp host DNS-ECC any eq domain (hitcnt=102443)
access-list acl_in permit icmp any any (hitcnt=193)
access-list acl_in deny tcp any any eq 1863 (hitcnt=0)
access-list acl_in deny udp any any eq 1863 (hitcnt=0)
access-list acl_in deny ip any 64.4.13.0 255.255.255.0 (hitcnt=0)
access-list acl_in deny ip any 64.4.0.0 255.255.0.0 (hitcnt=0)
access-list acl_in deny udp any any eq 5190 (hitcnt=0)
access-list acl_in deny udp any any eq 4000 (hitcnt=0)
access-list acl_in deny tcp any any eq 4000 (hitcnt=0)
access-list acl_in deny tcp any any eq aol (hitcnt=0)
access-list acl_in deny ip any host 64.12.161.153 (hitcnt=0)
access-list acl_in deny ip any host 64.12.161.53 (hitcnt=0)
access-list acl_in deny ip any host 64.12.161.185 (hitcnt=0)
access-list acl_in deny ip any host 216.136.233.128 (hitcnt=0)
access-list acl_in deny ip any host 216.136.224.142 (hitcnt=0)
access-list acl_in deny ip any host 216.136.225.238 (hitcnt=0)
access-list acl_out;
access-list acl_out permit tcp any host LotusSrv eq lotusnotes (hitcnt=0)
access-list acl_out permit tcp any host venus eq www (hitcnt=538)
access-list acl_out permit udp any host DNS-ECC eq domain (hitcnt=8756)
access-list acl_out permit tcp any host websrv eq www (hitcnt=13190)
access-list acl_out permit tcp any host mail-81 eq smtp (hitcnt=6)
access-list acl_out permit tcp any host mail-89 eq smtp (hitcnt=6882)
access-list acl_out permit tcp any host webcam1 eq www (hitcnt=2)
access-list acl_out permit tcp any host venus eq https (hitcnt=3565)
access-list acl_out permit tcp any any eq ftp (hitcnt=0)
access-list acl_out permit icmp any any echo-reply (hitcnt=77)
access-list acl_out permit tcp any host DNS-ECC eq domain (hitcnt=3)
access-list acl_out permit tcp any host elecktra2 eq telnet (hitcnt=3)
access-list acl_out permit tcp any host mail-253 eq smtp (hitcnt=2)
access-list acl_out permit ip any host mobileman (hitcnt=167)
access-list acl_out permit tcp any host bookstore eq telnet (hitcnt=0)
access-list acl_out permit tcp any host elecktra2 eq 5500 (hitcnt=0)
access-list acl_out permit tcp any host mail-81 eq www (hitcnt=1035)
access-list acl_out permit tcp any host mail-81 eq pop3 (hitcnt=2)
access-list acl_out permit ip host nebraska host posadmin (hitcnt=0)
access-list acl_out permit tcp object-group innovative host elecktra2 object-group webopac_services
access-list acl_out permit tcp innovative1 255.255.255.0 host elecktra2 range 4440 4447 (hitcnt=0)
access-list acl_out permit tcp innovative1 255.255.255.0 host elecktra2 eq 2000 (hitcnt=0)
access-list acl_out permit tcp innovative1 255.255.255.0 host elecktra2 eq 4999 (hitcnt=0)
access-list acl_out permit tcp innovative1 255.255.255.0 host elecktra2 eq 4600 (hitcnt=0)
access-list acl_out permit tcp innovative1 255.255.255.0 host elecktra2 eq 1030 (hitcnt=0)
access-list acl_out permit tcp innovative1 255.255.255.0 host elecktra2 eq 8080 (hitcnt=0)
access-list acl_out permit tcp innovative1 255.255.255.0 host elecktra2 eq www (hitcnt=0)
access-list acl_out permit tcp innovative3 255.255.255.0 host elecktra2 range 4440 4447 (hitcnt=0)
access-list acl_out permit tcp innovative3 255.255.255.0 host elecktra2 eq 2000 (hitcnt=0)
access-list acl_out permit tcp innovative3 255.255.255.0 host elecktra2 eq 4999 (hitcnt=0)
access-list acl_out permit tcp innovative3 255.255.255.0 host elecktra2 eq 4600 (hitcnt=0)
access-list acl_out permit tcp innovative3 255.255.255.0 host elecktra2 eq 1030 (hitcnt=0)
access-list acl_out permit tcp innovative3 255.255.255.0 host elecktra2 eq 8080 (hitcnt=0)
access-list acl_out permit tcp innovative3 255.255.255.0 host elecktra2 eq www (hitcnt=0)
access-list acl_out permit tcp innovative4 255.255.255.0 host elecktra2 range 4440 4447 (hitcnt=0)
access-list acl_out permit tcp innovative4 255.255.255.0 host elecktra2 eq 2000 (hitcnt=0)
access-list acl_out permit tcp innovative4 255.255.255.0 host elecktra2 eq 4999 (hitcnt=0)
access-list acl_out permit tcp innovative4 255.255.255.0 host elecktra2 eq 4600 (hitcnt=0)
access-list acl_out permit tcp innovative4 255.255.255.0 host elecktra2 eq 1030 (hitcnt=0)
access-list acl_out permit tcp innovative4 255.255.255.0 host elecktra2 eq 8080 (hitcnt=0)
access-list acl_out permit tcp innovative4 255.255.255.0 host elecktra2 eq www (hitcnt=0)
access-list acl_out permit tcp innovative5 255.255.255.0 host elecktra2 range 4440 4447 (hitcnt=0)
access-list acl_out permit tcp innovative5 255.255.255.0 host elecktra2 eq 2000 (hitcnt=0)
access-list acl_out permit tcp innovative5 255.255.255.0 host elecktra2 eq 4999 (hitcnt=0)
access-list acl_out permit tcp innovative5 255.255.255.0 host elecktra2 eq 4600 (hitcnt=0)
access-list acl_out permit tcp innovative5 255.255.255.0 host elecktra2 eq 1030 (hitcnt=0)
access-list acl_out permit tcp innovative5 255.255.255.0 host elecktra2 eq 8080 (hitcnt=0)
access-list acl_out permit tcp innovative5 255.255.255.0 host elecktra2 eq www (hitcnt=0)
access-list acl_out permit tcp innovative6 255.255.255.0 host elecktra2 range 4440 4447 (hitcnt=0)
access-list acl_out permit tcp innovative6 255.255.255.0 host elecktra2 eq 2000 (hitcnt=0)
access-list acl_out permit tcp innovative6 255.255.255.0 host elecktra2 eq 4999 (hitcnt=0)
access-list acl_out permit tcp innovative6 255.255.255.0 host elecktra2 eq 4600 (hitcnt=0)
access-list acl_out permit tcp innovative6 255.255.255.0 host elecktra2 eq 1030 (hitcnt=0)
access-list acl_out permit tcp innovative6 255.255.255.0 host elecktra2 eq 8080 (hitcnt=0)
access-list acl_out permit tcp innovative6 255.255.255.0 host elecktra2 eq www (hitcnt=0)
access-list acl_out permit tcp innovative2 255.255.255.0 host elecktra2 range 4440 4447 (hitcnt=0)
access-list acl_out permit tcp innovative2 255.255.255.0 host elecktra2 eq 2000 (hitcnt=0)
access-list acl_out permit tcp innovative2 255.255.255.0 host elecktra2 eq 4999 (hitcnt=0)
access-list acl_out permit tcp innovative2 255.255.255.0 host elecktra2 eq 4600 (hitcnt=0)
access-list acl_out permit tcp innovative2 255.255.255.0 host elecktra2 eq 1030 (hitcnt=0)
access-list acl_out permit tcp innovative2 255.255.255.0 host elecktra2 eq 8080 (hitcnt=0)
access-list acl_out permit tcp innovative2 255.255.255.0 host elecktra2 eq www (hitcnt=0)
access-list acl_out permit tcp 209.11.72.128 255.255.255.224 host elecktra2 range 4440 4447 (hitcnt=0)
access-list acl_out permit tcp 209.11.72.128 255.255.255.224 host elecktra2 eq 2000 (hitcnt=0)
access-list acl_out permit tcp 209.11.72.128 255.255.255.224 host elecktra2 eq 4999 (hitcnt=0)
access-list acl_out permit tcp 209.11.72.128 255.255.255.224 host elecktra2 eq 4600 (hitcnt=0)
access-list acl_out permit tcp 209.11.72.128 255.255.255.224 host elecktra2 eq 1030 (hitcnt=0)
access-list acl_out permit tcp 209.11.72.128 255.255.255.224 host elecktra2 eq 8080 (hitcnt=0)
access-list acl_out permit tcp 209.11.72.128 255.255.255.224 host elecktra2 eq www (hitcnt=0)
access-list acl_out permit tcp any host elecktra2 eq www (hitcnt=239)
access-list acl_out permit ip any host ahmed (hitcnt=60)
access-list acl_out permit tcp any host ahmed (hitcnt=0)
access-list acl_dmz; 4 elements
access-list acl_dmz permit tcp any any eq www (hitcnt=0)
access-list acl_dmz permit tcp host venus any (hitcnt=17)
access-list acl_dmz permit ip host venus any (hitcnt=170)
access-list acl_dmz permit icmp any any (hitcnt=0)
access-list 100; 3 elements
access-list 100 permit ip 204.142.0.0 255.255.0.0 192.168.1.0 255.255.255.0 (hitcnt=0)
access-list 100 permit ip 192.231.0.0 255.255.0.0 192.168.1.0 255.255.255.0 (hitcnt=0)
access-list 100 permit ip 10.0.0.0 255.255.0.0 198.168.1.0 255.255.255.0 (hitcnt=0)
access-list 200; 4 elements
access-list 200 permit ip 204.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0 (hitcnt=60)
access-list 200 permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0 (hitcnt=0)
access-list 200 permit ip 192.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0 (hitcnt=0)
access-list 200 permit ip 204.142.253.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0)

Pix-Admin1# show access-group
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_dmz in interface dmz:2

Hi,

Thanks for the posting. I don't know how all the messengers work, but I think the permit tcp any any eq www and the following statements in your access-list acl_in would allow the traffic. Many tools use the www protocol to keep working behind firewalls or proxies (I know it from ICQ). Some look for allowed ports and will use them. If you really want to block the messengers, allow web access only via a proxy and configure allowed access there.

Regards Norbert

Hi,

Thanks for your time. I just wanted to tell you that I have been able to block all the messengers by moving all the deny rules for messengers above the access list acl_in permit tcp any any eq www.

Thought you would be curious!!
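First-match order explains both Norbert's hypothesis and the fix. In the acl_in shown above, permit tcp any any eq www (and permit tcp any any eq https) are consulted before any messenger deny, so a client that reaches 64.4.x.x or the Yahoo hosts over port 80 or 443 is permitted and the address-based denies further down never see the packet, which is why they show hitcnt=0. Moving those denies above the www permit makes the address match win regardless of port. The script below is an added example, not part of the thread and not Cisco code: it parses a handful of the poster's own ACEs in both orders and evaluates constructed flows under a simplified model of PIX first-match evaluation with implicit deny. The inside address 192.168.1.50, the MSN host 64.4.13.10 and the web site 198.51.100.7 are made up; NAT, stateful inspection, fixups and the access-group binding are outside the model.

```python
"""Added example (not from the thread, not Cisco code): a first-match
evaluator for a subset of PIX 6.x extended-ACE syntax, run over ACEs copied
from the poster's acl_in in the original order and in the reordered one.
Only ordering and implicit deny are modelled."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# PIX port keywords that appear in the thread, mapped to numbers.
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "pop3": 110, "ftp": 21,
              "telnet": 23, "domain": 53, "aol": 5190}


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None = any destination port
    hitcnt: int = 0               # mirrors the PIX (hitcnt=N) counter


def _addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one PIX address spec: any | host A.B.C.D | NET MASK."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an ACE: {line}")
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src, dst = _addr(rest), _addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return Ace(action, proto, src, dst, dport)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching ACE wins; no match means implicit deny (PIX semantics)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        ace.hitcnt += 1
        return ace.action
    return "deny"


# ACEs copied from the poster's acl_in (hitcnt fields removed), in the order
# shown in the thread: the port-80/443 permits precede every messenger deny.
ORIGINAL_ORDER = [
    "access-list acl_in permit tcp any any eq www",
    "access-list acl_in permit tcp any any eq https",
    "access-list acl_in deny tcp any any eq 1863",
    "access-list acl_in deny ip any 64.4.0.0 255.255.0.0",
    "access-list acl_in deny ip any host 216.136.233.128",
]

# The same ACEs with the denies moved above the permits, as in the fix.
REORDERED = ORIGINAL_ORDER[2:] + ORIGINAL_ORDER[:2]

# Constructed flows (addresses are made up): 64.4.13.10 is an arbitrary host
# in the poster's MSN range, 198.51.100.7 stands for an ordinary web site.
FLOWS: List[Tuple[str, str, str, int]] = [
    ("tcp", "192.168.1.50", "64.4.13.10", 80),       # MSN over HTTP
    ("tcp", "192.168.1.50", "64.4.13.10", 443),      # MSN over HTTPS
    ("tcp", "192.168.1.50", "64.4.13.10", 1863),     # MSN native port
    ("tcp", "192.168.1.50", "216.136.233.128", 80),  # cs.yahoo.com over HTTP
    ("tcp", "192.168.1.50", "198.51.100.7", 80),     # normal browsing
]


def run(lines: List[str], flows) -> Tuple[List[str], List[int]]:
    """Return the per-flow decisions and the resulting hit counter per ACE."""
    acl = [parse_ace(line) for line in lines]
    decisions = [evaluate(acl, *flow) for flow in flows]
    return decisions, [ace.hitcnt for ace in acl]


if __name__ == "__main__":
    for label, lines in (("original order", ORIGINAL_ORDER), ("reordered", REORDERED)):
        decisions, hits = run(lines, FLOWS)
        print(label)
        for flow, verdict in zip(FLOWS, decisions):
            print(f"  {flow[2]}:{flow[3]:<5} -> {verdict}")
        for line, h in zip(lines, hits):
            print(f"  (hitcnt={h}) {line}")
```

In the original order the two address-based denies end with hitcnt=0 while every messenger flow on 80 or 443 is permitted; only the flow to the native port 1863 reaches its deny. After reordering, all four messenger flows are denied and ordinary browsing is still permitted, which is the behaviour the poster reports. Note that the model is deliberately generous to the poster's port-based denies: a client that is told to use port 80 instead of 1863 is only stopped by the address-based ACEs, which is Norbert's point about tools that fall back to the www protocol.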
