New Member

Can you block Hotmail but allow Messenger using a 2600 ACL

Hi, we use a Cisco 2600 router on our leased line. We want to block staff access to Hotmail (in fact all external web mail sites) but still allow MSN Messenger (which we use to communicate with several home workers). I have played with blocking several IP addresses on an outbound ACL on the serial 0/0 interface but with limited success. Any hints and tips with regard to technique, IPs to block, etc.? Thanks

5 REPLIES
Gold

Re: Can you block Hotmail but allow Messenger using a 2600 ACL

I block IPs 64.4.33.7 and 64.4.32.7; that should be enough.

M.
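
How the two addresses from the reply above could be applied as the outbound ACL on Serial0/0 that the question describes, as an added example that is not part of the original thread. The ACL number 110 is an arbitrary choice, and the thread does not confirm that these addresses are complete or still current.

```cisco
! Added example: ACL number 110 is hypothetical; the two host
! addresses are the ones quoted in the reply above.
access-list 110 remark Deny traffic to the two addresses given for Hotmail
! "log" records each denied flow so you can see who is hitting the rule
access-list 110 deny   ip any host 64.4.33.7 log
access-list 110 deny   ip any host 64.4.32.7 log
! Without this line the implicit "deny any" at the end of every ACL
! would drop all other outbound traffic, Messenger included
access-list 110 permit ip any any
!
interface Serial0/0
 ip access-group 110 out
!
! To verify after applying, check the per-entry match counters with:
!   show access-lists 110
```

If the counters on the deny entries stay at zero while staff can still reach the site, the addresses in the list are not the ones being used.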

Re: Can you block Hotmail but allow Messenger using a 2600 ACL

Hi,

You'll struggle to do this reliably just using IPs, as there's no guarantee they won't change and there's no way of reliably getting a list of even the big three (Hotmail, Gmail, Yahoo), let alone any of the others (.mac, Hushmail, Lycos, Muchomail, mail.com, etc.). The only way to do this reliably is with a 3rd-party product like Websense, Webwasher, etc.

Note that if you use a default route to the Internet then any clued-up user just needs to point their browser at a public proxy to bypass your ACL - unless you have a list of all the public proxies.

Also - I'd ask why do you want to block web mail? (blocking IM is usually at the top of the list in a security policy along with P2P). The reasoning is that webmail usually has a built-in anti-virus whereas IM/P2P has the ability to share any damaging content.

Just some thoughts - HTH

Andrew.

Re: Can you block Hotmail but allow Messenger using a 2600 ACL

Hi,

You could use NBAR to block URLs, if your IOS supports it. It could look like this:

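! NBAR requires Cisco Express Forwarding to be enabled
ip cef
!
! Class that matches if ANY of the listed criteria match
class-map match-any BlockStuff
 ! NBAR inspects HTTP requests and matches the URL against the pattern
 match protocol http url "*hotmail*"
 match protocol http url "*gmail*"
!
! Policy that drops everything classified into BlockStuff
policy-map BlockMail
 class BlockStuff
  drop
!
! Apply the policy to traffic leaving the serial interface
interface Serial0/0
 service-policy output BlockMail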

Hope this helps! Please rate all posts.

Regards, Martin

New Member

Re: Can you block Hotmail but allow Messenger using a 2600 ACL

Thanks but I don't think my humble 2510 supports ip cef. You need a 7500 or a 12000 according to O'Reilly.

New Member

Re: Can you block Hotmail but allow Messenger using a 2600 ACL

I take it back - it seems that it does. I just now need to understand what this config is doing so I know what I am implementing. Many thanks.
