04-06-2006 02:18 PM - edited 02-21-2020 12:49 AM
I would like to block all instant messaging application traffic on my pix 515. Some of them use the socks protocol. Can someone help me to block these applications or this socks protocol on my pix 515?
Regards
04-06-2006 03:37 PM
This was just answered by a thread below.
object-group service MSN_Messenger_tcp tcp
description MSN Messenger tries to use these ports
port-object eq www
port-object eq 1863
port-object eq 7001
object-group network MSN_Messenger_hosts
description hosts that MSN Messenger lives on
network-object 65.54.195.0 255.255.255.0
network-object 65.54.225.0 255.255.255.0
network-object 65.54.226.0 255.255.254.0
network-object 65.54.228.0 255.255.254.0
network-object host 65.54.240.61
network-object host 65.54.240.62
network-object 207.46.104.0 255.255.252.0
network-object 207.46.108.0 255.255.255.0
network-object 207.68.171.0 255.255.255.0
access-list acl-inside deny tcp any object-group MSN_Messenger_hosts object-group MSN_Messenger_tcp
Apply this to an acl on your inside interface.
Patrick
04-07-2006 09:31 AM
Thank you very much for your help.
Regards
04-07-2006 01:06 PM
Ferdinand,
Was wondering if you would rate this solution or check it if this solved your problem.
Patrick
04-10-2006 09:25 AM
Hi Patrick
I did exactly what you told me, but after applying the ACL on my inside interface, Internet access became impossible; users cannot access the Internet.
Can you tell me why?
I need your help please.
Regards
Ferdinand
04-10-2006 12:08 PM
If you apply an explicit deny to the interface you also need to put an explicit permit. Did you apply this on the inside interface going out? If so, you need an
access-list (ACLNAME) permit ip any any
04-10-2006 01:01 PM
Thanks
I have not put an explicit permit. I will do it tomorrow and will inform you.
However, when I apply the ACL on the inside interface going out, I get an error. But when I apply it on the inside interface going in, I get no error.
Can you tell me why ?
Thank you for your help
Regards
Ferdinand
04-10-2006 03:03 PM
Ferdinand,
access-list acl-inside deny tcp any object-group MSN_Messenger_hosts object-group MSN_Messenger_tcp
access-list acl-inside permit ip any any
Sorry I was just giving you the exact line that you would need to block msn messenger. You may have to add more to your Messenger Hosts object group depending on the servers you connect to. The easiest way to do this is by running netstat on your pc to see what servers messenger is connecting to.
Patrick
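The failure Ferdinand hit is the classic one: a PIX access list is evaluated top to bottom, first match wins, and anything that reaches the end is dropped by the implicit deny. With only the deny line applied, every outbound flow that is not MSN traffic falls through to that implicit deny, so the whole inside network loses Internet access; appending "permit ip any any" gives the non-matching traffic somewhere to land. The small evaluator below is an added example for this thread (not the poster's configuration and not Cisco code): it parses the object groups and access-list lines in the same PIX syntax and evaluates constructed flows against both the deny-only list and the fixed list. The configuration embedded in it is a constructed subset of the hosts posted above, and the source address 192.168.1.10 is made up.

```python
import ipaddress

# Constructed sample config (subset of the object groups posted in the thread).
CONFIG_DENY_ONLY = """
object-group service MSN_Messenger_tcp tcp
 description MSN Messenger tries to use these ports
 port-object eq www
 port-object eq 1863
 port-object eq 7001
object-group network MSN_Messenger_hosts
 description hosts that MSN Messenger lives on
 network-object 65.54.195.0 255.255.255.0
 network-object host 65.54.240.61
access-list acl-inside deny tcp any object-group MSN_Messenger_hosts object-group MSN_Messenger_tcp
"""

# The same list with the explicit permit from the follow-up post appended.
CONFIG_FIXED = CONFIG_DENY_ONLY + "access-list acl-inside permit ip any any\n"

# A few well-known service names the PIX accepts in place of port numbers.
WELL_KNOWN = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22,
              "telnet": 23, "smtp": 25, "domain": 53}

IMPLICIT_DENY = "deny (implicit)"


def _port(token):
    return int(token) if token.isdigit() else WELL_KNOWN[token]


def _take_addr(tok, net_groups):
    """Consume one address spec (any / host A / object-group G / A MASK)."""
    if tok[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tok[1:]
    if tok[0] == "host":
        return [ipaddress.ip_network(tok[1])], tok[2:]
    if tok[0] == "object-group":
        return net_groups[tok[1]], tok[2:]
    return [ipaddress.ip_network(f"{tok[0]}/{tok[1]}")], tok[2:]


def _parse_ace(tok, svc_groups, net_groups):
    """tok: [permit|deny] <proto> <src> <dst> [object-group G | eq PORT]."""
    action, proto, rest = tok[0], tok[1], tok[2:]
    src, rest = _take_addr(rest, net_groups)
    dst, rest = _take_addr(rest, net_groups)
    ports = None  # None means "any destination port"
    if rest and rest[0] == "object-group":
        ports = svc_groups[rest[1]]
    elif rest and rest[0] == "eq":
        ports = [_port(rest[1])]
    return (action, proto, src, dst, ports)


def parse_config(text):
    """Return {acl_name: [ace, ...]} from PIX-style object-group / access-list lines."""
    svc_groups, net_groups, acls = {}, {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("description"):
            continue
        tok = line.split()
        if tok[:2] == ["object-group", "service"]:
            current = svc_groups.setdefault(tok[2], [])
        elif tok[:2] == ["object-group", "network"]:
            current = net_groups.setdefault(tok[2], [])
        elif tok[0] == "port-object":          # "port-object eq <port>"
            current.append(_port(tok[2]))
        elif tok[0] == "network-object":
            if tok[1] == "host":
                current.append(ipaddress.ip_network(tok[2]))
            else:
                current.append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))
        elif tok[0] == "access-list":
            acls.setdefault(tok[1], []).append(_parse_ace(tok[2:], svc_groups, net_groups))
    return acls


def evaluate(acl, src, dst, proto, dport):
    """First-match evaluation; a flow that matches no ACE hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, srcs, dsts, ports in acl:
        if p != "ip" and p != proto:
            continue
        if not any(s in n for n in srcs) or not any(d in n for n in dsts):
            continue
        if ports is not None and dport not in ports:
            continue
        return action
    return IMPLICIT_DENY


if __name__ == "__main__":
    flows = [("192.168.1.10", "8.8.8.8", "tcp", 443),        # ordinary web browsing
             ("192.168.1.10", "65.54.195.10", "tcp", 1863)]  # MSN login server
    for label, cfg in (("deny only", CONFIG_DENY_ONLY), ("with permit", CONFIG_FIXED)):
        acl = parse_config(cfg)["acl-inside"]
        for f in flows:
            print(f"{label:12} {f[1]}:{f[3]}/{f[2]} -> {evaluate(acl, *f)}")
```

Running it shows the web flow falling to the implicit deny under the first configuration and being permitted under the second, while the MSN flow stays denied in both, which is exactly the behaviour the thread describes. Note that the evaluator ignores stateful return traffic and only models the outbound direction the ACL is applied in.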
04-11-2006 01:02 AM
Hi Patrick
Thank you very much. It is good now.
I have three small questions please
1- I don't know how to use the "netstat" command to see what servers messenger is connecting to.
2- How can I see the statistics about my "acl-inside"?
3- After changing my TFTP server IP address on my Pix, I'm not able to save Pix configuration on my tftp server. I have the following error message "Building configuration
TFTP write /FAS/Pixconf at 10.75.3.13 on interface 1 Timed out attempting to connect"
[FAILED]
Regards
Ferdinand