777 Views, 5 Helpful, 8 Replies

How to block instant messaging applications (socks protocol) on my pix 515

fmemevegny
Level 1

I would like to block all instant messaging application traffic on my PIX 515. Some of them use the SOCKS protocol. Can someone help me block these applications, or the SOCKS protocol, on my PIX 515?

Regards

Accepted Solution

Patrick Laidlaw
Level 4

This was just answered by a thread below.

object-group service MSN_Messenger_tcp tcp
 description MSN Messenger tries to use these ports
 port-object eq www
 port-object eq 1863
 port-object eq 7001
object-group network MSN_Messenger_hosts
 description hosts that MSN Messenger lives on
 network-object 65.54.195.0 255.255.255.0
 network-object 65.54.225.0 255.255.255.0
 network-object 65.54.226.0 255.255.254.0
 network-object 65.54.228.0 255.255.254.0
 network-object host 65.54.240.61
 network-object host 65.54.240.62
 network-object 207.46.104.0 255.255.252.0
 network-object 207.46.108.0 255.255.255.0
 network-object 207.68.171.0 255.255.255.0
access-list acl-inside deny tcp any object-group MSN_Messenger_hosts object-group MSN_Messenger_tcp

Apply this to an acl on your inside interface.

Patrick


8 Replies


Thank you very much for your help.

Regards

Ferdinand,

I was wondering if you would rate this solution, or check it off if it solved your problem.

Patrick

Hi Patrick

I did exactly what you told me, but after applying the ACL on my inside interface, Internet access became impossible; users cannot access the Internet.

Can you tell why ?

I need your help please.

Regards

Ferdinand

If you apply an explicit deny on the interface, you also need to put in an explicit permit. Did you apply this on the inside interface going out? If so, you need an

access-list (ACLNAME) permit ip any any

Thanks
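The behaviour Patrick describes, an ACL whose only entry is a deny blocking everything else because of the implicit deny at the end of every PIX access-list, can be checked offline. The following is an added example written for this page, not Cisco code: a small Python model of PIX access-list evaluation that parses the object-groups and the access-list line from the accepted answer, plus a second ACL name, acl-inside-fixed, invented here to hold the version with the explicit permit ip any any. The parser only understands the keywords the posted configuration uses (any, host, net mask, object-group, eq) and the named port www; the LAN source address 10.75.3.50 and the external test addresses are constructed for the example.

```python
"""Offline model of PIX access-list evaluation: object-groups are expanded,
entries are tried top down, first match wins, and a packet that matches no
entry is dropped by the implicit deny at the end of the list.
Added example for this thread, not Cisco code; see the lead-in for assumptions."""
import ipaddress

PORT_NAMES = {"www": 80, "http": 80, "https": 443}  # subset of PIX service names


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(tok, i, groups):
    """Consume one address spec starting at tok[i]; return (networks, next index)."""
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1] + "/32")], i + 2
    if tok[i] == "object-group":
        return list(groups[tok[i + 1]]["members"]), i + 2
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")], i + 2  # NET MASK


def _ace(tok, groups):
    """tok = [action, proto, SRC..., DST..., [eq PORT | object-group PORTS]]"""
    action, proto = tok[0], tok[1]
    src, i = _addr(tok, 2, groups)
    dst, i = _addr(tok, i, groups)
    ports = set()
    if i < len(tok) and tok[i] == "eq":
        ports = {_port(tok[i + 1])}
    elif i < len(tok) and tok[i] == "object-group":
        ports = set(groups[tok[i + 1]]["members"])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "ports": ports}


def parse_config(text):
    """Return (object_groups, acls) from a fragment of PIX configuration."""
    groups, acls, cur = {}, {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "description":
            continue
        if tok[0] == "object-group":        # object-group network|service NAME [tcp]
            cur = groups.setdefault(tok[2], {"kind": tok[1], "members": []})
        elif tok[0] == "network-object":    # host A.B.C.D  |  NET MASK
            net = tok[2] + "/32" if tok[1] == "host" else f"{tok[1]}/{tok[2]}"
            cur["members"].append(ipaddress.ip_network(net))
        elif tok[0] == "port-object":       # eq PORT
            cur["members"].append(_port(tok[2]))
        elif tok[0] == "access-list":       # access-list NAME action proto ...
            acls.setdefault(tok[1], []).append(_ace(tok[2:], groups))
    return groups, acls


def evaluate(acl, proto, src_ip, dst_ip, dst_port):
    """First matching entry decides; no match at all means the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if not any(src in n for n in ace["src"]) or not any(dst in n for n in ace["dst"]):
            continue
        if ace["ports"] and dst_port not in ace["ports"]:
            continue
        return ace["action"]
    return "deny (implicit)"


# Object groups and deny line from the accepted answer; acl-inside-fixed is a
# name chosen here for the same deny followed by the permit the later reply adds.
PIX_CONFIG = """
object-group service MSN_Messenger_tcp tcp
 port-object eq www
 port-object eq 1863
 port-object eq 7001
object-group network MSN_Messenger_hosts
 network-object 65.54.195.0 255.255.255.0
 network-object 65.54.225.0 255.255.255.0
 network-object 65.54.226.0 255.255.254.0
 network-object 65.54.228.0 255.255.254.0
 network-object host 65.54.240.61
 network-object host 65.54.240.62
 network-object 207.46.104.0 255.255.252.0
 network-object 207.46.108.0 255.255.255.0
 network-object 207.68.171.0 255.255.255.0
access-list acl-inside deny tcp any object-group MSN_Messenger_hosts object-group MSN_Messenger_tcp
access-list acl-inside-fixed deny tcp any object-group MSN_Messenger_hosts object-group MSN_Messenger_tcp
access-list acl-inside-fixed permit ip any any
"""
GROUPS, ACLS = parse_config(PIX_CONFIG)


def check(acl_name, proto, dst_ip, dst_port, src_ip="10.75.3.50"):
    """Decision for a LAN host; the source address is a constructed example."""
    return evaluate(ACLS[acl_name], proto, src_ip, dst_ip, dst_port)


if __name__ == "__main__":
    for acl in ("acl-inside", "acl-inside-fixed"):
        print(acl)
        print("  MSN login 65.54.240.61:1863 ->", check(acl, "tcp", "65.54.240.61", 1863))
        print("  plain web 198.51.100.7:80   ->", check(acl, "tcp", "198.51.100.7", 80))
        print("  MSN host on tcp/443         ->", check(acl, "tcp", "65.54.195.10", 443))
```

Running it shows why the first version cut off Internet access: under acl-inside, traffic to an ordinary web server falls through to the implicit deny, while under acl-inside-fixed it reaches the permit. The model also makes two limits of the approach visible: only the listed ports to the listed hosts are denied (the same host on tcp/443, or over UDP, is permitted), and because www is in the port group, ordinary web browsing to those Microsoft addresses is blocked along with Messenger. On a PIX the list is bound to the interface with access-group acl-inside in interface inside, so it filters traffic entering the firewall from the LAN.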

I have not put an explicit permit. I will do it tomorrow and will inform you.

However, when I apply the ACL on the inside interface going out, I get an error; when I apply it on the inside interface going in, I get no error.

Can you tell me why ?

Thank you for your help

Regards

Ferdinand

Ferdinand,

access-list acl-inside deny tcp any object-group MSN_Messenger_hosts object-group MSN_Messenger_tcp
access-list acl-inside permit ip any any

Sorry, I was just giving you the exact line you would need to block MSN Messenger. You may have to add more to your Messenger hosts object group depending on the servers you connect to. The easiest way to do this is by running netstat on your PC to see what servers Messenger is connecting to.

Patrick
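Patrick's suggestion is to run netstat on a PC with Messenger signed in and add the servers it talks to into the object group. As an added example (not Cisco or Microsoft code, and not part of the original thread), the Python below turns a snapshot of Windows netstat -n output into candidate network-object lines: it keeps established or connecting TCP sockets, drops LAN peers, drops addresses already inside the networks from the accepted answer, and lists the remote ports seen per host so that a port missing from MSN_Messenger_tcp stands out. The netstat output and the addresses in it are constructed for the example.

```python
"""Turn a 'netstat -n' snapshot into candidate MSN_Messenger_hosts entries.
Added example for this thread, not vendor code; the netstat text below is
constructed, and COVERED holds the networks from the accepted answer."""
import ipaddress

# Constructed snapshot in the layout of Windows 'netstat -n'
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.75.3.50:1045        65.54.239.140:1863     ESTABLISHED
  TCP    10.75.3.50:1047        207.46.104.20:80       ESTABLISHED
  TCP    10.75.3.50:1049        64.4.13.47:7001        SYN_SENT
  TCP    10.75.3.50:1050        10.75.3.13:139         ESTABLISHED
  TCP    10.75.3.50:1052        65.54.239.140:1863     TIME_WAIT
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  UDP    10.75.3.50:137         *:*
"""

# Networks already in object-group MSN_Messenger_hosts (from the accepted answer)
COVERED = [
    "65.54.195.0/255.255.255.0", "65.54.225.0/255.255.255.0",
    "65.54.226.0/255.255.254.0", "65.54.228.0/255.255.254.0",
    "65.54.240.61/32", "65.54.240.62/32",
    "207.46.104.0/255.255.252.0", "207.46.108.0/255.255.255.0",
    "207.68.171.0/255.255.255.0",
]


def parse_netstat(text, states=("ESTABLISHED", "SYN_SENT")):
    """Return [(remote_ip, remote_port)] for TCP sockets in the given states."""
    conns = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) == 4 and tok[0] == "TCP" and tok[3] in states:
            host, _, port = tok[2].rpartition(":")   # IPv4 'addr:port'
            conns.append((host, int(port)))
    return conns


def uncovered_hosts(conns, covered):
    """Public remote addresses not inside any network already in the group."""
    nets = [ipaddress.ip_network(n) for n in covered]
    found = []
    for host, _port in conns:
        ip = ipaddress.ip_address(host)
        if ip.is_private or ip in found or any(ip in n for n in nets):
            continue  # LAN peer, duplicate, or already blocked
        found.append(ip)
    return [str(ip) for ip in found]


def ports_by_host(conns):
    """Remote ports seen per host, to spot ports missing from the port group."""
    seen = {}
    for host, port in conns:
        seen.setdefault(host, set()).add(port)
    return seen


def object_group_lines(hosts):
    """PIX lines to paste under 'object-group network MSN_Messenger_hosts'."""
    return ["network-object host " + h for h in hosts]


if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_SAMPLE)
    for line in object_group_lines(uncovered_hosts(conns, COVERED)):
        print(line)
    print(ports_by_host(conns))
```

A netstat snapshot only shows the connections open at that moment, so repeat it across a few sign-ins and file transfers before trusting the list; and since the client falls back to port 80 (www is already in MSN_Messenger_tcp), a host list built this way has to be maintained as the service's addresses change.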

Hi Patrick

Thank you very much. It is good now.

I have three small questions, please:

1. I don't know how to use the "netstat" command to see what servers Messenger is connecting to.

2. How can I see the statistics for my "acl-inside"?

3. After changing my TFTP server IP address on my PIX, I am not able to save the PIX configuration to my TFTP server. I get the following error message:

Building configuration
TFTP write /FAS/Pixconf at 10.75.3.13 on interface 1 Timed out attempting to connect
[FAILED]

Regards

Ferdinand
