Set rules by using the outbound command. I have 2 sets of outbound commands set on our 2 PIX 520s; we also have a PIX 506. I have an implicit DENY statement at the beginning of the first outbound rule. Then I simply open the ports that users actually NEED. Now the main problem with this is that newer chat/IM clients will simply ride other ports to get out. Take Yahoo Instant Messenger for instance. That is a very "intuitive program". It will ride port 80 and other very common ports, including telnet and ftp, to get out. WOW! Tough to block, right? Well, I just installed the app (Yahoo IM) and simply watched which specific chat servers it attached to. I then created outbound list number 2 to block each specific server for Yahoo and MSN. At this point I have had no problem blocking AOL IM. It seems it just rides out on its specific set of port lists. I haven't messed with ICQ though.
Here's my rule set. These are the rules; remember you still have to apply them. I will post that as well for each rule.
outbound 2 deny 18.104.22.168 255.255.255.255 0 ip
outbound 2 deny 22.214.171.124 255.255.255.255 0 ip
outbound 2 deny 126.96.36.199 255.255.255.255 0 ip
outbound 2 deny 188.8.131.52 255.255.255.255 0 ip
outbound 2 deny 184.108.40.206 255.255.255.255 0 ip
outbound 2 deny 220.127.116.11 255.255.255.255 0 ip
outbound 2 deny 18.104.22.168 255.255.255.255 0 ip
outbound 2 deny 22.214.171.124 255.255.255.255 0 ip
outbound 2 deny 126.96.36.199 255.255.255.255 0 ip
outbound 2 deny 188.8.131.52 255.255.255.255 0 ip
outbound 2 deny 184.108.40.206 255.255.255.255 0 ip
Some of the rules may be overdoing it, but it does work very, very well. The first outbound rule is applied by issuing this command:
apply (inside) 1 outgoing_src
This command will set the second outbound rule (this takes care of the MSN/Yahoo servers).
apply (inside) 2 outgoing_dest
As you can see I do have an allow for a couple of people to use Kazaa... one being myself; man, I'm a hypocrite. In any case this stuff can be pretty fun and easy, just look up more topics on Cisco's website for help with this.
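The two-list scheme the post describes (a source list that denies everything and then permits only the ports users need, plus a destination list that denies the specific chat servers seen while watching the client), written out as an added example. This is not the poster's actual configuration: the permitted ports, the 10.0.0.25 host and the 203.0.113.x server addresses are placeholders, and the syntax assumes the PIX 6.x-era `outbound`/`apply` commands the post uses (later PIX/ASA releases replaced them with access lists). Lines beginning with ":" are comment lines as found in saved PIX configurations.

```cisco
: List 1 is the source-side policy (applied with outgoing_src).
: Deny everything from every inside host first, then permit only what users need.
outbound 1 deny 0.0.0.0 0.0.0.0 0 ip
outbound 1 permit 0.0.0.0 0.0.0.0 53 udp
outbound 1 permit 0.0.0.0 0.0.0.0 80 tcp
outbound 1 permit 0.0.0.0 0.0.0.0 443 tcp
outbound 1 permit 0.0.0.0 0.0.0.0 25 tcp
: One specific inside host (placeholder address) allowed an extra port, as the post mentions for Kazaa (1214).
outbound 1 permit 10.0.0.25 255.255.255.255 1214 tcp
:
: List 2 is the destination-side policy (applied with outgoing_dest).
: Deny the specific chat servers observed while watching the client (placeholder addresses).
outbound 2 deny 203.0.113.10 255.255.255.255 0 ip
outbound 2 deny 203.0.113.11 255.255.255.255 0 ip
:
: Bind list 1 to inside sources and list 2 to outside destinations.
apply (inside) 1 outgoing_src
apply (inside) 2 outgoing_dest
```

The port-0 / `ip` entries mean "all ports, any IP protocol", which is why a single list-2 line is enough to cut a client off from one server regardless of which port it tries; the port-based permits in list 1 are what let a client that rides port 80 through, which is exactly the gap list 2 is there to close.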
This approach may be working for you right now, but I guarantee you that you have not blocked all of the servers. AOL, for example, has hundreds of servers dedicated to AIM; the same goes for Yahoo and MSN, just to name a few. I am not saying that it cannot be done, but you have to keep a constant eye on it to catch any new servers that pop up, as their networks are constantly growing and they add new servers regularly to keep up with the demand, which is also growing.
Excellent point. That was a truncated version; I have had to add more. Kazaa, on the other hand, should be done with that set of rules. It runs over port 1214. On to MSN. Something I did find interesting with MSN is this. It seems to be very dependent on one single server or set of servers being served by round-robin DNS or something like that. Now realistically, would it be surprising for M$ to do this given their track record? I started blocking all the "chat" servers. But there was one single server that I didn't block. Once I noticed it and took care of it, bam, no matter how long I left the client on it wouldn't work, no matter what I tried. If there is a better way to do this please let me know?!
Notice below the various chat servers with names httpXX.msgr.hotmail.com where XX= number of server
Well, now keep looking down the list and see that when I simply blocked gateway.messenger.hotmail.com nothing... I mean nothing from MSN IM worked... Would Microsoft really be this dumb? I dunno, but for now it IS working. I started blocking it server by server until I found that one and boom, dead.
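To make the "watch which servers the client attaches to" step from the first post repeatable, here is an added example (not the poster's tooling or any Cisco utility) that pulls the destination addresses contacted by a few test machines out of PIX connection-build syslog lines and prints the `outbound 2 deny` entries not yet in the list. The log lines, the inside and outside addresses and the list number are all constructed; the line layout assumes the PIX 302001 "Built outbound ... connection" message format. As the reply above points out, a tool like this only ever catches addresses that have already been seen, so it has to be re-run as the client's server pool changes.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not real traffic), modelled on the PIX
# 302001 "Built outbound" message: faddr is the outside peer, laddr the inside
# host, gaddr the translated address. The 302002 teardown line is there to show
# that unrelated messages are skipped.
SAMPLE_LOG = """\
%PIX-6-302001: Built outbound TCP connection 1001 for faddr 203.0.113.10/1863 gaddr 198.51.100.2/1025 laddr 10.0.0.5/1025
%PIX-6-302001: Built outbound TCP connection 1002 for faddr 203.0.113.10/80 gaddr 198.51.100.2/1026 laddr 10.0.0.5/1026
%PIX-6-302001: Built outbound TCP connection 1003 for faddr 203.0.113.11/80 gaddr 198.51.100.2/1027 laddr 10.0.0.6/1027
%PIX-6-302001: Built outbound TCP connection 1004 for faddr 192.0.2.50/80 gaddr 198.51.100.2/1028 laddr 10.0.0.6/1028
%PIX-6-302001: Built outbound TCP connection 1005 for faddr 203.0.113.10/1863 gaddr 198.51.100.2/1029 laddr 10.0.0.7/1029
%PIX-6-302001: Built outbound TCP connection 1006 for faddr 203.0.113.11/1863 gaddr 198.51.100.2/1030 laddr 10.0.0.7/1030
%PIX-6-302002: Teardown TCP connection 1001 faddr 203.0.113.10/1863 gaddr 198.51.100.2/1025 laddr 10.0.0.5/1025 duration 0:00:05 bytes 1200
"""

CONN_RE = re.compile(
    r"Built outbound (?P<proto>TCP|UDP) connection \d+ for "
    r"faddr (?P<fip>\d+\.\d+\.\d+\.\d+)/(?P<fport>\d+) "
    r"gaddr \d+\.\d+\.\d+\.\d+/\d+ "
    r"laddr (?P<lip>\d+\.\d+\.\d+\.\d+)/\d+"
)


def parse_connections(text):
    """Return one dict per 'Built outbound' line; any other message is skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            conns.append({"proto": m["proto"], "fip": m["fip"],
                          "fport": int(m["fport"]), "lip": m["lip"]})
    return conns


def destinations_for_hosts(conns, inside_hosts):
    """Count (outside address, port) pairs contacted by the watched inside hosts.

    Restricting to the test machines running the IM client keeps ordinary web
    traffic from other hosts out of the candidate list.
    """
    watched = set(inside_hosts)
    return Counter((c["fip"], c["fport"]) for c in conns if c["lip"] in watched)


def new_deny_rules(list_id, dests, already_denied):
    """Emit 'outbound <list> deny' lines for outside addresses not yet in the list.

    Port 0 and protocol 'ip' mean every port and protocol, matching the
    destination-list style used in the post.
    """
    addrs = sorted({ip for ip, _ in dests} - set(already_denied))
    return [f"outbound {list_id} deny {ip} 255.255.255.255 0 ip" for ip in addrs]


if __name__ == "__main__":
    conns = parse_connections(SAMPLE_LOG)
    # Hypothetical test machines on which the IM client was installed.
    dests = destinations_for_hosts(conns, ["10.0.0.5", "10.0.0.7"])
    for (ip, port), n in dests.most_common():
        print(f"{ip}:{port}  {n} connection(s)")
    # 203.0.113.10 is already in list 2; only the new server is printed.
    for rule in new_deny_rules(2, dests, ["203.0.113.10"]):
        print(rule)
```

Run it against a real `logging` export with the addresses of the machines used for the test install; anything the watched hosts reach on a non-IM port (port 80 here) shows up too, which is the point: that is the traffic a port-only list 1 would wave through.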