Cisco Support Community
New Member

PIX 506e and MSN Messenger

How do I configure the PIX 506e to prevent my users from using MSN Messenger?

  • Other Security Subjects
5 REPLIES
Cisco Employee

Re: PIX 506e and MSN Messenger

You should be able to just block TCP/UDP port 1863 and that'll be enough. You'll have to set this up on your inside interface to stop it going out, so something like:

> access-list nomsn deny tcp any any eq 1863

> access-list nomsn deny udp any any eq 1863

> access-list nomsn permit ip any any

> access-group nomsn in interface inside

should do the trick.

New Member

Re: PIX 506e and MSN Messenger

I thank you for your response.

When I inserted these lines, I was still able to sign on to MSN Messenger. Any other ideas?

Cisco Employee

Re: PIX 506e and MSN Messenger

MSN might try other ports if it can't get through. Try denying access to the MSN servers themselves with:

access-list nomsn deny ip any 64.4.13.0 255.255.255.0

access-list nomsn permit ip any any

access-group nomsn in interface inside

New Member

Re: PIX 506e and MSN Messenger

If you really want to prevent the use of Instant Messaging apps, the only sure way is to lock down the workstation to the point that they can no longer be loaded and make sure your company's Internet usage policy prohibits the use of IM applications.

Most IM programs in use today adapt themselves automatically to work behind a firewall. This includes using port 80, 23, or any other available port to get its message through. That said, here are a few things I've found to work for me in the field.

To block AOL IM you can block port 5190 and the AIM authentication servers login.oscar.aol.com (current addresses: 64.12.161.185, 64.12.161.153)

Yahoo Messenger doesn't seem to use any standard port but you can try the same thing with blocking their login servers at (cs.yahoo.com and scsa.yahoo.com) 216.136.175.226, 216.136.226.209, 216.136.226.210, 216.136.233.132, 216.136.173.172, 216.136.173.179 and 216.136.233.128

MSN Messenger can be blocked with TCP Port 1863 and IP Range 64.4.13.0/24. I don't believe this will block out any web content with MSN, but use with caution.

ICQ can be blocked with ports 4000/UDP, 5190/TCP, and login.icq.com (205.188.179.233, 64.12.200.89).

I've found this info very useful in filtering the use of IM apps for my customers, and I'm sure you will too.

Bob

New Member

Re: PIX 506e and MSN Messenger

Thanks to all for your responses.

I must say, I am new to Cisco everything. So I'm using the Java interface to enter these commands. After I entered Bob's commands, MSN was still working. Here is what I did.

At the Rules/ Access screen, I added the following info.

Action = deny, Source = any, dest.= 64.4.13.0/24, interface=inside, service = ip

I also noticed that MSN Messenger is using port 80.
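The filtering logic discussed in this thread, worked through as an added example (not code from any poster or from Cisco): a small Python model of PIX first-match ACL evaluation, loaded with the exact nomsn lines given in the replies above and run against constructed flows. It shows that traffic to port 1863 or to 64.4.13.0/24 is dropped, while a client falling back to port 80 at an address outside that range, as the last post observes, is still permitted. The client address 10.0.0.5 and the fallback address 198.51.100.7 are constructed sample values.

```python
import ipaddress

# The access-list lines posted in this thread, in PIX 6.x syntax
# (netmask form, first match wins, implicit deny at the end).
NOMSN_ACL = [
    "access-list nomsn deny tcp any any eq 1863",
    "access-list nomsn deny udp any any eq 1863",
    "access-list nomsn deny ip any 64.4.13.0 255.255.255.0",
    "access-list nomsn permit ip any any",
]

def _take_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts 'address/netmask' directly (e.g. 64.4.13.0/255.255.255.0)
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_ace(line):
    """Parse one access-list entry (only the subset of syntax used above)."""
    tokens = line.split()
    name, action, proto = tokens[1], tokens[2], tokens[3]
    src, rest = _take_addr(tokens[4:])
    dst, rest = _take_addr(rest)
    dport = int(rest[1]) if rest and rest[0] == "eq" else None
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}

def evaluate(acl_lines, proto, src_ip, dst_ip, dport):
    """Return 'permit' or 'deny' for a flow: first matching entry wins,
    and a flow matching nothing hits the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"

if __name__ == "__main__":
    # Constructed flows: normal login, login over port 80 to the MSN range,
    # and a port-80 fallback to a server outside 64.4.13.0/24.
    for flow in [("tcp", "10.0.0.5", "64.4.13.10", 1863),
                 ("tcp", "10.0.0.5", "64.4.13.10", 80),
                 ("tcp", "10.0.0.5", "198.51.100.7", 80)]:
        print(flow, "->", evaluate(NOMSN_ACL, *flow))
```

The last flow is the gap the thread ends on: an address-plus-port list cannot stop a client that can reach its service over a different address and a port the list must leave open.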
