The PIX does not have the ability to perform deep packet inspection to the level needed to catch skype.
You could try to block UDP port 1247 and TCP ports 2940-3000 but if these ports are blocked, then skype uses 443 to tunnel out of the network to talk to the SN's (supernodes).
In order to effectively block skype, you must get down into the packet and start looking at the payload.
Here is what you have to do to block skype. You have to inspect the payload of the network (TCP, UDP) traffic. Otherwise, you cannot block Skype.
At login Skype sends a login message to the login server. The first two messages in that flow are:
0x1603010000 -> (5 bytes)
<- 0x1703010000 (5 bytes)
By blocking all incoming messages who have the signature 0x17030100, Skype is blocked.
Note that the first three bytes of client_key_exchange SSL message are
0x160301 which correspond to:
0x16: the message type is client_key_exchange
03 01: SSL version 3.1
Skype uses the SSL signature header for client to server message exchange. But for server to client message exchange, it uses a non-SSL based header. So by blocking packets that have this header (0x170301), one can effectively block Skype without blocking any other application.
The IPS module on the ASA can tag these skype packets and block them.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...