05-17-2006 11:39 PM
I know the router can use NBAR; I want to know whether the ASA5500 can use NBAR too?
05-18-2006 10:20 AM
Hi,
ASA/PIX does not have the NBAR feature. But an ASA with the SSM (IPS) can block P2P applications.
You can use both your firewall (using ACLs) and your router (using NBAR) to filter P2P.
The following doc gives you some idea of how to implement it:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00801e419a.shtml
Hope this helps.
Rgds,
AK
05-18-2006 08:30 PM
Thanks for the reply.
My device already has the SSM module installed and I configured it to drop P2P traffic, but it has no effect. The configuration is as follows (the configuration is not complete because Cisco limits the message length to 4000 characters, and the server gives an error when I upload a file. So if you want the full configuration please add my MSN: zhecheng_fan at hotmail dot com, or give me your email and I will send it to you):
!
interface E0/0
nameif outside
security-level 0
ip address X.X.2.162 255.255.255.240
!
interface E0/1
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
!
interface E0/2
nameif dmz
security-level 50
ip address 172.16.1.254 255.255.255.0
!
passwd
ftp mode passive
object-group network WWW
description access www
network-object 192.168.0.1 255.255.255.255
object-group network Skype
description use Skype.
network-object 192.168.0.0 255.255.255.0
object-group network P2P
description not use P2P\QQ.
network-object 192.168.0.10 255.255.255.255
object-group service DMZ_Mail_Tcp tcp
port-object eq domain
port-object eq www
port-object eq pop3
port-object eq smtp
object-group service DMZ_Mail_UDP udp
port-object eq www
port-object eq domain
access-list inside_nat0_outbound extended permit ip any 172.16.1.0 255.255.255.0
access-list inside_access_in extended permit tcp object-group WWW any eq www
access-list inside_access_in extended permit udp object-group WWW any eq domain
access-list inside_access_in extended permit tcp object-group WWW any
access-list inside_access_in extended permit udp object-group WWW any
access-list inside_access_in extended permit tcp object-group P2P any eq 1863
access-list inside_access_in extended permit udp object-group P2P any eq 1863
access-list inside_access_in extended deny tcp object-group P2P any
access-list inside_access_in extended permit tcp any host 172.16.1.253 eq pop3
access-list inside_access_in extended permit tcp any host 172.16.1.253 eq smtp
access-list inside_mpc_in_V2 extended permit udp object-group P2P any
access-list inside_mpc_in_V3 extended permit tcp object-group P2P any
access-list dmz_access_in extended permit tcp host 172.16.1.253 any object-group DMZ_Mail_Tcp
access-list dmz_access_in extended permit udp host 172.16.1.253 any object-group DMZ_Mail_UDP
access-list outside_access_in extended permit tcp any host X.X.2.163 object-group DMZ_Mail_Tcp
access-list outside_access_in extended permit udp any host X.X.2.163 object-group DMZ_Mail_UDP
!
http-map NoP2P
strict-http action allow log
port-misuse p2p action drop
port-misuse im action drop
!
asdm group WWW inside
asdm group Skype inside
asdm group P2P inside
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) X.X.2.163 172.16.1.253 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 61.28.2.161 1
timeout xlate 3:00:00
!
class-map inspection_default
match default-inspection-traffic
class-map Blk_P2P_Tcp
match access-list inside_mpc_in_V3
class-map Blk_P2P_Udp
match access-list inside_mpc_in_V2
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
policy-map inside-policy
class Blk_P2P_Tcp
inspect http NoP2P
ips inline fail-close
class Blk_P2P_Udp
inspect http NoP2P
ips inline fail-close
!
service-policy global_policy global
service-policy inside-policy interface inside
Cryptochecksum:xxxxxxxxxx
: end
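The two-device approach AK describes, as an added example that is not from the thread or from the linked Cisco document: the router classifies P2P with NBAR and drops it, while the ASA, which has no NBAR, restricts outbound traffic to an explicit allow-list instead of permitting all TCP from a host group. Interface names, the ALLOWED-TCP group and the ACL name inside_restrictive_in are assumptions.

```cisco
! --- Router side (Cisco IOS with NBAR), added example, not from the thread ---
! bittorrent/edonkey/gnutella/fasttrack/kazaa2/winmx are NBAR protocol
! classes shipped in IOS 12.3T/12.4 images; the interface is assumed.
class-map match-any P2P-APPS
 match protocol bittorrent
 match protocol edonkey
 match protocol gnutella
 match protocol fasttrack
 match protocol kazaa2
 match protocol winmx
!
policy-map DROP-P2P
 class P2P-APPS
  drop
!
interface FastEthernet0/1
 description Link towards the ASA (assumed interface)
 service-policy input DROP-P2P
!
! --- ASA side (ACL only, no NBAR available), added example ---
! Permit only the services users need and deny everything else, so a
! P2P client cannot simply open outbound connections on arbitrary ports.
object-group service ALLOWED-TCP tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq pop3
access-list inside_restrictive_in extended permit udp 192.168.0.0 255.255.255.0 any eq domain
access-list inside_restrictive_in extended permit tcp 192.168.0.0 255.255.255.0 any object-group ALLOWED-TCP
access-list inside_restrictive_in extended deny ip any any log
access-group inside_restrictive_in in interface inside
```

Check classification on the router with show policy-map interface FastEthernet0/1 (drop counters under class P2P-APPS) and on the ASA with show access-list inside_restrictive_in, watching the hit count on the final deny line.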