Cisco Support Community
New Member

How to block chat services

How can an ASA firewall or router be configured to block a small company's employees from accessing their Yahoo email and chat services?

2 ACCEPTED SOLUTIONS

New Member

Re: How to block chat services

Hi

You need to create access lists to resolve your issue. Here is the sample configuration. Go through the following link:

http://www.cisco.com/en/US/docs/storage/san_switches/mds9000/sw/rel_2_x/san-os/configuration/guide/ipacl.html

Thanks and regards

S.Mohana sundaram

INDSYSS Technologies

+91 98940 44411,mohans@indsys.co.in

Bronze

Re: How to block chat services

Very simply put, block the IP range.

deny ip (your network) (your mask) 69.147.64.0 0.0.63.255

That will block all communications to all of Yahoo's IPs (at least in the US) if used in an extended access list. I believe it even encompasses the IM servers.

9 REPLIES
New Member

Re: How to block chat services

But blocking those IPs would deny your users from getting out to yahoo.com? What about getting some type of a web filter or IDS/IPS?

Bronze

Re: How to block chat services

Sure, but what does Yahoo offer that you can't get at say, Google, MSN, or CNN?

But if you don't block Yahoo's entire range, users will still be able to use Yahoo's web mail and web messenger since they travel over port 80.

Tossing an opinion into the mix, it's more administrative overhead than it's worth considering Yahoo is no longer a top search engine, and any news/services it offers can be found elsewhere. Not to mention, getting a web filter and/or IDS/IPS to do the job (or even content switching) would incur a cost that can be easily avoided by an ACL blocking the IP range.

New Member

Re: How to block chat services

Problem is, if you have to block chat services, and you take this approach, then you have to block MSN chat, Google chat, AOL chat... and if you're blocking the whole range, before you know it half the internet is blocked...

New Member

Re: How to block chat services

Just create an ACL to block everything 0.0.0.0 LOL. Then no problem at all.. :-) Unless he really doesn't like Yahoo at all and he is only allowing Google chat, MSN chat.

Bronze

Re: How to block chat services

Not really, as Gmail uses a specific server to log in (mail.google.com), MSN chat has no web interface as far as I know, and AOL chat uses login.messaging.aol.com (and their web version uses aimexpress.aol.com, so that can be pinpointed as well).

Of course, I suppose the idea of Yahoo chat not being sanctioned as an acceptable chat client by a company completely escaped your thought process, no?

New Member

Re: How to block chat services

On a router you could use NBAR.

Tim

New Member

Re: How to block chat services

I would recommend using black hole DNS to do this. You can create wildcard records for the IM sites on your DNS server. These wildcard records would be pointed to the loopback address or corp web site.

The final step is to use the ASA to only allow your internal (trusted) DNS servers to do outbound DNS queries UDP/53 (everyone else gets denied).

HTH

- Iain
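
The final step described in the reply above, sketched as ASA configuration. This is an added example, not part of the original post: the ACL name INSIDE_IN, the object-group name INTERNAL_DNS, the interface name inside and the 10.0.0.x resolver addresses are assumptions, and TCP/53 is covered alongside the UDP/53 the post mentions because DNS also runs over TCP.

```cisco
! Constructed example. Replace the addresses with your own internal resolvers.
! These are the servers that hold the wildcard black hole records for the IM sites.
object-group network INTERNAL_DNS
 network-object host 10.0.0.53
 network-object host 10.0.0.54
!
! Order matters: the ASA evaluates ACL lines top down and stops at the first match.
! 1. Only the trusted resolvers may send DNS queries outbound.
access-list INSIDE_IN extended permit udp object-group INTERNAL_DNS any eq domain
access-list INSIDE_IN extended permit tcp object-group INTERNAL_DNS any eq domain
!
! 2. Every other inside host is denied DNS to any destination, so a client that
!    points itself at a public resolver cannot bypass the black hole records.
!    "log" records each denied attempt for follow-up.
access-list INSIDE_IN extended deny udp any any eq domain log
access-list INSIDE_IN extended deny tcp any any eq domain log
!
! 3. Assumption: all other outbound traffic stays permitted. If an ACL is already
!    applied to the inside interface, add the lines above to it instead of
!    creating a new one.
access-list INSIDE_IN extended permit ip any any
!
! Apply the ACL to traffic entering the ASA from the inside network.
access-group INSIDE_IN in interface inside
```

`show access-list INSIDE_IN` displays per-line hit counts, so clients that still try to query external DNS directly show up as hits on the two deny lines.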
