
Block AIM traffic from one IP

Status
Not open for further replies.

kendaukcat (IS-IT--Management), Sep 13, 2001
Hello all... I have a user who is abusing AOL Instant Messenger.

I am trying to block port 5190 for this user, but am not having any success. Any thoughts on what the correct access list command should be?

The user's IP is 10.1.210.110.

Thanks in Advance.

Ken
 
These are the commands you'll need. Replace ACL_Name with whatever you want to name the ACL. You need the esp line if you're running any VPN clients internally.

access-list ACL_Name deny tcp host 10.1.210.110 any eq 5190
access-list ACL_Name permit ip any any
access-list ACL_Name permit esp any any
access-group ACL_Name in interface inside

Keep in mind, a lot of the IM clients migrate ports if the primary one is blocked. So if this doesn't work, you'll want to find the IP address or range of addresses that AOL uses to host AIM and prevent that PC from accessing them.


Roland


*****************

What's ADD again?
 
Thank you for the input. Unfortunately, this did not work and the end user is still IM'ing his little fingers off ;)

Here are the access lists copied from a sh run:

access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp 63.210.233.0 255.255.255.0 any
access-list 102 permit ip 10.1.210.0 255.255.255.0 10.1.209.0 255.255.255.0
access-list 102 permit ip 10.1.210.0 255.255.255.0 10.5.0.0 255.255.248.0
access-list 110 permit ip 10.1.210.0 255.255.255.0 10.1.8.0 255.255.248.0
access-list 110 permit ip 10.1.210.0 255.255.255.0 10.0.8.0 255.255.248.0
access-list 110 permit ip 10.1.210.0 255.255.255.0 10.1.208.0 255.255.255.0
access-list 110 permit ip 10.1.210.0 255.255.255.0 10.1.209.0 255.255.255.0
access-list 110 permit ip 10.1.210.0 255.255.255.0 10.1.24.0 255.255.248.0
access-list 110 permit ip 10.1.210.0 255.255.255.0 10.1.211.0 255.255.255.0
access-list 110 permit ip 10.1.210.0 255.255.255.0 10.1.212.0 255.255.255.0
access-list 110 permit ip 10.1.210.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 110 permit ip 10.1.210.0 255.255.255.0 10.5.0.0 255.255.248.0
access-list 115 permit ip 10.1.210.0 255.255.255.0 10.1.8.0 255.255.248.0
access-list 115 permit ip 10.1.210.0 255.255.255.0 10.0.8.0 255.255.248.0
access-list 115 permit ip 10.1.210.0 255.255.255.0 10.1.24.0 255.255.248.0
access-list 120 permit ip 10.1.210.0 255.255.255.0 10.1.211.0 255.255.255.0
access-list 121 permit ip 10.1.210.0 255.255.255.0 10.1.208.0 255.255.255.0
access-list 122 permit ip 10.1.210.0 255.255.255.0 10.1.212.0 255.255.255.0
access-list 123 permit ip 10.1.210.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 124 deny tcp host 10.1.210.110 any eq aol
access-list 124 permit ip any any
access-list 124 permit esp any any

Where to go from here?

Thanks in Advance.

Ken
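To make the behaviour of the ACL above concrete, here is a small first-match evaluator for PIX-style access-list lines. It is an added example, not code from the thread or from Cisco, and it models only the subset of syntax the thread uses (any / host / network-mask address specs, an optional "eq" port, and the "ip" protocol keyword matching everything). It reproduces ACL 124 exactly as the sh run shows it, then a destination-based variant along the lines of Roland's fallback advice; the 192.0.2.0/24 block in that variant is a constructed placeholder (TEST-NET-1), not a real AOL range. Running it shows three things: the deny line does catch a connection to 5190, a client that falls back to another port (443 here) walks straight through "permit ip any any", and the "permit esp any any" line is never reached because "permit ip any any" already matches ESP.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords the PIX substitutes for well-known numbers when it echoes the
# config back: the "eq 5190" that was typed shows up as "eq aol" in "sh run".
PORT_NAMES = {"aol": 5190, "www": 80, "https": 443}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "esp", "icmp", ...
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str


def _addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one PIX address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_acl(config: str, name: str) -> List[Entry]:
    """Pull the entries of one numbered/named ACL out of a config dump, in order."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", name]:
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, dst = _addr(rest), _addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append(Entry(action, proto, src, dst, dport, line.strip()))
    return entries


def evaluate(entries: List[Entry], flow: Flow) -> Tuple[Optional[int], Optional[Entry]]:
    """First-match evaluation: return (index, entry) of the line that decides the
    flow, or (None, None) when the implicit deny at the end of the ACL applies."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for i, e in enumerate(entries):
        if e.proto != "ip" and e.proto != flow.proto:
            continue
        if src not in e.src or dst not in e.dst:
            continue
        if e.dport is not None and e.dport != flow.dport:
            continue
        return i, e
    return None, None


def decision(entries: List[Entry], flow: Flow) -> str:
    """'permit' or 'deny' for the flow; an unmatched flow hits the implicit deny."""
    _, e = evaluate(entries, flow)
    return e.action if e else "deny"


# ACL 124 exactly as it appears in the sh run output posted in the thread.
ACL_PORT_BASED = """
access-list 124 deny tcp host 10.1.210.110 any eq aol
access-list 124 permit ip any any
access-list 124 permit esp any any
"""

# Destination-based variant (constructed). 192.0.2.0/24 is a placeholder
# (TEST-NET-1) standing in for whatever range AIM's servers actually use.
ACL_DEST_BASED = """
access-list 125 deny ip host 10.1.210.110 192.0.2.0 255.255.255.0
access-list 125 permit ip any any
"""

if __name__ == "__main__":
    port_acl = parse_acl(ACL_PORT_BASED, "124")
    dest_acl = parse_acl(ACL_DEST_BASED, "125")
    aim_default = Flow("10.1.210.110", "192.0.2.10", "tcp", 5190)   # constructed
    aim_fallback = Flow("10.1.210.110", "192.0.2.10", "tcp", 443)   # constructed
    vpn = Flow("10.1.210.50", "10.5.0.1", "esp")                     # constructed
    for label, acl in (("port-based", port_acl), ("destination-based", dest_acl)):
        for f in (aim_default, aim_fallback):
            i, e = evaluate(acl, f)
            print(f"{label:17} {f.dst}:{f.dport} -> {decision(acl, f)} (line {i}: {e.text})")
    i, _ = evaluate(port_acl, vpn)
    print(f"esp traffic matched line {i}; the 'permit esp' on line 2 is never reached")
```

Two practical notes follow from this. First, because "permit ip any any" matches every protocol, the esp line after it is dead; if the intent is to deny everything except listed traffic, the deny and the specific permits have to come before the catch-all. Second, the excerpt above contains no access-group line for ACL 124, so it is worth confirming the ACL is actually bound to the inside interface before concluding that the rule itself is wrong.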
 
AIM can use just about any open port to communicate with AOL. Without using PIX 7.0 and using the inspection/IPS/application abuse tools, there's not much you can do to control this behavior.

If your user isn't all that swift, I would add a static host entry on his machine that points login.oscar.aol.com to 127.0.0.1. That would stop him dead in his tracks. This will work as long as you don't override DNS search methods locally with a group policy or something like that.

Kurt
 