
block google talk on a pix

Status
Not open for further replies.

aschwartz71

Technical User
Jun 3, 2006
32
US
I have a PIX 515 firewall, and I am pretty new to these; I currently only know how to use the GUI (ASDM), and barely at that. I need to block the Google Talk application. I was able to block the web-based version in Gmail (just the chat, not Gmail itself). I am not sure how to do this. I don't want to block anything but the Google chat itself; is there a way to do this?
 
You'll need to create an Access Control List to block the traffic. Here's a little reading from Google's support page regarding the necessary ports for IM:
In order to connect to Google Talk and start sending IMs, you'll need to enable TCP connections to talk.google.com on port 5222, or on port 443.
We would need to see a scrubbed copy of your current PIX config to see what ACLs you currently have in place so that we can make recommendations.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Here is my running config with server names and IPs blanked, and I removed a bit of the middle, where it listed remarks of all of my sites and translations:
Result of the command: "show running-config"

: Saved
:
PIX Version 8.0(3)12
!
hostname fw-srb-us-001
domain-name wst.local
enable password * encrypted
passwd * encrypted
names
name 10.2.0.0 nw-mis-ca-001
name 10.1.0.0 nw-srb-us-001
name 172.16.0.0 nw-srb-us-002
name 172.16.0.2 server002 description Blackberry server
name 172.16.0.4 server004 description Exchange server
name 172.16.0.20 server020
name 10.1.30.0 VPN_Home_access
name 10.1.30.128 VPN_IT_Access
name 172.16.0.42 server042 description Websense Email filter
name 172.16.0.30 server030
dns-guard
!
interface Ethernet0
nameif Outside
security-level 0
ip address outside 255.255.255.128 standby outside
ospf cost 10
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.24.1 255.255.224.0 standby 10.1.24.2
ospf cost 10
!
boot system flash:/pix.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 172.16.0.1
domain-name wst.local
object-group service ACLG-PublicWebService tcp
port-object eq www
port-object eq https
object-group service ACLG-TerminalService tcp
port-object eq 3389
object-group service ACLG-PublicFTPService tcp
port-object eq ftp
object-group service ACLG-Public-EDI_In tcp
port-object eq 5080
port-object eq www
port-object eq https
object-group service ACLG-Public-EDI_Out tcp
port-object eq 5080
port-object eq ftp
port-object eq www
port-object eq https
port-object range 6366 6419
object-group network ng-srb-us-001
network-object nw-srb-us-001 255.255.224.0
network-object nw-srb-us-002 255.255.0.0
object-group service DM_INLINE_TCP_1 tcp
port-object eq 1537
port-object eq 1570
object-group network DM_INLINE_NETWORK_1
network-object nw-srb-us-001 255.255.224.0
network-object nw-srb-us-002 255.255.0.0
object-group network DM_INLINE_NETWORK_2
network-object nw-srb-us-001 255.255.224.0
network-object nw-srb-us-002 255.255.0.0
object-group network DM_INLINE_NETWORK_3
network-object host server020
network-object host server004
network-object host server042
object-group service test85 tcp
port-object eq 85
access-list inside_access_in extended permit tcp any any eq telnet
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 any eq smtp
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any any eq https
access-list inside_access_in extended permit tcp any any eq ftp
access-list inside_access_in extended permit udp any IP0 255.255.255.128 eq snmp
access-list inside_access_in extended permit tcp any any eq aol
access-list inside_access_in extended permit udp any any eq ntp
access-list inside_access_in extended permit tcp any any eq 1863
access-list inside_access_in remark IBM Director
access-list inside_access_in extended permit tcp any any eq 7618
access-list inside_access_in extended permit icmp any any echo
access-list inside_access_in extended permit icmp any any echo-reply
access-list inside_access_in extended permit tcp any any eq domain
access-list inside_access_in extended permit udp any any eq domain
access-list inside_access_in extended permit tcp host 172.16.0.19 any eq 3101
access-list inside_access_in extended permit tcp host 172.16.0.225 any object-group ACLG-Public-EDI_Out
access-list inside_access_in extended permit ip any nw-mis-ca-001 255.255.224.0
access-list inside_access_in extended permit tcp any any object-group test85
access-list inside_access_in remark IBM Director
access-list inside_access_in remark IBM Director
access-list inside_access_in remark IBM Director
access-list inside_access_in remark IBM Director
access-list inside_access_in remark IBM Director
access-list inside_access_in remark IBM Director
access-list inside_access_in remark IBM Director
access-list inside_access_in remark IBM Director
access-list inside_access_in remark IBM Director
access-list inside_access_in remark IBM Director
access-list inside_access_in remark IBM Director
access-list Outside_access_in remark Terminal Services to server038
access-list Outside_access_in extended permit tcp any host IP4 object-group ACLG-TerminalService
access-list Outside_access_in remark Terminal Services to server026
access-list Outside_access_in extended permit tcp any host IP5 object-group ACLG-TerminalService
access-list Outside_access_in remark Terminal Services to server039
access-list Outside_access_in extended permit tcp any host IP11 object-group ACLG-TerminalService

access-list Outside_access_in extended permit tcp any host IP122 eq https
access-list Outside_access_in extended permit tcp VPN_Home_access 255.255.255.128 host 172.16.0.9 eq 3389
access-list Outside_access_in extended deny ip VPN_Home_access 255.255.255.128 any
access-list Outside_access_in extended permit ip VPN_IT_Access 255.255.255.128 any
access-list Outside_access_in extended permit ip nw-mis-ca-001 255.255.224.0 any
access-list Outside_access_in extended permit icmp any any echo
access-list Outside_access_in extended permit icmp any any echo-reply
access-list Outside_access_in remark Terminal Services to server038
access-list Outside_access_in remark Vendornet.Programmers.com
access-list Outside_access_in remark Terminal Services to server009
access-list Outside_access_in remark Terminal Services to server039

access-list inside_nat0_outbound extended permit ip any VPN_Home_access 255.255.255.128
access-list inside_nat0_outbound extended permit ip any VPN_IT_Access 255.255.255.128
access-list inside_nat0_outbound extended permit ip nw-srb-us-002 255.255.0.0 VPN_Home_access 255.255.255.128
access-list inside_nat0_outbound extended permit ip any nw-mis-ca-001 255.255.224.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_2 nw-mis-ca-001 255.255.224.0
access-list Local_LAN_Shrewsburry standard permit nw-srb-us-001 255.255.224.0
access-list Local_LAN_Shrewsburry standard permit nw-srb-us-002 255.255.0.0
access-list Outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 nw-mis-ca-001 255.255.224.0
access-list Outside_1_cryptomap extended permit ip object-group ng-srb-us-001 nw-mis-ca-001 255.255.224.0
pager lines 24
logging enable
logging asdm warnings
mtu Outside 1500
mtu inside 1500
ip local pool vpn-temp 10.1.1.0-10.1.1.255 mask 255.255.255.0
ip local pool vpn-home 10.1.30.1-10.1.30.127 mask 255.255.255.128
ip local pool vpn-it VPN_IT_Access-10.1.30.255 mask 255.255.255.128
ip verify reverse-path interface Outside
ip verify reverse-path interface inside
failover
failover lan unit primary
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 IP3 netmask 255.255.255.128
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,Outside) IP4 172.16.30.4 netmask 255.255.255.255
static (inside,Outside) IP5 172.16.30.5 netmask 255.255.255.255
static (inside,Outside) IP11 172.16.30.11 netmask 255.255.255.255
static (inside,Outside) IP16 172.16.1.233 netmask 255.255.255.255
static (inside,Outside) IP18 172.16.30.18 netmask 255.255.255.255
static (inside,Outside) IP19 172.16.30.19 netmask 255.255.255.255
static (inside,Outside) IP29 172.16.30.29 netmask 255.255.255.255
static (inside,Outside) IP30 172.16.30.30 netmask 255.255.255.255
static (inside,Outside) IP33 172.16.30.33 netmask 255.255.255.255
static (inside,Outside) IP34 172.16.30.34 netmask 255.255.255.255
static (inside,Outside) IP38 172.16.30.38 netmask 255.255.255.255
static (inside,Outside) IP42 172.16.30.42 netmask 255.255.255.255
static (inside,Outside) IP46 172.16.30.46 netmask 255.255.255.255
static (inside,Outside) IP50 172.16.30.50 netmask 255.255.255.255
static (inside,Outside) IP53 172.16.30.53 netmask 255.255.255.255
static (inside,Outside) IP54 172.16.30.54 netmask 255.255.255.255
static (inside,Outside) IP60 172.16.1.25 netmask 255.255.255.255
static (inside,Outside) IP61 172.16.30.61 netmask 255.255.255.255
static (inside,Outside) IP62 172.16.30.62 netmask 255.255.255.255
static (inside,Outside) IP65 172.16.30.65 netmask 255.255.255.255
static (inside,Outside) IP66 172.16.30.66 netmask 255.255.255.255
static (inside,Outside) IP69 172.16.30.69 netmask 255.255.255.255
static (inside,Outside) IP70 172.16.30.70 netmask 255.255.255.255
static (inside,Outside) IP73 172.16.30.73 netmask 255.255.255.255
static (inside,Outside) IP74 172.16.30.74 netmask 255.255.255.255
static (inside,Outside) IP76 172.16.30.76 netmask 255.255.255.255
static (inside,Outside) IP77 172.16.30.77 netmask 255.255.255.255
static (inside,Outside) IP78 172.16.30.78 netmask 255.255.255.255
static (inside,Outside) IP80 172.16.30.80 netmask 255.255.255.255
static (inside,Outside) IP81 172.16.30.81 netmask 255.255.255.255
static (inside,Outside) IP82 172.16.30.82 netmask 255.255.255.255
static (inside,Outside) IP83 172.16.30.83 netmask 255.255.255.255
static (inside,Outside) IP84 172.16.30.84 netmask 255.255.255.255
static (inside,Outside) IP85 172.16.30.85 netmask 255.255.255.255
static (inside,Outside) IP86 172.16.30.86 netmask 255.255.255.255
static (inside,Outside) IP89 172.16.30.89 netmask 255.255.255.255
static (inside,Outside) IP90 172.16.30.90 netmask 255.255.255.255
static (inside,Outside) IP92 172.16.30.92 netmask 255.255.255.255
static (inside,Outside) IP93 172.16.30.93 netmask 255.255.255.255
static (inside,Outside) IP94 172.16.30.94 netmask 255.255.255.255
static (inside,Outside) IP97 172.16.30.97 netmask 255.255.255.255
static (inside,Outside) IP98 172.16.30.98 netmask 255.255.255.255
static (inside,Outside) IP99 172.16.30.99 netmask 255.255.255.255
static (inside,Outside) IP100 172.16.30.100 netmask 255.255.255.255
static (inside,Outside) IP102 172.16.30.102 netmask 255.255.255.255
static (inside,Outside) IP103 172.16.30.103 netmask 255.255.255.255
static (inside,Outside) IP104 172.16.30.104 netmask 255.255.255.255
static (inside,Outside) IP105 172.16.30.105 netmask 255.255.255.255
static (inside,Outside) IP106 172.16.30.106 netmask 255.255.255.255
static (inside,Outside) IP107 172.16.30.107 netmask 255.255.255.255
static (inside,Outside) IP108 172.16.30.108 netmask 255.255.255.255
static (inside,Outside) IP109 172.16.30.109 netmask 255.255.255.255
static (inside,Outside) IP110 172.16.30.110 netmask 255.255.255.255
static (inside,Outside) IP111 172.16.30.111 netmask 255.255.255.255
static (inside,Outside) IP112 172.16.30.112 netmask 255.255.255.255
static (inside,Outside) IP113 172.16.30.113 netmask 255.255.255.255
static (inside,Outside) IP114 172.16.30.114 netmask 255.255.255.255
static (inside,Outside) IP117 172.16.30.117 netmask 255.255.255.255
static (inside,Outside) IP121 172.16.0.88 netmask 255.255.255.255
static (inside,Outside) IP122 172.16.30.122 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group inside_access_in in interface inside
route Outside 0.0.0.0 0.0.0.0 IP1 1
route inside nw-srb-us-001 255.255.224.0 10.1.249.1 1
route inside nw-srb-us-002 255.255.0.0 10.1.23.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server RSA protocol sdi
aaa-server RSA (inside) host 172.16.0.16
aaa-server AD protocol nt
aaa-server AD (inside) host 172.16.0.1
nt-auth-domain-controller 172.16.0.1
http server enable
http 0.0.0.0 0.0.0.0 inside
snmp-server host inside server002 community public version 2c
snmp-server location US-Shrewsbury
snmp-server contact MIS Department
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps entity config-change
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs group7
crypto map Outside_map 1 set peer 207.236.81.82
crypto map Outside_map 1 set transform-set ESP-AES-256-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 50
authentication pre-share
encryption aes-256
hash sha
group 7
lifetime 86400
crypto isakmp policy 70
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics
ntp server 172.16.0.1 source inside prefer
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 172.16.0.1
dns-server value 172.16.0.1
vpn-tunnel-protocol l2tp-ipsec
default-domain value paradise.com
group-policy vpn-home-tunnel internal
group-policy vpn-home-tunnel attributes
dns-server value 172.16.0.1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Local_LAN_Shrewsburry
default-domain value wst.local
group-policy vpn-it-tunnel internal
group-policy vpn-it-tunnel attributes
wins-server value 172.16.0.1
dns-server value 172.16.0.1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Local_LAN_Shrewsburry
default-domain value wst.local
group-policy vpn-ms-tunnel internal
group-policy vpn-ms-tunnel attributes
wins-server value 172.16.0.1
dns-server value 172.16.0.1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Local_LAN_Shrewsburry
default-domain value paradise.com
tunnel-group DefaultRAGroup general-attributes
authentication-server-group AD
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group vpn-home-tunnel type remote-access
tunnel-group vpn-home-tunnel general-attributes
address-pool vpn-home
authentication-server-group RSA
default-group-policy vpn-home-tunnel
tunnel-group vpn-home-tunnel ipsec-attributes
pre-shared-key *
tunnel-group vpn-it-tunnel type remote-access
tunnel-group vpn-it-tunnel general-attributes
address-pool vpn-it
authentication-server-group RSA
default-group-policy vpn-it-tunnel
tunnel-group vpn-it-tunnel ipsec-attributes
pre-shared-key *
tunnel-group vpn-ms-tunnel type remote-access
tunnel-group vpn-ms-tunnel general-attributes
address-pool vpn-home
authentication-server-group AD
default-group-policy vpn-ms-tunnel
tunnel-group vpn-ms-tunnel ipsec-attributes
pre-shared-key *
tunnel-group 207.236.81.82 type ipsec-l2l
tunnel-group 207.236.81.82 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1a12c505a46af0ad40f496706ab52244
: end
 
Ok you'll want to do something like this:
Code:
PIX(config)# access-list inside_access_in line 1 remark Deny IM traffic to talk.google.com
PIX(config)# access-list inside_access_in line 2 extended deny tcp any host 216.239.51.125 eq https
PIX(config)# access-list inside_access_in line 3 extended deny tcp any host 216.239.51.125 eq 5222
I also see that you have Websense available. Do you only have it configured to do filtering on SMTP traffic? If you can configure it to work with IM traffic it may be a better fit than what I've proposed above since addresses can change and port numbers can change over time.

Also, a computer use policy sent down from the powers that be can work wonders in situations like this. You can always create an ACE in your ACL to log all Google Talk traffic so that you can bust the lawbreakers.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
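The suggestion above inserts the deny entries at lines 1-3 of inside_access_in, ahead of the existing permit tcp any any eq https, because the PIX evaluates an ACL top-down and stops at the first matching entry. The script below is an added example written for this thread, not code from the thread or from Cisco: a small first-match evaluator for the extended-ACL syntax used here. The ACL text it parses is constructed from the posted config plus the suggested entries (with a log keyword on the 5222 deny, as the reply suggests for spotting users); the client address and the second destination address are made up, and 216.239.51.125 is used only because the reply quotes it.

```python
"""First-match evaluator for PIX/ASA-style extended ACLs (added example).

Models just enough of "access-list NAME [line N] extended {permit|deny}
PROTO SRC [eq P] DST [eq P] [log]" to show why the Google Talk denies must
sit above the broad "permit tcp any any eq https" entry.
"""
import ipaddress
import re

# Symbolic port names that appear in the thread's config, mapped to numbers.
PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "telnet": 23, "smtp": 25,
              "domain": 53, "ntp": 123, "snmp": 161}

# Constructed ACL modelled on inside_access_in, denies inserted at the top.
SAMPLE_ACL = """
access-list inside_access_in line 1 remark Deny IM traffic to talk.google.com
access-list inside_access_in line 2 extended deny tcp any host 216.239.51.125 eq https
access-list inside_access_in line 3 extended deny tcp any host 216.239.51.125 eq 5222 log
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any any eq https
access-list inside_access_in extended permit udp any any eq domain
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(?:line\s+\d+\s+)?(remark\b.*|extended\s+.*)$")


def _parse_addr(tokens, i):
    """Consume an address spec (any | host A | A MASK) starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq PORT' at tokens[i]; None means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acl(text):
    """Parse ACL text into an ordered list of ACE dicts; remarks are skipped."""
    aces = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line}")
        name, body = m.groups()
        if body.startswith("remark"):
            continue  # remarks never match traffic
        tokens = body.split()          # extended ACTION PROTO SRC [eq P] DST [eq P] [log]
        action, proto = tokens[1], tokens[2]
        src, i = _parse_addr(tokens, 3)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        log = i < len(tokens) and tokens[i] == "log"
        aces.append({"name": name, "action": action, "proto": proto, "src": src,
                     "sport": sport, "dst": dst, "dport": dport, "log": log,
                     "implicit": False, "text": line})
    return aces


def evaluate(aces, proto, src_ip, dst_ip, dst_port):
    """Return the first ACE matching the flow, or the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dst_port:
            continue
        return ace
    return {"action": "deny", "log": False, "implicit": True,
            "text": "<implicit deny at end of ACL>"}


def first_match_demo():
    """Evaluate Google Talk flows against the denies placed at the top and at the bottom."""
    top = parse_acl(SAMPLE_ACL)
    lines = SAMPLE_ACL.strip().splitlines()
    bottom = parse_acl("\n".join(lines[3:] + lines[1:3]))  # same ACEs, denies appended last
    client, gtalk, other = "10.1.24.50", "216.239.51.125", "198.51.100.10"  # constructed
    return {
        "top_gtalk_443": evaluate(top, "tcp", client, gtalk, 443),
        "top_gtalk_5222": evaluate(top, "tcp", client, gtalk, 5222),
        "top_other_443": evaluate(top, "tcp", client, other, 443),
        "top_gtalk_udp_5222": evaluate(top, "udp", client, gtalk, 5222),
        "bottom_gtalk_443": evaluate(bottom, "tcp", client, gtalk, 443),
        "bottom_gtalk_5222": evaluate(bottom, "tcp", client, gtalk, 5222),
    }


if __name__ == "__main__":
    for flow, ace in first_match_demo().items():
        print(f"{flow:20s} -> {ace['action']:6s} via {ace['text']}")
```

Running it shows the point of the "line 1/2/3" placement: with the denies at the top, both 443 and 5222 to the Google Talk host are dropped while 443 to any other host is still permitted; with the same denies appended at the bottom, the 443 flow slips through on permit tcp any any eq https, and only the 5222 deny still takes effect because nothing above it permits that port. The UDP 5222 case falls through to the implicit deny, since no entry permits it.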
 
I am using SurfControl for web filtering, but it doesn't pick up anything from gtalk. I was able to block it so that the Gmail chat stopped, but this one still works. I guess I could call them and see if they have any ideas.
 