How to Block IRC/MSN/P2P/yahoo mess etc. Pix 515 Please Help

Guest_imported

Hello

Could someone help me block the above? I don't want to add a whole range of access-lists etc. Is this the only way? Is it possible to just remove a fixup protocol? Why doesn't the PIX come configured with everything blocked, so that you then build your policy up from what you do need?

Thanks in advance!!

Pix Newbie!!
 
HI.

Yes, as rubbaninja wrote - this is the way.

Here is a sample to start with:

access-list frominside permit udp any any eq 53
access-list frominside permit tcp any any eq 53
access-list frominside permit tcp any any eq 80
access-list frominside permit tcp any any eq 443
access-list frominside permit tcp any any eq smtp
access-list frominside permit tcp any any eq ftp
etc...
access-group frominside in interface inside

This will not block all P2P applications, but will give you a good head start.

And, you will need to test it, so add these also:

logging on
logging buffer 4

And view the log:
show log

Or better use PDM logging and/or SYSLOG server which can give you few more options.

Look for traffic blocked by the access list frominside and see if you need to open additional ports.

Bye
Yizhar Hurwitz
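To follow the advice above and look for traffic blocked by the frominside list, here is an added example (not from this thread) that parses PIX %PIX-4-106023 deny messages as a syslog server would receive them and tallies the denied destination ports per inside host. The log lines are constructed samples, and the field layout assumes the PIX 6.x 106023 message format.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the PIX 6.x %PIX-4-106023 format (not real captures).
# The 1863/TCP denies are what MSN Messenger attempts look like when the
# "frominside" list blocks them; the other lines show different ports and a non-deny message.
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src inside:192.168.1.20/3301 dst outside:198.51.100.10/1863 by access-group "frominside"
%PIX-4-106023: Deny tcp src inside:192.168.1.20/3302 dst outside:198.51.100.10/1863 by access-group "frominside"
%PIX-4-106023: Deny tcp src inside:192.168.1.31/1044 dst outside:203.0.113.5/5190 by access-group "frominside"
%PIX-4-106023: Deny udp src inside:192.168.1.31/1045 dst outside:203.0.113.7/6881 by access-group "frominside"
%PIX-4-106023: Deny tcp src inside:192.168.1.40/2233 dst outside:192.0.2.9/1863 by access-group "frominside"
%PIX-6-302013: Built outbound TCP connection 1234 for outside:192.0.2.9/80 (192.0.2.9/80) to inside:192.168.1.40/2234 (192.168.1.40/2234)
"""

# Message 106023: Deny <proto> src <if>:<addr>/<port> dst <if>:<addr>/<port> by access-group "<acl>"
DENY_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)

def parse_denies(text, acl="frominside"):
    """Return one dict of fields per 106023 deny line attributed to the given access-group."""
    hits = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m and m.group("acl") == acl:
            hits.append(m.groupdict())
    return hits

def denied_ports(hits):
    """Count denies per (protocol, destination port) so the busiest blocked ports stand out."""
    return Counter((h["proto"], int(h["dport"])) for h in hits)

def sources_for_port(hits, dport):
    """List the inside hosts that were denied on the given destination port."""
    return sorted({h["src"] for h in hits if int(h["dport"]) == dport})

if __name__ == "__main__":
    hits = parse_denies(SAMPLE_LOG)
    for (proto, port), n in denied_ports(hits).most_common():
        print(f"{proto}/{port}: {n} denies from {sources_for_port(hits, port)}")
```

Ports that show up here with many hits are either applications you meant to block (leave them denied) or something legitimate you still need to permit in the frominside list.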
 
Yizhar

I have installed the access-list and also bound it to an access-group as told. At the moment I'm still able to connect to MSN, but I do see hits on the access-list deny for 1863 when I connect to MSN. Do I have to block some other ports also?

Thanks in advance.

 
Messaging / chat application ports:

* MSN Messenger Service: TCP port 1863
* AOL Instant Messenger (AIM): TCP port 5190
* IRC: TCP port 194
 
HI.

Many newer P2P programs are firewall aware, and some of them can adapt to different sessions, including using port 80.

Here are some optional solutions:
* Use a proxy server and only allow it to go out.
* Block P2P applications that use ports like 80 (which you want to leave open), by blocking ip addresses of servers.

Also search this forum. That issue has been discussed several times, and you can find more info about it here.

Bye


Yizhar Hurwitz
 
We have done the same here at our company, but what we've done is blocked access to the subnets that the MSN, Morpheus, ICQ, and other P2P servers use. ICQ uses predefined ports... B-)

=====================
hack4free@hotmail.com
=====================
 