https://community.cisco.com/t5/network-security/how-to-block-instant-messaging-applications-socks-protocol-on-my/m-p/525315#M525752 <HTML><HEAD></HEAD><BODY><P>Hi Patrick</P><P></P><P>Thank you very much. It is good now.</P><P>I have three small questions please </P><P>1- I don't know how tu use "netstat" command to see what servers messenger is connecting to.</P><P>2- How I can see the statistics about my "acl-inside"</P><P>3- After changing my TFTP server IP address on my Pix, I'm not able to save Pix configuration on my tftp server. I have the following error message "Building configuration </P><P>TFTP write /FAS/Pixconf at 10.75.3.13 on interface 1 Timed out attempting to connect"</P><P>[FAILED]</P><P></P><P>Regards</P><P>Ferdinand</P><P></P></BODY></HTML> Tue, 11 Apr 2006 08:02:36 GMT fmemevegny 2006-04-11T08:02:36Z https://community.cisco.com/t5/network-security/how-to-block-instant-messaging-applications-socks-protocol-on-my/m-p/525307#M525732 <P>I would like to block all instant messaging applications trafic on my pix 515. Some of them use socks protocol. Can someone help me to block these applications or this socks protocol on my pix 515 ?</P><P>Regards</P><P></P> Fri, 21 Feb 2020 08:49:35 GMT https://community.cisco.com/t5/network-security/how-to-block-instant-messaging-applications-socks-protocol-on-my/m-p/525307#M525732 fmemevegny 2020-02-21T08:49:35Z https://community.cisco.com/t5/network-security/how-to-block-instant-messaging-applications-socks-protocol-on-my/m-p/525308#M525736 <HTML><HEAD></HEAD><BODY><P>This was just answered by a thread below. </P><P></P><P></P><P>object-group service MSN_Messenger_tcp tcp </P><P>description MSN Messenger tries to use these ports </P><P>port-object eq www </P><P>port-object eq 1863 </P><P>port-object eq 7001 </P><P></P><P>object-group network MSN_Messenger_hosts </P><P>description hosts that MSN Messenger lives on </P><P>network-object 65.54.195.0 255.255.255.0 </P><P>network-object 65.54.225.0 255.255.255.0 </P><P>network-object 65.54.226.0 255.255.254.0 </P><P>network-object 65.54.228.0 255.255.254.0 </P><P>network-object host 65.54.240.61 </P><P>network-object host 65.54.240.62 </P><P>network-object 207.46.104.0 255.255.252.0 </P><P>network-object 207.46.108.0 255.255.255.0 </P><P>network-object 207.68.171.0 255.255.255.0 </P><P></P><P></P><P>access-list acl-inside deny tcp any object-group MSN_Messenger_hosts object-group MSN_Messenger_tcp </P><P></P><P>Apply this to an acl on your inside interface.</P><P></P><P>Patrick</P></BODY></HTML> Thu, 06 Apr 2006 22:37:42 GMT https://community.cisco.com/t5/network-security/how-to-block-instant-messaging-applications-socks-protocol-on-my/m-p/525308#M525736 Patrick Laidlaw 2006-04-06T22:37:42Z https://community.cisco.com/t5/network-security/how-to-block-instant-messaging-applications-socks-protocol-on-my/m-p/525309#M525739 <HTML><HEAD></HEAD><BODY><P>Thank you very much for your help.</P><P>Regards</P><P></P></BODY></HTML> Fri, 07 Apr 2006 16:31:00 GMT https://community.cisco.com/t5/network-security/how-to-block-instant-messaging-applications-socks-protocol-on-my/m-p/525309#M525739 fmemevegny 2006-04-07T16:31:00Z https://community.cisco.com/t5/network-security/how-to-block-instant-messaging-applications-socks-protocol-on-my/m-p/525310#M525742 <HTML><HEAD></HEAD><BODY><P>Ferdinand,</P><P></P><P>Was wondering if you would rate this solution or check it if this solved your problem.</P><P></P><P>Patrick</P></BODY></HTML> Fri, 07 Apr 2006 20:06:40 GMT https://community.cisco.com/t5/network-security/how-to-block-instant-messaging-applications-socks-protocol-on-my/m-p/525310#M525742 Patrick Laidlaw 2006-04-07T20:06:40Z https://community.cisco.com/t5/network-security/how-to-block-instant-messaging-applications-socks-protocol-on-my/m-p/525311#M525746 <HTML><HEAD></HEAD><BODY><P>Hi Patrick</P><P></P><P>I correctly do what you tell me, but after applying the ACL on my inside interface, Internet access become impossible ; users cannot accede to Internet.</P><P>Can you tell why ?</P><P>I need your help please.</P><P></P><P>Regards</P><P>Ferdinand</P><P></P></BODY></HTML> Mon, 10 Apr 2006 16:25:19 GMT https://community.cisco.com/t5/network-security/how-to-block-instant-messaging-applications-socks-protocol-on-my/m-p/525311#M525746 fmemevegny 2006-04-10T16:25:19Z https://community.cisco.com/t5/network-security/how-to-block-instant-messaging-applications-socks-protocol-on-my/m-p/525312#M525748 <HTML><HEAD></HEAD><BODY><P>If you apply an explicit deny to the interface you also need to put an explicit permit. Did you apply this on the inside interface going out? If so, you need an </P><P></P><P>access-list (ACLNAME) permit ip any any </P></BODY></HTML> Mon, 10 Apr 2006 19:08:10 GMT https://community.cisco.com/t5/network-security/how-to-block-instant-messaging-applications-socks-protocol-on-my/m-p/525312#M525748 joneschw1 2006-04-10T19:08:10Z https://community.cisco.com/t5/network-security/how-to-block-instant-messaging-applications-socks-protocol-on-my/m-p/525313#M525750 <HTML><HEAD></HEAD><BODY><P>Thanks</P><P></P><P>I have not put an explicit permit. I will do it tomorrow and will inform you.</P><P>However when I apply the ACL on the inside interface going out, I have error. But when I apply it on the inside interface going in, I have no error. </P><P>Can you tell me why ?</P><P>Thank you for your help</P><P></P><P>Regards</P><P>Ferdinand</P><P></P><P></P><P></P><P></P></BODY></HTML> Mon, 10 Apr 2006 20:01:28 GMT https://community.cisco.com/t5/network-security/how-to-block-instant-messaging-applications-socks-protocol-on-my/m-p/525313#M525750 fmemevegny 2006-04-10T20:01:28Z https://community.cisco.com/t5/network-security/how-to-block-instant-messaging-applications-socks-protocol-on-my/m-p/525314#M525751 <HTML><HEAD></HEAD><BODY><P>Ferdinand,</P><P></P><P>access-list acl-inside deny tcp any object-group MSN_Messenger_hosts object-group MSN_Messenger_tcp</P><P>access-list acl-inside permit ip any any</P><P></P><P>Sorry I was just giving you the exact line that you would need to block msn messenger. You may have to add more to your Messenger Hosts object group depending on the servers you connect to. The easiest way to do this is by running netstat on your pc to see what servers messenger is connecting to.</P><P></P><P>Patrick</P></BODY></HTML> Mon, 10 Apr 2006 22:03:54 GMT https://community.cisco.com/t5/network-security/how-to-block-instant-messaging-applications-socks-protocol-on-my/m-p/525314#M525751 Patrick Laidlaw 2006-04-10T22:03:54Z https://community.cisco.com/t5/network-security/how-to-block-instant-messaging-applications-socks-protocol-on-my/m-p/525315#M525752 <HTML><HEAD></HEAD><BODY><P>Hi Patrick</P><P></P><P>Thank you very much. It is good now.</P><P>I have three small questions please </P><P>1- I don't know how tu use "netstat" command to see what servers messenger is connecting to.</P><P>2- How I can see the statistics about my "acl-inside"</P><P>3- After changing my TFTP server IP address on my Pix, I'm not able to save Pix configuration on my tftp server. I have the following error message "Building configuration </P><P>TFTP write /FAS/Pixconf at 10.75.3.13 on interface 1 Timed out attempting to connect"</P><P>[FAILED]</P><P></P><P>Regards</P><P>Ferdinand</P><P></P></BODY></HTML> Tue, 11 Apr 2006 08:02:36 GMT https://community.cisco.com/t5/network-security/how-to-block-instant-messaging-applications-socks-protocol-on-my/m-p/525315#M525752 fmemevegny 2006-04-11T08:02:36Z