https://community.cisco.com/t5/network-security/cisco-pix-501/m-p/338067#M549296 <HTML><HEAD></HEAD><BODY><P>This should be possible, I have seen that the SOHO97 Router supports standard in extended ACLs.</P><P></P><P>The only thing that you have to change is to replace the access-list name by a number, lets say 101 and then add the access-list to the right interface.</P><P></P><P>sincerely</P><P>Patrick</P></BODY></HTML> Thu, 14 Apr 2005 10:26:20 GMT Patrick Iseli 2005-04-14T10:26:20Z https://community.cisco.com/t5/network-security/cisco-pix-501/m-p/338063#M549292 <P>I have a CISCO PIX 501 Configured and working fine&#133;.</P><P>All I need is to block these things for my clients</P><P></P><P>YAHOO Messenger</P><P>MSN Messenger</P><P></P><P>And also I don&#146;t need to give www access ( Internet Browsing ) to few of my users.</P><P></P><P>But all must have access to use their outlook to send &#150; receive their e-mails.</P><P></P><P>Possible&#133;?? I am sure yeah it is possible..Can you tell me what commands I need to enter in my ACCESS-LIST.</P><P></P> Fri, 21 Feb 2020 08:04:39 GMT https://community.cisco.com/t5/network-security/cisco-pix-501/m-p/338063#M549292 ahmadnaveed 2020-02-21T08:04:39Z https://community.cisco.com/t5/network-security/cisco-pix-501/m-p/338064#M549293 <HTML><HEAD></HEAD><BODY><P>Naveed,</P><P></P><P>To stop MSN, add the following ACL to your inside interface:</P><P></P><P>access-list inside deny tcp any any eq 1863</P><P>access-list inside deny ip any 64.4.13.0 255.255.255.0</P><P>access-list inside deny ip any 207.46.110.0 255.255.255.0</P><P>access-list inside deny ip any 207.46.203.0 255.255.255.0</P><P>access-list inside permit ip any any</P><P>access-group inside in interface inside</P><P></P><P>Not too sure for Yahoo, but try a quick search on Google and I'm sure you'll find the apporiate IP addresses/ports to block.</P><P></P><P>On your other question on limiting www access for your internal users, what you can do is the following:</P><P></P><P>access-list inside permit tcp host <INSIDE_HOST_IP_ADDRESS> any eq www</INSIDE_HOST_IP_ADDRESS></P><P>...</P><P>...</P><P>access-list inside permit tcp host <INSIDE_HOST_IP_ADDRESS> any eq www</INSIDE_HOST_IP_ADDRESS></P><P>access-list inside deny tcp any any eq www</P><P>access-list inside permit ip any any</P><P>access-group inside in interface inside</P><P></P><P>The above will control which internal user has access to the internet, this is controlled by the inside_host_ip_address, ofcourse you'll need to make sure those internal ip addresses are static and not dynamic (DHCP).</P><P></P><P>Save with write mem and also, issue clear xlate.</P><P></P><P>Hope this helps and if it does please rate post.</P><P></P><P>Regards,</P><P></P><P>Jay</P></BODY></HTML> Wed, 13 Apr 2005 11:44:02 GMT https://community.cisco.com/t5/network-security/cisco-pix-501/m-p/338064#M549293 jmia 2005-04-13T11:44:02Z https://community.cisco.com/t5/network-security/cisco-pix-501/m-p/338065#M549294 <HTML><HEAD></HEAD><BODY><P>To block Internet access to a few internal hosts is easy.</P><P></P><P>example:</P><P># Block access to 192.168.1.10 and 11</P><P>access-list outbound deny tcp 192.168.1.10 255.255.255.0 any eq http</P><P>access-list outbound deny tcp 192.168.1.11 255.255.255.0 any eq http</P><P># Block MSN</P><P>access-list outbound deny tcp any any eq 1863</P><P>access-list outbound deny ip any 64.4.13.0 255.255.255.0</P><P># Block Yahoo</P><P>access-list outbound deny tcp any any eq 5050</P><P>access-list outbound deny tcp any any eq 5100</P><P>access-list outbound deny tcp any any eq 5001</P><P>access-list outbound deny tcp any any eq 5050</P><P># Permit all the rest</P><P>access-list outbound permit ip any any</P><P></P><P>access-group outbound in interface inside</P><P></P><P></P><P>Yahoo! Messenger Ports are:</P><P>- 5050 (outbound TCP)</P><P>- 5101 (inbound TCP)</P><P>- 5100 for webcam (TCP)</P><P>- 5001 for voice (TCP)</P><P>- For voice: cs1.yahoo.com, cs2.yahoo.com, and cs3.yahoo.com</P><P>- Yahoo will search ports 5050, 80, 20, 21, 25, 37 and 119 if 5050 is blocked </P><P></P><P>To block Yahoo and MSN messanger is quit complicate with PIX OS 6.3.x . They uses all kind of ports as http and https and even if you block some of them the will dynmicly find another port to connect to the server.</P><P></P><P>sincerely</P><P>Patrick</P></BODY></HTML> Wed, 13 Apr 2005 11:46:28 GMT https://community.cisco.com/t5/network-security/cisco-pix-501/m-p/338065#M549294 Patrick Iseli 2005-04-13T11:46:28Z https://community.cisco.com/t5/network-security/cisco-pix-501/m-p/338066#M549295 <HTML><HEAD></HEAD><BODY><P>Hi Patric</P><P></P><P>I`d like to block also this ports on my SOHO97 router.Can I do that. Does this router support it..</P><P>Can you help me with any sugestion</P><P></P><P>Thank You in Advance </P><P></P><P>Gjergji</P></BODY></HTML> Thu, 14 Apr 2005 08:35:40 GMT https://community.cisco.com/t5/network-security/cisco-pix-501/m-p/338066#M549295 gjergji_abcom 2005-04-14T08:35:40Z https://community.cisco.com/t5/network-security/cisco-pix-501/m-p/338067#M549296 <HTML><HEAD></HEAD><BODY><P>This should be possible, I have seen that the SOHO97 Router supports standard in extended ACLs.</P><P></P><P>The only thing that you have to change is to replace the access-list name by a number, lets say 101 and then add the access-list to the right interface.</P><P></P><P>sincerely</P><P>Patrick</P></BODY></HTML> Thu, 14 Apr 2005 10:26:20 GMT https://community.cisco.com/t5/network-security/cisco-pix-501/m-p/338067#M549296 Patrick Iseli 2005-04-14T10:26:20Z https://community.cisco.com/t5/network-security/cisco-pix-501/m-p/338068#M549297 <HTML><HEAD></HEAD><BODY><P>Partic,</P><P></P><P>I blocked all the ports that you sugested but yahoo and msn still connects maybe they try another port and connects through that port..</P><P></P><P>Gjergji</P></BODY></HTML> Fri, 15 Apr 2005 07:24:44 GMT https://community.cisco.com/t5/network-security/cisco-pix-501/m-p/338068#M549297 gjergji_abcom 2005-04-15T07:24:44Z https://community.cisco.com/t5/network-security/cisco-pix-501/m-p/338069#M549298 <HTML><HEAD></HEAD><BODY><P>MSN uses HTTP nd HTTPS to tunnel their traffic. This protocols cannot be inspected at the application layer with an Access-list of a Router or PIX OS 6.3.x and lower.</P><P></P><P>With PIX OS 7.0 this has changedand it is now possible to inspect the HTTP Protocol and block that kind of traffic.</P><P></P><P>Sorry but I would need a packet sniffer to analyse the traffic and to find a new way to block that.</P><P>I do not have time right now for that but will do it later, in a couple of days....???</P><P></P><P>Does anybody still has a working way to block that traffic?</P><P></P><P>sincerely</P><P>Patrick</P></BODY></HTML> Fri, 15 Apr 2005 14:51:13 GMT https://community.cisco.com/t5/network-security/cisco-pix-501/m-p/338069#M549298 Patrick Iseli 2005-04-15T14:51:13Z