https://community.cisco.com/t5/network-security/can-a-layer-4-policy-block-im-traffic-in-ios-firewall/m-p/1096042#M878430 <P>Hi experts,</P><P></P><P>My customer wants to allow messaging just for certain users IP and block it for anybody else. His configuration is something like the following:</P><P></P><P>class-map match-all msn</P><P> match protocol imap</P><P> match access-group name Permited_MSN</P><P></P><P>ip access-list extended Permited_MSN</P><P> deny ip host 192.168.1.x</P><P> permit ip any any</P><P>!</P><P>policy-map msnmap</P><P> class msn</P><P> drop</P><P></P><P>interface BVI1</P><P> ip address 192.168.1.1 255.255.255.0</P><P> ip pim dense-mode</P><P> ip nat inside</P><P> ip virtual-reassembly</P><P> service-policy input msnmap</P><P></P><P>Doing a show policy-map, we never see matched packets being dropped. </P><P></P><P>Cisco1811W#show policy-map interface bvi 1</P><P> BVI1</P><P> Service-policy input: msnmap</P><P></P><P> Class-map: msn (match-all)</P><P> 0 packets, 0 bytes</P><P> 5 minute offered rate 0 bps, drop rate 0 bps</P><P> Match: protocol imap</P><P> Match: access-group name Permited_MSN</P><P> drop</P><P> Class-map: class-default (match-any)</P><P> 1722583 packets, 929916071 bytes</P><P> 5 minute offered rate 612000 bps, drop rate 0 bps</P><P> Match: any</P><P></P><P>Should this configuration work? Can the router block MSN like traffic with a layer 4 policy or it is necessary to use zone-based with application policy? </P><P></P><P>Any comment on this is highly appreciated. </P><P></P> Mon, 11 Mar 2019 14:29:40 GMT jopontes 2019-03-11T14:29:40Z https://community.cisco.com/t5/network-security/can-a-layer-4-policy-block-im-traffic-in-ios-firewall/m-p/1096042#M878430 <P>Hi experts,</P><P></P><P>My customer wants to allow messaging just for certain users IP and block it for anybody else. His configuration is something like the following:</P><P></P><P>class-map match-all msn</P><P> match protocol imap</P><P> match access-group name Permited_MSN</P><P></P><P>ip access-list extended Permited_MSN</P><P> deny ip host 192.168.1.x</P><P> permit ip any any</P><P>!</P><P>policy-map msnmap</P><P> class msn</P><P> drop</P><P></P><P>interface BVI1</P><P> ip address 192.168.1.1 255.255.255.0</P><P> ip pim dense-mode</P><P> ip nat inside</P><P> ip virtual-reassembly</P><P> service-policy input msnmap</P><P></P><P>Doing a show policy-map, we never see matched packets being dropped. </P><P></P><P>Cisco1811W#show policy-map interface bvi 1</P><P> BVI1</P><P> Service-policy input: msnmap</P><P></P><P> Class-map: msn (match-all)</P><P> 0 packets, 0 bytes</P><P> 5 minute offered rate 0 bps, drop rate 0 bps</P><P> Match: protocol imap</P><P> Match: access-group name Permited_MSN</P><P> drop</P><P> Class-map: class-default (match-any)</P><P> 1722583 packets, 929916071 bytes</P><P> 5 minute offered rate 612000 bps, drop rate 0 bps</P><P> Match: any</P><P></P><P>Should this configuration work? Can the router block MSN like traffic with a layer 4 policy or it is necessary to use zone-based with application policy? </P><P></P><P>Any comment on this is highly appreciated. </P><P></P> Mon, 11 Mar 2019 14:29:40 GMT https://community.cisco.com/t5/network-security/can-a-layer-4-policy-block-im-traffic-in-ios-firewall/m-p/1096042#M878430 jopontes 2019-03-11T14:29:40Z https://community.cisco.com/t5/network-security/can-a-layer-4-policy-block-im-traffic-in-ios-firewall/m-p/1096043#M878431 <HTML><HEAD></HEAD><BODY><P>The class map "MSN" will not work, The config is trying to match imap AND the access-list. IMAP has nothing to do with MSN.</P><P></P><P>Confirmation it is not working is in the policy-map lines:</P><P></P><P>"0 packets, 0 bytes"</P><P></P><P>To be honest using QoS (which is the policy map) is not the way to block this type of traffic. MSN has specific ports - depending on the version. The latest versions of MSN or Live Messenger will use HTTP.</P><P></P><P>HTH&gt;</P></BODY></HTML> Fri, 26 Dec 2008 17:05:01 GMT https://community.cisco.com/t5/network-security/can-a-layer-4-policy-block-im-traffic-in-ios-firewall/m-p/1096043#M878431 andrew.prince 2008-12-26T17:05:01Z https://community.cisco.com/t5/network-security/can-a-layer-4-policy-block-im-traffic-in-ios-firewall/m-p/1096044#M878432 <HTML><HEAD></HEAD><BODY><P>Thank you Andrew!</P><P></P><P>I figured that this configuration had nothing to do with what the customer wants. </P><P></P><P>I am now configuring using the zone-based policies. </P><P></P><P>Configuring an Instant Messenger (IM) Policy </P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008060f6dd.html#wp1566338" target="_blank">http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008060f6dd.html#wp1566338</A></P><P></P><P>However, this seems to have only match-any clause, which does not give the option to tie an acl to take an action only on certain IP traffic.</P><P></P><P>Is there any other way to accomplish it? </P><P></P><P></P></BODY></HTML> Fri, 26 Dec 2008 17:47:11 GMT https://community.cisco.com/t5/network-security/can-a-layer-4-policy-block-im-traffic-in-ios-firewall/m-p/1096044#M878432 jopontes 2008-12-26T17:47:11Z https://community.cisco.com/t5/network-security/can-a-layer-4-policy-block-im-traffic-in-ios-firewall/m-p/1096045#M878433 <HTML><HEAD></HEAD><BODY><P>Mmmmm reading the link - I would kinda agree on that, however I have not had much experiance with the zone based firewall config. I do not have access to a router that supports this feature so cannot really see if multiple matches are available.</P><P></P><P>Sorry - perhaps another netpro has.</P><P></P><P>HTH&gt;</P></BODY></HTML> Fri, 26 Dec 2008 18:17:15 GMT https://community.cisco.com/t5/network-security/can-a-layer-4-policy-block-im-traffic-in-ios-firewall/m-p/1096045#M878433 andrew.prince 2008-12-26T18:17:15Z