Beginner

Cisco ASA 5510 How to go about blocking ports

Hello Experts,

We're in a bit of a pickle here. We've been trying to get our ASA here to block the ports affiliated with BitTorrent using a Cisco ASA 5510. The biggest problem is that none of us have really been familiar with this type of hardware. We'd like it to block BitTorrent and other P2P-based traffic, and also email us whenever someone on the network tries to use BitTorrent, with their IP and/or MAC address. Any suggestions or commands to use in order to utilize our ASA to its full potential?

Accepted Solution
Beginner

Re: Cisco ASA 5510 How to go about blocking ports

After several talks with Cisco in regards to how to go about blocking these custom ports, the most effective solution is this:

! Tracker announce requests carry info_hash= in the query string
regex bit-torrent-tracker ".*[Ii][Nn][Ff][Oo]_[Hh][Aa][Ss][Hh]=.*"
!
object-group service BitTorrent-Tracker tcp
 description TCP Ports used by Bit Torrent for tracker communication
 port-object eq 2710
 port-object eq 6969
!
object-group service Blocked-UDP-Ports udp
 port-object range 10001 65535
 port-object range 1024 9999
!
! Deny entries are logged at the warnings level so hits can be reported
access-list inside-out extended deny tcp any any object-group BitTorrent-Tracker log warnings
access-list inside-out extended deny udp any any object-group Blocked-UDP-Ports log warnings
access-list inside-out extended permit tcp any any
access-list inside-out extended permit udp any any
access-list inside-out extended permit icmp any any echo
!
access-group inside-out in interface inside
!
class-map http_traffic
 match port tcp eq www
!
! match-all: the request must be a GET and its args must match the regex
class-map type inspect http match-all bit-torrent-tracker
 match request args regex bit-torrent-tracker
 match request method get
!
policy-map type inspect http Drop-P2P
 parameters
  protocol-violation action drop-connection log
 class bit-torrent-tracker
  drop-connection log
!
policy-map global_policy
 class http_traffic
  inspect http Drop-P2P
!
service-policy global_policy global

policy-map type inspect http P2P_HTTP
 parameters
 match request uri regex _default_gator
  drop-connection log
 match request uri regex _default_x-kazaa-network
  drop-connection log
!
policy-map IM_P2P
 class P2P
  inspect http P2P_HTTP

This prevents BitTorrent from connecting and also logs the issue.
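A defender's-side check of what the accepted configuration actually matches, as an added example that is not from the original post or from Cisco. The first function applies the post's info_hash regex to an HTTP request line the way the match-all class-map would (GET method plus query args); the second tallies, per source IP, the %ASA-4-106023 deny messages that the "log warnings" ACEs emit for the tracker ports, which is the data the asker wanted emailed. The request and syslog samples are constructed, and the 106023 message shape is assumed from the standard ASA syslog format.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Same pattern as the "regex bit-torrent-tracker" line in the accepted config.
TRACKER_ARGS_RE = re.compile(r".*[Ii][Nn][Ff][Oo]_[Hh][Aa][Ss][Hh]=.*")
# Ports from object-group BitTorrent-Tracker in the accepted config.
TRACKER_PORTS = {2710, 6969}

def http_inspect_would_drop(request_line: str) -> bool:
    """Mirror class-map bit-torrent-tracker (match-all): GET AND args regex."""
    try:
        method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return False  # not a well-formed request line; the class-map cannot match
    query = urlsplit(target).query  # "match request args" looks at the query string
    return method == "GET" and TRACKER_ARGS_RE.fullmatch(query) is not None

# Assumed shape of %ASA-4-106023 emitted by an ACE configured with "log warnings".
DENY_RE = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>tcp|udp) src \w+:(?P<src>[\d.]+)/\d+ "
    r'dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "inside-out"'
)

def tracker_hits(syslog_lines):
    """Count denies per source IP that targeted the tracker ports (alert input)."""
    hits = Counter()
    for line in syslog_lines:
        m = DENY_RE.search(line)
        if m and m["proto"] == "tcp" and int(m["dport"]) in TRACKER_PORTS:
            hits[m["src"]] += 1
    return hits

# Constructed sample data (not real requests or logs).
SAMPLE_REQUESTS = [
    "GET /announce?info_hash=%12%34&peer_id=abc&port=6881 HTTP/1.1",  # dropped
    "GET /index.html HTTP/1.1",                                        # allowed
    "POST /announce?info_hash=%12%34 HTTP/1.1",                        # not GET
]
SAMPLE_SYSLOG = [
    '%ASA-4-106023: Deny tcp src inside:192.168.1.10/51234 dst outside:203.0.113.5/6969 by access-group "inside-out" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src inside:192.168.1.10/51240 dst outside:203.0.113.7/2710 by access-group "inside-out" [0x0, 0x0]',
    '%ASA-4-106023: Deny udp src inside:192.168.1.22/40000 dst outside:198.51.100.9/12345 by access-group "inside-out" [0x0, 0x0]',
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(http_inspect_would_drop(r), r)
    print(dict(tracker_hits(SAMPLE_SYSLOG)))
```

Note that the UDP deny in the sample is counted by the ACL but not reported here, since the Blocked-UDP-Ports range covers far more than BitTorrent and would swamp an alert with legitimate traffic.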

4 REPLIES
VIP Advisor

Re: Cisco ASA 5510 How to go about blocking ports

Hi @Kelvin C

The firewall is not the right place to perform this task, believe it or not. First, those services use a random and very large number of IP blocks, which makes them almost impossible to block; second, by blocking a service using port/protocol you may block the traffic of legitimate applications.

Usually you should do this on a proxy. But it is possible to perform it on the ASA. You can look at regular expressions, for example.

But use this with precaution. This can drag too much CPU.

 

-If I helped you somehow, please, rate it as useful.-

 

Beginner

Re: Cisco ASA 5510 How to go about blocking ports

The ASA is on our DMZ. Our internal network won't be affected by port blockage at all. Should have mentioned that when I first started the post. It'll at most see about 50 users, what with everyone's phones and apparently the laptop downloading from BitTorrent.

VIP Advisor

Re: Cisco ASA 5510 How to go about blocking ports

You can start by looking at the ASDM logs and seeing the IP addresses they are connecting to.

Then you can create a simple rule denying that traffic. As I said, it is possible but can be very demanding. If the IP changes, you need to block it again.

Or you can take a look at regular expressions; this can be easier than blocking by IP address.

 

-If I helped you somehow, please, rate it as useful.-
