Showing results for 
Search instead for 
Did you mean: 

Deny bittorent on Cisco PIX/ASA


How can I deny all bittorent traffic on a Cisco PIX/ASA


David Stanford
Cisco Employee
Cisco Employee

I believe the ports used by this application are from 6881 to 6999. If you want to block these ports please take a look at

the commands below

access-list outbound_access deny tcp any any range 6881 6999

access-list outbound_access permit ip any any

access-group outbound_access in interface inside

You can also permit any ports you would like to include

for PIX 7.X you can look at the following

PIX 7.01 does have a command to block p2p traffic. Please refer to the PIX 7.0 command reference for the "port-misuse" feature:

First we start out with our examples so you can see yourself move around

within the pix as

the prompts change to get used to the new sub-menus that have been created

in the pix.



Create a class-map for http inspection

pix(config)# class-map http-port

pix(config-cmap)# match port tcp eq 80

pix(config-cmap)# exit

Create an http-map to specify parameters for inspect http

pix(config)# http-map inbound_http

pix(config-http-map)# content-length min 100 max 2000 action reset log

pix(config-http-map)# content-type-verification match-req-rsp action reset


pix(config-http-map)# max-header-length request 100 action reset log

pix(config-http-map)# max-uri-length 100 action reset log

pix(config-http-map)# port-misuse p2p action drop

pix(config-http-map)# port-misuse default action allow

pix(config-http-map)# exit

Create a policy-map for http inspection

* pix(config)# policy-map inbound_policy

pix(config-pmap)# class http-port

pix(config-pmap-c)# inspect http inbound_http

pix(config-pmap-c)# exit

pix(config-pmap)# exit

If necessary create a service-policy or use the default-inspection policy

pix(config)# service-policy inbound_policy interface outside

*Attach the policy-map for http inspection to an interface (an existing

policy map could

also be used).

This ends up in the config as:


class-map http-port

match port tcp eq 80

class-map http-port8080

match port tcp eq 8080


http-map inbound_http

content-length min 100 max 2000 action reset log

content-type-verification match-req-rsp action reset log

max-header-length request 100 action reset log

max-uri-length 100 action reset log

port-misuse p2p action drop

port-misuse default action allow


policy-map inbound_policy

class http-port

inspect http inbound_http

class http-port8080

inspect http inbound_http


service-policy inbound_policy interface outside


If you notice, you can add more ports via class-maps which tie to the

inbound_policy we

created to tie to the interface. I haven't tested this yet but you can set


port-misuse default action to allow which we did above so you should be able

to inspect

other ports that are being used without blocking anything that you're

currently doing as

long as the P2P headers aren't found in the packets.

Essentially this will cause the pix to block the P2P applications while

still allowing

normal traffic over port 80/8080.

i have an asa running 8.2

is this the right way of doing it or using an aip-ssm module? or both?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: