
ASA-5510 - how to block p2p & IM

battanc
Level 1

ASA 5510, version 8.4.1 with ASDM 6.4.1

How can I prevent users from sharing files with p2p programs (torrent, eMule, etc.) and from chatting via Instant Messaging, Facebook, Twitter, etc.?

I find a lot of suggestions, but always related to 8.3 or older

Thanks

Claudio

6 Replies

csaxena
Cisco Employee

Hello Claudio,

On ASA 8.4.1 you can use all the suggestions available for 8.3 & pre-8.3 code. But the newer clients for Yahoo, Hotmail, etc. and Skype can't be blocked using the ASA alone. All the new clients & p2p clients use dynamic ports or ports that are not known, and thus can't be blocked on the ASA.

Again, Facebook and Twitter are available over HTTPS, and thus you can't block them using HTTP inspection & URL filtering.

Hope this helps.

Regards,

Chirag

Some news?

I find some suggestions:

http-map inbound_http
 content-length min 100 max 2000 action reset log
 content-type-verification match-req-rsp action reset log
 max-header-length request 100 action reset log
 max-uri-length 100 action reset log
 port-misuse p2p action drop
 port-misuse im action drop
 port-misuse default action allow

but it works only for 7.x (http-map is "deprecated")

Is there a way to convert the commands into policy-map?

Thanks a lot

Claudio

Claudio,

Follow this document for configuration in v7.2 and later. This configuration should work in 8.4.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c38a6.shtml

Thanks,

Brendan

I already know this document, but - as I wrote 2 posts before - it doesn't work with 8.4 (http-map is "deprecated")

Claudio

The "PIX/ASA 7.2 and Later Configuration" portion of the document does not use the http-map. :-)

Thanks,

Brendan

Thanks

I have just read the upper part of the document ...
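
For the conversion asked about earlier in the thread, here is an added example (not from any poster and not copied from the linked Cisco document) that expresses the length and content-type checks of the posted http-map as an HTTP inspection policy map. The map name HTTP_LIMITS is hypothetical; the three port-misuse lines and the content-length minimum are not carried over in this sketch.

```cisco
! Added example. HTTP_LIMITS is a hypothetical name.
! Each match shows the http-map line it stands in for.
policy-map type inspect http HTTP_LIMITS
 parameters
 ! http-map: content-type-verification match-req-rsp action reset log
 match req-resp content-type mismatch
  reset log
 ! http-map: max-header-length request 100 action reset log
 match request header length gt 100
  reset log
 ! http-map: max-uri-length 100 action reset log
 match request uri length gt 100
  reset log
 ! http-map: content-length min 100 max 2000 action reset log
 ! (only the upper bound is expressed here)
 match request body length gt 2000
  reset log
!
! Attach the map to HTTP inspection in the global policy.
! If "inspect http" is already configured under this class,
! remove it first with "no inspect http", then re-add it with the map.
policy-map global_policy
 class inspection_default
  inspect http HTTP_LIMITS
```

After applying, `show service-policy inspect http` lists per-match hit counters, which shows whether the limits are resetting traffic you did not intend to block.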
