09-02-2010 05:38 AM - edited 03-11-2019 11:34 AM
Anyone know how to block LogMeIn and GoToMyPC? We are using an ASA 5520. We mainly want to prevent people coming into our network using those applications. Also, our helpdesk uses LogMeIn Rescue and would need to allow that for them.
09-02-2010 07:38 AM
Hi Danielle,
Using an access-list would be a good way to prevent anyone from outside coming into your network using GoToMyPC and LogMeIn. An access-list can be applied on the outside interface, which is facing the internet. GoToMyPC uses port number 8900 and LogMeIn uses 12975 and 32976. Also, it will attempt to use port 443 if it fails to connect on the other two ports.
access-list block_traffic deny tcp any any eq 8900
access-list block_traffic deny tcp any any eq 12975
access-list block_traffic deny tcp any any eq 32976
access-list block_traffic deny tcp any any eq 443
access-list block_traffic permit ip any any
Since we are blocking traffic on 443, if you have an HTTPS server on the inside it will cause problems. This access-list should be applied on the outside interface.
09-02-2010 07:41 AM
Thank you for the advice! So if applied on the outside interface only, the help desk will still be able to use LogMeIn Rescue from inside?
09-02-2010 07:53 AM
Ya it should work. I am assuming that logmein does not use the same port to connect back to help desk pc.
09-02-2010 07:53 AM
Thank you! Will give it a try!
09-02-2010 08:19 AM
Hi Danielle,
The ASA has built-in regexps for GoToMyPC, and there was a way to do this also for LogMeIn.
class-map type inspect http match-all _default_GoToMyPC-tunnel
match request args regex _default_GoToMyPC-tunnel
match request uri regex _default_GoToMyPC-tunnel_2
!
asa5520# sh run all regex
regex _default_GoToMyPC-tunnel_2 "[/\\]erc[/\\]Poll"
regex _default_GoToMyPC-tunnel "machinekey"
These kinds of applications have grown (or used to grow) to hundreds quite fast, faster than we're able to adjust regexps on the ASA, since they are supposed to be static by nature. Don't expect a one-command wonder.
I'm not intimately familiar with those apps... since GoToMyPC works on HTTP, potentially CSC would be a nice way to prohibit it.
Note that IPS seems to be familiar with Hamachi:
http://www.cisco.com/web/software/282773979/34047/Readme-IPS-sig-S387.txt
15454.0 LogMeIn Hamachi Activity
Blocking LogMeIn & GoToMyPC
LogMeIn uses HTTPS, which is not covered in the HTTP inspection.
So, the regex method may not be useful for that.
You could try blocking a couple of LogMeIn ports (TCP 12975 and 32976, see http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers) to see if that helps.
The LogMeIn application connects to an intermediate server (bibi.hamachi.cc) to establish communication. You can block that IP from communicating to your network. Hope this helps.
I just added two routes into my core router:
ip route 66.151.158.177 255.255.255.255 Null0
ip route 216.115.217.45 255.255.255.255 Null0
This kills the constant polls that GoToMyPC uses in order to come back through your firewall.
If you want to find out who is using it, you can build an access list around those two:
access-list 101 deny ip any host 66.151.158.177 log
access-list 101 deny ip any host 216.115.217.45 log
access-list 101 permit ip any any
Check your log files and they will tell you the internal IP addresses that tried to access those sites.
You can also check the Cisco IPS S387 signature update details (new signatures):
SIGID SIGNAME ENGINE SEVERITY ENABLED
15454.0 LogMeIn Hamachi Activity atomic-ip informational false
15455.0 LogMeIn Product Activity atomic-ip low false
You could block access to poll.gotomypc.com to keep GoToMyPC from working.
You'll need to block port 8200; GoToMyPC generates only outgoing HTTP/TCP to ports 80, 443 and/or port 8200, and you can also stop 'poll.gotomypc.com'. Sorry, I don't have the IP address, but try doing an nslookup for 'poll.gotomypc.com' to get the relevant IP address.
Read the following PDF document on this matter as well.
https://www.gotomypc.com/downloads/pdf/m/GoToMyPC_Personal_Security_White_Paper.pdf
---------
The GoToMyPC server [service installed] always sends an outgoing HTTP "ping" to the GoToMyPC broker (poll.gotomypc.com) at regular intervals, checking to see if any connect requests have been received.
So the way to prevent the GoToMyPC broker from accessing our company's computers is by blocking access to the GoToMyPC broker host.
This will prevent anyone from starting a connection to access any computer inside our firewall [the protected LAN].
Name: poll.gotomypc.com
Address: 66.151.158.177
Using a simple outbound ACL will do the job. If you don't need any access to that site, you can just deny ip for that IP:
access-list 100 deny ip 192.168.0.0 255.255.255.0 host 66.151.158.177
access-list 100 permit ip any any
This will deny both TCP and UDP connections to that IP.
If you have a proxy server, you can use URL-based filtering in that if you need to block many more such websites.
Also, GoToMyPC will help us to block our Internet-visible IPs [real IPs].
They already have a policy for companies who do not currently have GoToMyPC accounts but wish to block access using their Authorization Management Service; we simply have to send a request to the following email address: GoToSales@expertcity.com.
---------------
Another easy way to block any of these services without content filtering is by URL, since you need to log in to www.logmein.com, www.gotomypc.com, etc.
Set up a local DNS zone on your DNS server:
127.0.0.0 logmein.com gotomypc.com
If they can't resolve logmein or gotomypc, they can't connect.
------------------------
Another way of doing this is to block installation of the executable, such as logmein, via group policy or through your anti-virus software.
Port 2002 needs to be open for TCP inbound and outbound traffic.
---------------------------
Hope this helps and let me know how you get on.
Sachin Garg
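The posts above suggest logging ACL denies to the broker/relay addresses and then reading the logs to find which internal hosts are polling out. As an added example (not from this thread or from Cisco), the script below parses the two ACL-deny syslog formats involved, IOS IPACCESSLOGP (the `access-list 101 ... log` router case) and ASA 106023 (an ACL deny on the firewall), and summarises denied flows per internal source. The log lines are constructed samples; the 64.94.18.10 address is an invented host inside one of the LogMeIn ranges listed later in the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread): one IOS router ACL log,
# ASA ACL-deny messages, and one unrelated ASA line that must be ignored.
SAMPLE_LOGS = """\
%SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.0.25(51422) -> 66.151.158.177(8200), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.0.25(51423) -> 216.115.217.45(80), 3 packets
%ASA-4-106023: Deny tcp src inside:192.168.0.77/49201 dst outside:66.151.158.177/443 by access-group "INSIDE_OUT" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.0.25/49202 dst outside:64.94.18.10/443 by access-group "INSIDE_OUT" [0x0, 0x0]
%ASA-6-302013: Built outbound TCP connection 12 for outside:8.8.8.8/443 (8.8.8.8/443) to inside:192.168.0.5/5000 (203.0.113.5/5000)
"""

# Broker / relay addresses named in the thread, used only to label hits.
BROKERS = {
    "66.151.158.177": "poll.gotomypc.com",
    "216.115.217.45": "GoToMyPC poll target (per thread)",
}

IOS_RE = re.compile(
    r"IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<n>\d+) packet"
)
ASA_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src \S+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \S+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\""
)

def parse_deny(line):
    """Return (acl, src, dst, dport, packets) for an ACL-deny line, else None."""
    m = IOS_RE.search(line)
    if m:
        return m["acl"], m["src"], m["dst"], int(m["dport"]), int(m["n"])
    m = ASA_RE.search(line)
    if m:  # ASA 106023 is emitted per packet, so count each line as one
        return m["acl"], m["src"], m["dst"], int(m["dport"]), 1
    return None

def summarize(text):
    """Map each internal source IP to {(dst, dport): denied packet count}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        rec = parse_deny(line)
        if rec:
            _acl, src, dst, dport, n = rec
            hits[src][(dst, dport)] += n
    return {src: dict(flows) for src, flows in hits.items()}

if __name__ == "__main__":
    for src, flows in summarize(SAMPLE_LOGS).items():
        for (dst, dport), n in flows.items():
            print(f"{src} -> {dst}:{dport} ({BROKERS.get(dst, 'unlabelled')}) x{n}")
```

Feed it the router or ASA syslog instead of SAMPLE_LOGS to get the list of inside hosts that are still polling the brokers after the ACLs are in place.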
05-13-2011 12:05 PM
Hi Danielle,
A little late here, and maybe my approach is a sledgehammer, but it works for me ATM with our ASA and our PIX. Since the LogMeIn traffic originates from the inside by the client to one of the MANY secure.logmein.com servers, you will need to block outbound TCP 80 and 443 traffic to those specific IPs related to secure.logmein.com. The method I chose was to create the group of LogMeIn IPs (it changes as they add more) and then I applied the rules to the inside interface.
ASA Example:
object-group network LOGMEIN
description Hosts allowing use of logmein remote session software to local IPs
network-object 64.94.18.0 255.255.255.0
network-object 69.25.20.0 255.255.255.0
network-object 69.25.21.0 255.255.255.0
network-object 74.201.74.0 255.255.255.0
network-object 74.201.75.0 255.255.255.0
network-object 77.242.192.0 255.255.255.0
network-object 77.242.193.0 255.255.255.0
network-object 216.52.233.0 255.255.255.0
network-object 212.118.234.0 255.255.255.0
network-object 64.74.103.0 255.255.255.0
Example of outbound rules used:
access-list INSIDE_OUT extended deny tcp any object-group LOGMEIN
Although you could block just TCP 80 and 443:
access-list INSIDE_OUT extended deny tcp any object-group LOGMEIN eq http
access-list INSIDE_OUT extended deny tcp any object-group LOGMEIN eq https
For good measure any inbound traffic:
access-list OUTSIDE_IN extended deny tcp object-group LOGMEIN any
On the PIX side the same action was taken:
object-group network LOGMEIN
description Hosts allowing use of logmein remote session software to local IPs
network-object 64.94.18.0 255.255.255.0
network-object 69.25.20.0 255.255.255.0
network-object 69.25.21.0 255.255.255.0
network-object 74.201.74.0 255.255.255.0
network-object 74.201.75.0 255.255.255.0
network-object 77.242.192.0 255.255.255.0
network-object 77.242.193.0 255.255.255.0
network-object 216.52.233.0 255.255.255.0
network-object 212.118.234.0 255.255.255.0
network-object 64.74.103.0 255.255.255.0
access-list outside_access_in deny tcp object-group LOGMEIN any
access-list inside_access_out deny tcp any object-group LOGMEIN
Blocking all TCP may be heavy handed but it works against a moving target.