Re: ASA blocking IM using http?

PaulWelc · ‎03-23-2006

I'm confused. The cisco ASA book I have states to block Instant Messaging use a http-map. Most IM aren't using http or port 80 correct? I tried the commands http-map Filter_http

port-misuse im action drop

IM still works? Any ideas? I may just use an ACL with IP addresses.

Michael Tan · ‎03-23-2006

IMs like MSN and Yahoo messenger by default will try to use their configured port (1863 and 5050 respectively). If they can't connect using these ports, they will then try port 80.

So block these ports first then in addition leave the http-map that you have configured so it will block their attempt to encapsulate the message in http.

If it can still get through the pix, you can check the logs to see what port it uses.

Michael Tan · ‎03-23-2006

Another thing you need to add:

http-map Filter_http

port-misuse im action drop

port-misuse tunnelling action drop <<<

This will drop IM apps trying to tunnel to port 80 as explained earlier.

PaulWelc · ‎03-24-2006

Thanks michtan. We do use webex and gotomypc on occasion when vendors need to access a PC. We also have VPN tunnels. Will the last command "port-misuse tunnelling action drop" effect either?

Michael Tan · ‎03-24-2006

Then you better not use the "port-misuse tunnelling action drop" command since it will drop gotomypc sessions. Not sure about webex though.

You might want to check out this bug CSCsb41742.

" P2P/IM and tunneling traffic is only blocked with the 'strict-http action drop'.

If the option is set to 'strict-http action drop' both http and P2P/IM and tunneling traffic will be dropped.

This allows all traffic

http-map Match_Restricted_Programs

strict-http action allow log

port-misuse im action drop log

port-misuse p2p action drop log

port-misuse tunneling action drop log

This drops all traffic (p2p/http/im/tunnelling)

http-map Match_Restricted_Programs

strict-http action drop log

port-misuse im action drop log

port-misuse p2p action drop log

port-misuse tunneling action drop log"

gregm · ‎03-24-2006

I tried your example above but it didn't Block IM when just inspecting port 80. I had to put a range of ports from 500 - 3000 in order to block it. However this is only working for MS Messenger application, my users are still able to login to the web based version of IM to get around this... Is there any way of blocking the webbase version as well using http-map?

Thanks,

Greg

victorrodrigues · ‎03-24-2006

Hi Greg,

Unfortunately,there is no URL filtering in the PIX as it wasn't designed for that.The IMs blocking is a relatively new feature too.

I suggest you go in for some good URL filtering software to crack down on those HTTP-MSN users. I believe Websense is the best in the market and if I'm not mistaken , I believe Cisco has some tie up with those guys too.

So the answer to your question, No.

PaulWelc · ‎03-27-2006

I have websense, but it wasn't blocking IM. I spoke to their tech support and they stated I need to add a 2nd NIC to the websense server, then I need to span a port on my 6509 to run all traffic to the Websense box because by default it is only looking at port 80 traffic. I was hoping there was a simple EASY way to do this, LOL. (I have an ASA box).