03-23-2006 12:44 PM - edited 02-21-2020 12:47 AM
I'm confused. The Cisco ASA book I have states that to block Instant Messaging you use an http-map. Most IMs aren't using HTTP or port 80, correct? I tried the commands http-map Filter_http
port-misuse im action drop
IM still works? Any ideas? I may just use an ACL with IP addresses.
03-23-2006 03:18 PM
IMs like MSN and Yahoo Messenger by default will try to use their configured port (1863 and 5050 respectively). If they can't connect using these ports, they will then try port 80.
So block these ports first, then in addition leave the http-map that you have configured so it will block their attempt to encapsulate the message in HTTP.
If it can still get through the PIX, you can check the logs to see what port it uses.
03-23-2006 06:41 PM
Another thing you need to add:
http-map Filter_http
port-misuse im action drop
port-misuse tunnelling action drop <<<
This will drop IM apps trying to tunnel to port 80 as explained earlier.
03-24-2006 07:51 AM
Thanks michtan. We do use WebEx and GoToMyPC on occasion when vendors need to access a PC. We also have VPN tunnels. Will the last command "port-misuse tunnelling action drop" affect either?
03-24-2006 10:22 AM
Then you'd better not use the "port-misuse tunnelling action drop" command, since it will drop GoToMyPC sessions. Not sure about WebEx though.
You might want to check out this bug CSCsb41742.
" P2P/IM and tunneling traffic is only blocked with the 'strict-http action drop'.
If the option is set to 'strict-http action drop' both http and P2P/IM and tunneling traffic will be dropped.
This allows all traffic
http-map Match_Restricted_Programs
strict-http action allow log
port-misuse im action drop log
port-misuse p2p action drop log
port-misuse tunneling action drop log
This drops all traffic (p2p/http/im/tunnelling)
http-map Match_Restricted_Programs
strict-http action drop log
port-misuse im action drop log
port-misuse p2p action drop log
port-misuse tunneling action drop log"
03-24-2006 11:23 AM
I tried your example above, but it didn't block IM when just inspecting port 80. I had to put in a range of ports from 500 - 3000 in order to block it. However, this is only working for the MS Messenger application; my users are still able to log in to the web-based version of IM to get around this... Is there any way of blocking the web-based version as well using http-map?
Thanks,
Greg
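As an added example that is not from this thread or from Cisco, here is what a complete ASA 7.x policy looks like when the http-map is actually bound to traffic, which is the step the earlier posts leave implicit; it follows the bug note above (IM/P2P detection only fires with strict-http action drop) and Greg's finding that port 80 alone is not enough. The names Filter_http, IM_ports_acl, IM_ports and global_policy are assumed.

```text
! Assumed names throughout; constructed example, not from the original posts.
http-map Filter_http
 strict-http action drop log
 port-misuse im action drop log
 port-misuse p2p action drop log
! port-misuse tunneling is deliberately left out: as noted above it also drops GoToMyPC.
! Caution: strict-http drop also rejects non-RFC-compliant HTTP, so watch the logs.
!
! Match port 80 plus the 500-3000 range the client was seen falling back to.
access-list IM_ports_acl extended permit tcp any any eq www
access-list IM_ports_acl extended permit tcp any any range 500 3000
class-map IM_ports
 match access-list IM_ports_acl
!
! Bind the map: an http-map does nothing until "inspect http <map>" references it.
policy-map global_policy
 class IM_ports
  inspect http Filter_http
!
service-policy global_policy global
```

If the default inspection_default class already carries a plain "inspect http", list the IM_ports class before it or remove that line, because only the first matching class applies a given inspection to a flow.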
03-24-2006 09:38 PM
Hi Greg,
Unfortunately, there is no URL filtering in the PIX, as it wasn't designed for that. The IM blocking is a relatively new feature too.
I suggest you go in for some good URL filtering software to crack down on those HTTP-MSN users. I believe Websense is the best on the market and, if I'm not mistaken, I believe Cisco has some tie-up with those guys too.
So the answer to your question: no.
03-27-2006 07:39 AM
I have Websense, but it wasn't blocking IM. I spoke to their tech support and they stated I need to add a 2nd NIC to the Websense server, then I need to span a port on my 6509 to run all traffic to the Websense box, because by default it is only looking at port 80 traffic. I was hoping there was a simple EASY way to do this, LOL. (I have an ASA box.)