07-18-2005 05:32 AM - edited 02-21-2020 12:16 AM
Hi all,
I just got an ASA 5520 VPN Plus and I'm having trouble blocking p2p and im programs.
The problem is when I block p2p and im programs, no other web sites work. Here is my config below.
ASA Version 7.0(1)
names
!
interface GigabitEthernet0/0
nameif Inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
nameif Internet
security-level 0
ip address xxxxxxxxx
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
enable password xxxx
passwd xxxx
hostname xxxxxxx
domain-name xxxxxxx
ftp mode passive
access-list 100 extended permit ip any any
!
http-map test-http
port-misuse p2p action drop
port-misuse tunnelling action allow
port-misuse im action drop
port-misuse default action allow
!
pager lines 24
logging buffered debugging
logging asdm informational
mtu Inside 1500
mtu Internet 1500
mtu management 1500
no failover
monitor-interface Inside
monitor-interface Internet
monitor-interface management
asdm image disk0:/asdm-501.bin
no asdm history enable
arp timeout 14400
global (Internet) 1 interface
nat (Inside) 1 192.168.10.0 255.255.255.0
route Internet xxxxxxx
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.10.2 255.255.255.255 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map test
match access-list 100
!
!
policy-map policy
class test
inspect http test-http
!
service-policy policy global
Thanks
Stevan
07-18-2005 03:38 PM
As soon as you define a http-map it tells the PIX to start strict HTTP inspection, regardless of the other specific parameters you set within the http-map. I think what might be going on is the fact your class-map is directing ALL IP traffic through this http-map via access-list 100, and because that traffic is not actually HTTP it is dropped by the strict inspection rules.
I would suggest changing your class map to only send HTTP packets through the http-map, that should allow all other packets to flow through correctly (and it will speed them up greatly also). The following should resolve your problem:
class-map test
match port tcp eq 80
This will ensure that only HTTP packets are sent through the HTTP inspection engine, which makes sense anyway. Another way to do it, especially if you want to define a few different port numbers as HTTP traffic (8080, 8800, etc), is to change your ACL 100 to define only TCP traffic on those ports, rather than "ip any any" as you currently have.
07-19-2005 04:42 AM
Hi, and thanks for the feedback.
I tried doing what you wrote. The problem is that im and p2p applications are still being let through. I need to block im and p2p programs.
Thanks for your help
Stevan
07-22-2005 01:14 AM
Hi,
For version 7.0 not all p2p & im get detected.
p2p: only detects Kazaa & Gnutella.
im: only detects Yahoo messenger
-
You could try turning it around like this:
http-map test-http
port-misuse tunnelling action allow
port-misuse default action drop log
Remember to only match port 80 traffic in your class-map.
I hope this helps.
-Thomas
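Putting the two replies together, here is the complete MPF policy as an added example (my own assembly, not config posted by anyone in the thread): an ACL limiting the inspection class to HTTP ports, the http-map inverted to default-drop with logging, and the original policy-map left intact. The ACL name HTTP_PORTS and the extra ports 8080/8800 are assumptions taken from the first reply's suggestion.

```cisco
! Match only traffic on the ports used for HTTP (name and extra ports are assumptions)
access-list HTTP_PORTS extended permit tcp any any eq www
access-list HTTP_PORTS extended permit tcp any any eq 8080
access-list HTTP_PORTS extended permit tcp any any eq 8800
!
! Inverted http-map: anything the engine does not classify as plain HTTP is dropped and logged
http-map test-http
 port-misuse tunnelling action allow
 port-misuse default action drop log
!
! Replace the "ip any any" match so only HTTP-port traffic enters strict inspection
class-map test
 no match access-list 100
 match access-list HTTP_PORTS
!
policy-map policy
 class test
  inspect http test-http
!
service-policy policy global
```

The log keyword matters here: default-drop also discards legitimate applications that speak non-RFC HTTP on these ports, and the syslog entries are how you find them. Note that the final reply in the thread reports the inversion still did not block IM/P2P on this release and points to bug CSCsb41742.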
12-14-2005 01:47 AM
It doesn't work - it's a bug (and still is!) - see CSCsb41742