
Block on ASA 5100

jerrybu01
Level 1

Hi everyone,

I have a Cisco ASA 5510 version 8.3. My company has an internet policy like this:

Clients use the IP range 192.168.100.0/24.

My boss wants to block an IP range from 192.168.100.20 to 192.168.100.200, but they can access Skype, email and the company website.

The rest of the IPs: allow all.

I know how to block a website, but I don't know how to configure the above. Help me?

4 Replies

jocamare
Level 4

The tricky part will be Skype, the rest is easy.

Skype uses dynamic ports and sometimes it encrypts the traffic, so there is no way [on the ASA] to match for this traffic and let it go through, not even deny it.

You can try an IPS solution since there are some signatures configured to detect that traffic, but I wouldn't recommend it as the ultimate solution.

Skype was designed to be sneaky and bypass firewalls and filters.

Besides, not all the traffic you want to block goes through the ASA, does it?

Yes,

With the IP range 192.168.100.20/24 - 192.168.100.200/24 --> I will block all traffic (not including email, a company website..)

The rest of the IP addresses: full traffic.

If we are going to block everything but mail and access to a specific website, you can use ACLs for that.

It was already defined that we can't block Skype.

Thanks, jocamare!
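
The ACL approach suggested above, as an added example that is not part of the thread: a Python script that splits the range 192.168.100.20 to 192.168.100.200 into network/mask blocks and emits extended ACL lines in first-match order. The ACL name `CLIENTS_IN`, the server addresses (documentation placeholders) and the permitted ports are assumptions, since the thread names none of them.

```python
import ipaddress

# Constructed placeholders (documentation addresses); the thread gives no server IPs.
MAIL_SERVER = "203.0.113.10"
COMPANY_WEB = "203.0.113.20"
# Assumed services: SMTP for mail, HTTP/HTTPS for the company website.
ALLOWED = [("tcp", MAIL_SERVER, 25), ("tcp", COMPANY_WEB, 80), ("tcp", COMPANY_WEB, 443)]


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks covering first..last inclusive."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def acl_source(net):
    """ASA-style source: 'host A.B.C.D' for a /32, else 'network netmask'."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def build_acl(name, first, last, allowed):
    """Permit the listed services for the range, deny its other traffic,
    then allow every remaining client."""
    cidrs = range_to_cidrs(first, last)
    lines = []
    # Permits must come before the denies: the ACL is evaluated top-down.
    for net in cidrs:
        for proto, dst, port in allowed:
            lines.append(f"access-list {name} extended permit {proto} "
                         f"{acl_source(net)} host {dst} eq {port}")
    for net in cidrs:
        lines.append(f"access-list {name} extended deny ip {acl_source(net)} any")
    # Addresses outside the restricted range keep full access.
    lines.append(f"access-list {name} extended permit ip any any")
    return lines


if __name__ == "__main__":
    print("\n".join(build_acl("CLIENTS_IN", "192.168.100.20",
                              "192.168.100.200", ALLOWED)))
```

The generated list still has to be bound to the client-facing interface with `access-group`. If the restricted clients resolve names through the firewall, a DNS entry has to be added to `ALLOWED` as well.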
