
blocking AOL instant messenger with Cisco Pix 7.x

daviddtran
Level 1

Hi all,

I need to do the following:

nat (inside) 1 0 0

global (outside) 1 interface

access-list External permit icmp any any echo-reply

access-list External deny ip any any log

access-list Internal permit tcp any any eq 23

access-list Internal permit tcp any any eq 80

access-list Internal permit udp any any eq 53

access-group External in interface outside

access-group Internal in interface inside

Problem is that users on the inside use AOL instant messaging via port 23 and I would like to block them from using AOL IM on port 23, but I also would like to allow legitimate telnet to go through.

I do NOT want to block the AOL destination IM server in the ACL. I want the Pix to be smart enough to be able to accomplish this via application inspection.

I can do this rather easily with Checkpoint SmartDefense, which is built in with Checkpoint firewall. I am migrating over to Cisco Pix and I would like to do the same thing.

Any ideas on how to do this? Thanks.

David

32 Replies

Is it also a bug in version 7.2(2)?

David

SR 605442403

Please let me know.

My problem was that after applying this, I could not get to Windows Update, which opens ActiveX to scan your PC.

zulqurnain
Level 3

Hello,

As you said, you want to block AOL IM using port 23 and at the same time allow legitimate telnet to go through. The idea is that if you know the legitimate IPs that should be allowed, then you can just edit your ACL,

e.g.

access-list Internal permit tcp host <legitimate IP> any eq 23

This will only allow them to access telnet through port 23, and all other users will be denied access using port 23.

HTH

Please rate if helped.

Regards
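
Added example (not part of the reply above and not Cisco code): a small first-match simulation of the thread's Internal ACL, comparing the suggested host entry when the original `permit tcp any any eq 23` line is kept with the case where it is replaced. The address 192.0.2.10 is a constructed stand-in for the reply's legitimate IP, and the helper names are hypothetical.

```python
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"
TELNET_HOST = "192.0.2.10/32"  # constructed placeholder for <legitimate IP>

def ace(action, proto, src, port):
    """One ACL entry. Destination is 'any' in every entry on the page, so it is omitted."""
    return (action, proto, ip_network(src), port)

# The Internal ACL exactly as posted in the question.
ORIGINAL = [
    ace("permit", "tcp", ANY, 23),
    ace("permit", "tcp", ANY, 80),
    ace("permit", "udp", ANY, 53),
]

# Host entry added, but the broad telnet entry is still in the list.
APPENDED = ORIGINAL + [ace("permit", "tcp", TELNET_HOST, 23)]

# Host entry takes the place of the broad telnet entry.
REPLACED = [ace("permit", "tcp", TELNET_HOST, 23)] + ORIGINAL[1:]

def evaluate(acl, proto, src, port):
    """Return the action of the first matching entry; no match means implicit deny."""
    for action, a_proto, a_src, a_port in acl:
        if proto == a_proto and ip_address(src) in a_src and port == a_port:
            return action
    return "deny"

def report():
    """Telnet (tcp/23) verdict for the listed host and for another inside host."""
    rows = []
    for name, acl in (("original", ORIGINAL), ("appended", APPENDED),
                      ("replaced", REPLACED)):
        for src in ("192.0.2.10", "192.0.2.77"):  # constructed inside hosts
            rows.append((name, src, evaluate(acl, "tcp", src, 23)))
    return rows

if __name__ == "__main__":
    for row in report():
        print("%-9s %-11s tcp/23 -> %s" % row)
```

The verdict depends only on protocol, source address and destination port, so any application using port 23 from the listed host matches the same permit entry as telnet.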
