blocking IM on asa

cfajardo1_2
Level 7

Is it possible to block messengers such as Yahoo Messenger etc. on an ASA 5500?

Anyone knows how?

Thanks.

Accepted Solution

I have found that with (at least PIX 7.x), Yahoo is not capable of being blocked. I had this in our lab and it successfully blocked MSN Messenger and AIM. However, I could continue to use Yahoo Messenger. When I opened a TAC case, their only recommendation at the time was to put a list of about 30 IP addresses they gave me for Yahoo, and deny to those addresses.

That's an impossible way to manage things. We came up with our solution...create a DNS zone for msg.yahoo.com and have it point to nowhere on your internal DNS servers. Worked pretty good.


6 Replies

andrew.burns
Level 11

Hi,

Look up the command "port-misuse" in the configuration guide for an example on how to do this.

Note that at present it only blocks the top 3 IM apps (Yahoo, AIM and MSN IM)

HTH

Andrew.


Thanks a lot. This works for me. But what about MSN Messenger?

john.stephens
Community Member

I was testing the same thing, I got it working on the PIX 7.1. I thought the asa code was pretty much the same for this, but I'm not sure.

I tested Yahoo 8.0 with and without the PIX commands applied. When the following is applied, it prevents me from logging in. If I'm already logged in it doesn't kill my session. (this likely isn't the cleanest example, I'm still testing other functions, but it does work.)

class-map type inspect im match-all John_IP_Map
 match ip-address 255.255.255.255
class-map inspection_default
 match default-inspection-traffic
class-map inside-IM-class
 match any
policy-map type inspect im IM_Policy_Map
 description Lab Test
 parameters
 class John_IP_Map
  drop-connection log
policy-map inside-IM-policy
 description Lab test
 class inside-IM-class
  inspect im IM_Policy_Map
policy-map type inspect im Yahoo_Messenger
 description Test
 parameters
!
service-policy inside-IM-policy interface inside

The below configuration has been tested. It even blocks access to IM using the web.

Please rate if this solves your issue,

Thanks,

class-map inspection_default
 match default-inspection-traffic
class-map MyClass
 match any
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect http WebMSN
 parameters
  protocol-violation action drop-connection
 class _default_msn-messenger
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
policy-map type inspect im BlockMSN
 description To Block MSN
 parameters
  match protocol msn-im
  drop-connection log
policy-map type inspect im BlockYahoo
 parameters
  match protocol yahoo-im
  drop-connection log
policy-map MyInsidePolicy
 class MyClass
  inspect im BlockYahoo
!
service-policy global_policy global
service-policy MyInsidePolicy interface inside
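A quick way to check a config like the one above is to confirm that every policy-map actually reaches an interface through a service-policy, directly or via an "inspect <proto> <name>" hand-off. The Python helper below is an added example, not code from this thread or from Cisco; it runs over a trimmed copy of the posted config (policy-map names are the poster's) and reports BlockMSN and WebMSN as defined but never attached, which is why only Yahoo would be dropped.

```python
import re

# Trimmed copy of the MSN/Yahoo config posted above, used only as sample input
# (class-maps and most global inspects omitted); not a config to deploy.
SAMPLE_CONFIG = """\
policy-map type inspect http WebMSN
 class _default_msn-messenger
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect h323 h225
policy-map type inspect im BlockMSN
 parameters
  match protocol msn-im
  drop-connection log
policy-map type inspect im BlockYahoo
 parameters
  match protocol yahoo-im
  drop-connection log
policy-map MyInsidePolicy
 class MyClass
  inspect im BlockYahoo
service-policy global_policy global
service-policy MyInsidePolicy interface inside
"""

def parse_policy_maps(config):
    """Map each policy-map to the names it hands off to via 'inspect <proto> <name>'."""
    refs, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"policy-map(?: type inspect \S+)? (\S+)$", line):
            current = m.group(1)
            refs.setdefault(current, set())
        elif current and (m := re.match(r"inspect \S+ (\S+)$", line)):
            refs[current].add(m.group(1))  # may be a keyword (h225), filtered later
    return refs

def attached_policy_maps(config):
    # Policy-maps bound by service-policy, globally or to an interface.
    return {m.group(1) for m in re.finditer(r"^\s*service-policy (\S+)", config, re.M)}

def unattached_policy_maps(config):
    """Defined policy-maps that no service-policy reaches, directly or via inspect."""
    refs, reachable = parse_policy_maps(config), set()
    todo = list(attached_policy_maps(config))
    while todo:
        name = todo.pop()
        if name in refs and name not in reachable:  # unknown names are keywords, skip
            reachable.add(name)
            todo.extend(refs[name])
    return sorted(set(refs) - reachable)
```

Run it against a full "show running-config" copy; an empty result means every policy-map is in the path of some service-policy.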

This doesn't seem to work. For me it worked the first two times and then I was able to send files anyway.
