Cannot keep P2P blocked with ZFW

Brian M
Level 1

I have configured a router with ZFW, and from my testing I can confirm that almost everything is working the way it should except the P2P blocking. It doesn't seem to block anything in the P2P arena; I've tried Gnutella, Kazaa, and BitTorrent, and all of them are able to make a connection, search, and download. I even have DPI enabled to make sure it can't use HTTP, but it still manages to get out.

Once in a while the router does log a message (below), but it's not consistent.

*Feb 19 20:26:15.689: %APPFW-6-P2P_PORT_HOP: gnutella using 9699 port -  tcp session 10.32.2.30:3976 70.121.190.197:9699 on zone-pair in-out class CM_INSPECT

Feb 19 20:26:48.641: %FW-6-LOG_SUMMARY: 1 packet were dropped from 10.32.2.30:3985 => 24.141.184.178:36486 (target:class)-(in-out:CM_P2P)

class-map type inspect match-any CM_INSPECT
match protocol dns
match protocol https
match protocol icmp
match protocol imap
match protocol tcp
match protocol udp


class-map type inspect match-all CM_HTTP
match protocol http

class-map type inspect http match-any CM_PORTMISUSE
match  request port-misuse p2p
match  request port-misuse tunneling
match  req-resp protocol-violation


class-map type inspect match-any CM_P2P
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
match protocol gnutella

policy-map type inspect http PM_HTTPDPI
class type inspect http CM_PORTMISUSE
  log
  reset


policy-map type inspect PM_INSPECT
class type inspect CM_P2P
  drop log
class type inspect CM_HTTP
  inspect
  service-policy http PM_HTTPDPI
class type inspect CM_INSPECT
  inspect
class class-default
  drop

zone security outside
zone security inside

zone-pair security in-out source inside destination outside
service-policy type inspect PM_INSPECT

interface BVI1
ip address 10.32.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security inside

interface FastEthernet4
ip address dhcp
ip nat outside
ip virtual-reassembly
zone-member security outside
speed 100
full-duplex

Any help is appreciated!!
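The two syslog lines quoted above carry the one piece of evidence that matters for this kind of problem: the name of the inspect class the session actually landed in. The following script is an added example, not code from the original post or from Cisco; it parses the %APPFW-6-P2P_PORT_HOP and %FW-6-LOG_SUMMARY formats exactly as they appear in the post, tallies drops per class, and flags port-hop detections that were logged under a class other than the one meant to drop P2P. The sample log embeds the two real lines from the post plus constructed lines in the same formats (the 192.0.2.10 peer and the %SYS line are made up), and it assumes CM_P2P is the intended drop class, as in the posted policy-map.

```python
"""Report which ZFW inspect class handled each P2P-related syslog event.

Added example (not from the original post). Input formats are the two
message types quoted in the post; the extra sample lines are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log: first two lines are the ones quoted in the post,
# the rest are made up here in the same formats to exercise the parser.
SAMPLE_LOG = """\
*Feb 19 20:26:15.689: %APPFW-6-P2P_PORT_HOP: gnutella using 9699 port -  tcp session 10.32.2.30:3976 70.121.190.197:9699 on zone-pair in-out class CM_INSPECT
Feb 19 20:26:48.641: %FW-6-LOG_SUMMARY: 1 packet were dropped from 10.32.2.30:3985 => 24.141.184.178:36486 (target:class)-(in-out:CM_P2P)
*Feb 19 20:27:02.100: %APPFW-6-P2P_PORT_HOP: bittorrent using 6881 port -  tcp session 10.32.2.30:4001 192.0.2.10:6881 on zone-pair in-out class CM_P2P
Feb 19 20:27:30.512: %FW-6-LOG_SUMMARY: 3 packets were dropped from 10.32.2.30:4001 => 192.0.2.10:6881 (target:class)-(in-out:CM_P2P)
Feb 19 20:27:45.000: %SYS-5-CONFIG_I: Configured from console by console
"""

# %APPFW-6-P2P_PORT_HOP: <app> using <port> port -  <proto> session <src> <dst>
#   on zone-pair <zone-pair> class <class>
PORT_HOP_RE = re.compile(
    r"%APPFW-6-P2P_PORT_HOP: (?P<app>\S+) using (?P<port>\d+) port -\s+"
    r"(?P<proto>tcp|udp) session (?P<src>\S+) (?P<dst>\S+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+)"
)
# %FW-6-LOG_SUMMARY: <n> packet(s) were dropped from <src> => <dst>
#   (target:class)-(<zone-pair>:<class>)
DROP_RE = re.compile(
    r"%FW-6-LOG_SUMMARY: (?P<count>\d+) packets? were dropped from "
    r"(?P<src>\S+) => (?P<dst>\S+) \(target:class\)-"
    r"\((?P<zone_pair>[^:]+):(?P<cls>[^)]+)\)"
)


@dataclass
class ZfwEvent:
    kind: str          # "port_hop" or "drop"
    src: str
    dst: str
    zone_pair: str
    cls: str           # inspect class the session was placed in
    app: str = ""      # port_hop only: application detected
    count: int = 0     # drop only: packets dropped


def parse_line(line):
    """Return a ZfwEvent for a known message type, else None."""
    m = PORT_HOP_RE.search(line)
    if m:
        return ZfwEvent("port_hop", m["src"], m["dst"], m["zone_pair"],
                        m["cls"], app=m["app"])
    m = DROP_RE.search(line)
    if m:
        return ZfwEvent("drop", m["src"], m["dst"], m["zone_pair"],
                        m["cls"], count=int(m["count"]))
    return None


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def misclassified_p2p(events, drop_class="CM_P2P"):
    """Port-hop detections logged under a class other than the P2P drop class."""
    return [e for e in events if e.kind == "port_hop" and e.cls != drop_class]


def drops_per_class(events):
    """Total dropped packets per inspect class."""
    totals = Counter()
    for e in events:
        if e.kind == "drop":
            totals[e.cls] += e.count
    return totals


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    for e in misclassified_p2p(EVENTS):
        print(f"{e.app} {e.src} -> {e.dst} detected in class {e.cls}, not CM_P2P")
    print(dict(drops_per_class(EVENTS)))
```

Run against the real lines from the post, the script reports the gnutella session as detected under CM_INSPECT while only the CM_P2P class shows drops. Since classes in a policy-map type inspect are matched top-down and first match wins, a port-hop message naming CM_INSPECT means that session was not classified by CM_P2P, which is the check to make before touching the signatures themselves.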
