10-13-2012 11:19 PM - edited 03-11-2019 05:08 PM
Hi
I am trying the below configuration, found on the internet, to stop TeamViewer on a Cisco ASA, but it's not working. Please adjust the config to make it suitable for work.
regex TV-RGX “\.teamviewer\.com”
regex DG-RGX “\.dyngate\.com”
class-map inspection_default
 match default-inspection-traffic
class-map type regex match-any TV-CLS
 match regex DG-RGX
 match regex TV-RGX
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect sip
  inspect ftp
  inspect icmp
policy-map type inspect dns TV-PLC
 parameters
  message-length maximum 512
 match domain-name regex class TV-CLS
  drop
!
service-policy global_policy global
I received the below error when I tried to add the inspection:
asa1(config-pmap-c)# inspect dns TV-PLC
ERROR: Inspect configuration of this type exists, first remove
that configuration and then add the new configuration
asa1(config-pmap-c)#
10-14-2012 12:42 AM
Hello Ibrahim,
Try the following:
regex TV-RGX "\.teamviewer\.com"
regex DG-RGX "\.dyngate\.com"
class-map type regex match-any TV-CLS
 match regex DG-RGX
 match regex TV-RGX
class-map type inspect http match-any block-TV-DG
 match request uri regex class TV-CLS
policy-map type inspect http block-TV-DG
 parameters
 class block-TV-DG
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect http block-TV-DG
regards
Harish
10-14-2012 01:18 AM
Hi Harish
I tried the below config as you suggested, but users still have TV access. Please examine it and help.
class-map type regex match-any TV-CLS
 match regex DG-RGX
 match regex TV-RGX
class-map type inspect http match-any block-TV-DG
 match request uri regex class TV-CLS
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect http block-TV-DG
 parameters
 class block-TV-DG
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect sip
  inspect ftp
  inspect http block-TV-DG
10-14-2012 01:42 AM
Hello Ibrahim,
The above configuration only blocks the URL teamviewer which is going over port 80. It doesn't block your application. In order to block your application you need to block the DNS traffic towards TeamViewer, but a client with a hardcoded server IP can still access the application.
For DNS blocking you can use the previous config you have used. In order to avoid the error which you were getting earlier, you need to remove the default DNS inspection and add your customized inspection as follows:
policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map
  inspect dns TV-PLC
Harish
10-14-2012 02:37 AM
Hi Harish
Also it didn't work, please advise.
10-14-2012 04:25 AM
Hello Ibrahim,
Please change your regex as follows
regex TV-RGX "\teamviewer\.com"
regex DG-RGX "\dyngate\.com"
The dot (.) before the name is not required in your case.
10-14-2012 06:37 AM
Hi Harish
It doesn't work. Please post me the working config.
Thanks
Ibrahim
10-14-2012 06:51 AM
Please find the attached working configuration
regex TV-RGX “\teamviewer\.com”
regex DG-RGX “\dyngate\.com”
class-map type regex match-any TV-CLS
 match regex DG-RGX
 match regex TV-RGX
policy-map type inspect dns TV-PLC
 parameters
 match domain-name regex class TV-CLS
  drop
policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map
  inspect dns TV-PLC
clear local-host all
If you are still facing issue, the client may not be using the server mentioned or not proper name mentioned
regards
Harish.
10-15-2012 01:22 AM
Hi Harish
What do you mean by the below?
If you are still facing issue, the client may not be using the server mentioned or not proper name mentioned
thanks
10-15-2012 02:06 AM
Hello Ibrahim,
What I am trying to say is that the filtering we have in place is fine as long as your application uses the name teamviewer.com for connecting.
Can you ping teamviewer.com from one of your PCs and see whether you are able to resolve the IP?
ping teamviewer.com
Also please do share the latest configuration as well
regards
Harish.
10-15-2012 04:23 AM
10-15-2012 04:32 AM
Hello Ibrahim,
Please share the latest config
regards
Harish
10-15-2012 05:15 AM
Hello Ibrahim,
Please change the regex as follows
regex TV-RGX ".*\.teamviewer\.com"
regex DG-RGX “.*\.dyngate\.com”
If that doesn't help, the application might be using some other domain names. You can run Wireshark on the PC where you have TeamViewer installed and try to find out the domain name, then block according to that. I am sure they will be using different domain names at different times. The above regex blocks whatever domain starts xxx.teamviewer.com, for example on my PC it was 'master3.teamviewer.com'.
regards
Harish.
10-15-2012 06:07 AM
Hi Harish
In the below lines, do I need to put the " " and “ ”?
regex TV-RGX ".*\.teamviewer\.com"
regex DG-RGX “.*\.dyngate\.com”
Thanks
10-15-2012 06:11 AM
Not required, as you are matching both these regexes in the class-map TV-CLS.
Also, once you have changed this, you should not be able to ping as follows from any PC:
ping www.teamviewer.com
regards
Harish
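Added example, not part of any post in this thread: a quick offline check of which DNS query names each TV-RGX variant posted above would match, useful before pushing a regex into a DNS inspection policy. Python's re module stands in for the ASA regex engine here, which is an assumption (unanchored matching, and \t read as a tab escape); the query names are constructed, apart from master3.teamviewer.com, which is quoted in the thread.

```python
import re

# The three TV-RGX variants posted in the thread, copied verbatim.
THREAD_PATTERNS = {
    "leading-dot": r"\.teamviewer\.com",
    "backslash-t": r"\teamviewer\.com",
    "dot-star": r".*\.teamviewer\.com",
}

# Constructed sample query names (master3.teamviewer.com comes from the thread).
SAMPLE_QNAMES = [
    "master3.teamviewer.com",
    "www.teamviewer.com",
    "teamviewer.com",
    "www.example.com",
]


def dropped_names(pattern, qnames=SAMPLE_QNAMES):
    """Return the query names the pattern matches, using an unanchored search.

    Assumption: the firewall matches the regex anywhere in the domain name,
    which is what re.search() models.
    """
    rx = re.compile(pattern)
    return [q for q in qnames if rx.search(q)]


def coverage():
    """Map each thread variant to the sample names it would drop."""
    return {label: dropped_names(p) for label, p in THREAD_PATTERNS.items()}


if __name__ == "__main__":
    for label, names in coverage().items():
        shown = ", ".join(names) if names else "nothing"
        print(f"{label:12} {THREAD_PATTERNS[label]:24} -> {shown}")
```

Under these assumptions the leading-dot and dot-star variants match the same names, the backslash-t variant matches none because \t is read as a tab character, and the bare name teamviewer.com is matched by no variant.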