Hi Bro
Unfortunately, the PIX/ASA is not able to block skype traffic. Skype has the capability to negotiate dynamic ports and to use encrypted traffic. With encrypted traffic, it is virtually impossible to detect it as there are no patterns to look for.
You could eventually use a Cisco Intrusion Prevention System (IPS). It has some signatures that are able to detect a Windows Skype Client that connects to the Skype server to synchronize its version. This is usually done when the client is initiated the connection. When the sensor picks up the initial Skype connection, you can be able to find the person who use the service, and block all connections initiated from their IP address.
Frankly, I don’t know any company that encourages their staffs to install skype application in their laptop, for network security reasons. I know I wouldn’t. However, if you still insist that staff should be able to chat with peers/friends on the outside of your network, you can;
Option A
--------------
To get the staff to subscribe to meebo instead. Meebo is an Ajax site that lets you chat online with your friends that use Yahoo Messenger, MSN Messenger, AIM, ICQ and Jabber (including Google Talk). You can log into all the IM networks simultaneously from your browser. If you don't want to create a Meebo account, you can get into one IM network at a time.
Option B
--------------
To incorporate Cisco's Cut-through Proxy Authentication feature in your ASA FW (no need extra license but you'll need a radius server e.g. Cisco ACS) assuming you only want to allow certain staffs to have the privilege of using Skype, but not everyone in the office. https://supportforums.cisco.com/community/netpro/security/aaa/blog/2011/01/21/limiting-internet-access-based-on-user-profile-using-asa-and-radius
P/S: If you think this comment is useful, please do rate them nicely.
Warm regards,
Ramraj Sivagnanam Sivajanam
