Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
920
Views
0
Helpful
3
Replies

How to Block Torrent traffic on ASA 5510 Details inside thanks

Lost & Found
Level 2
Level 2

‎03-07-2015 09:13 PM - edited ‎03-11-2019 10:36 PM

Hi,

Good day 

I would like to ask how to block torrent traffic on asa 5510?

I tried to this config. but didn't work. any idea??

object-group service Blocked-UDP-Ports udp

description All ports blocked for Bit Torrent UDP

port-object range 10001 65535

port-object range 1024 1193

port-object range 1195 9999

object-group service BitTorrent-Tracker tcp

description TCP Ports used by Bit Torrent for tracker communication

port-object eq 2710

port-object range 6881 6999

 

access-list inside_access_in extended deny udp any any object-group Blocked-UDP-Ports log warnings inactive

access-list inside_access_in extended deny tcp any any object-group BitTorrent-Tracker log warnings inactive

 

Thank you in advance

Labels:
0 Helpful
3 Replies 3

Vibhor Amrodia
Cisco Employee
Cisco Employee

‎03-09-2015 02:43 AM

Hi,

I think the configuration that you have pasted covers most of the common ports.

Still , I think it is difficult to block this application using the ACL alone.

Although , the ports that you have blocked might also cause some other things not to work as the range is quite wide.

If you are okay with these ranges being blocked , I would recommend you to follow the reactive approach and try to enable debug syslog on ASDM and test the torrent traffic and simultaneously filter the logs on the ASDM to see which ports are being used and then add them to the ACL.

Thanks and Regards,

Vibhor Amrodia

0 Helpful

Lost & Found
Level 2
Level 2
In response to Vibhor Amrodia

‎03-09-2015 09:11 AM

You're right. So complicated regards with those ports some of my application won't work when I enable on inside interface I'm experiencing network issues. Hahaha.. 

But for now I usegp gp on server side to disable it but it's too easy to bypass.

How about disabling p2p??

And how about teamviewer is it possible with acl port 5...?

 

Thank you

Arvin r.

 

0 Helpful

Vibhor Amrodia
Cisco Employee
Cisco Employee
In response to Lost & Found

‎03-10-2015 07:37 AM

Hi,

These application uses the random Dynamic ports and that is the reason they are hard to block using a static ACL policy.

I think if you try to block a wide range of ports that might affect the other traffic so i would recommend against it.

I would suggest to go for a smarter solution like a external module which is specifically made for this requirement.

Thanks and Regards,

Vibhor Amrodia

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card