Block port on Cisco 836

neil.walsh
Level 1

Hi all,

I have a Cisco 836 router and I have been trying to block some of the ports that P2P applications use. For instance, LimeWire uses port 6349 for listening and 6346 for file sharing.

Unfortunately this router only has the basic firewall (ACL, not NBAR).

Could someone please point me in the right direction for blocking this port? I have tried and the file sharing still happens :(

Thanks in advance for your assistance.

4 Replies

thisisshanky
Level 11

This link might list most of the port numbers used by P2P apps.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00801e419a.shtml

Some of the programs, like Kazaa2, cannot be blocked unless you use NBAR.

What does your ACL look like, and how is it applied on your interface (outside/inside interface, inbound or outbound)?

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Thanks for your reply.

I have already read this doc. Unfortunately it doesn't help too much because I need NBAR.

The attachment is a screen shot of my firewall.

Not sure if this is practical for your situation, but you could explicitly define what ports are allowed, then deny everything else. This is what our company did on some 800 series routers.

Example: you only want to allow outgoing traffic to ports 80 (HTTP), 443 (HTTPS) and 25 (SMTP), then:

! acl 130: outbound on Dialer0 (EGRESS FILTERING):
access-list 130 permit tcp any any eq 80
access-list 130 permit tcp any any eq 443
access-list 130 permit tcp any any eq 25
access-list 130 deny tcp any any log
! the log above is optional, but helps when troubleshooting
!
interface Dialer0
 ip access-group 130 out

You will probably want to allow other things, such as ICMP. Here is something to serve as a starting point:

!! acl 130: outbound on Dialer0 (EGRESS FILTERING):
! access-list 130
!!!
!!! Deny traffic going to RFC1918 networks
access-list 130 deny ip any 10.0.0.0 0.255.255.255 log-input
access-list 130 deny ip any 172.16.0.0 0.15.255.255 log-input
access-list 130 deny ip any 192.168.0.0 0.0.255.255 log-input
!!!
!!! Allow only specific ICMP:
!!! allow to our network and the IP address of the external
!!! interfaces on this router.
!!!
!!! http://www.isi.edu/in-notes/iana/assignments/icmp-parameters
!!! http://www.worldgate.com/~marcs/mtu/
!!!
!!! (3 0) net-unreachable
access-list 130 permit icmp any any 3 0
!!! (3 1) host-unreachable
access-list 130 permit icmp any any 3 1
!!! (3 2) protocol-unreachable
access-list 130 permit icmp any any 3 2
!!! (3 3) port-unreachable
access-list 130 permit icmp any any 3 3
!!! (3 4) packet-too-big
access-list 130 permit icmp any any 3 4
!!! (3 13) administratively-prohibited
access-list 130 permit icmp any any 3 13
!!! (4) source-quench
access-list 130 permit icmp any any 4
!!! (11 0) ttl-exceeded
access-list 130 permit icmp any any 11 0
!!! (8 0) echo
access-list 130 permit icmp any any 8 0
!!! (0 0) echo-reply
access-list 130 permit icmp any any echo-reply
!!!
!!! Allow REALAUDIO
access-list 130 permit tcp any any eq 7070
access-list 130 permit tcp any any eq 554
!!!
!!! Allow CUSEEME
access-list 130 permit tcp any any eq 7648
access-list 130 permit udp any any eq 7648
access-list 130 permit tcp any any eq 24032
access-list 130 permit udp any any eq 24032
!!!
!!! Allow WWW (80) / HTTPS (443)
access-list 130 permit tcp any any eq www
access-list 130 permit tcp any any eq 443
!!!
!!! Allow SMTP (25)
access-list 130 permit tcp any any eq 25
!!!
!!! Allow IPSec traffic. IPSec uses
!!! IP protocols 50 and 51 and UDP port 500.
access-list 130 permit 50 any any
access-list 130 permit 51 any any
access-list 130 permit udp any any eq 500
!!!
!!! Allow PPTP traffic.
access-list 130 permit tcp any any eq 1723
access-list 130 permit gre any any
!!!
!!! Allow FTP traffic
access-list 130 permit tcp any any eq ftp-data
access-list 130 permit tcp any any eq ftp
!!!
!!! Deny and log everything that does not match the above rules.
!!! We include the entire port ranges for tcp and udp explicitly
!!! to ensure values for source and destination ports are logged.
access-list 130 deny tcp any range 0 65535 any range 0 65535 log-input
access-list 130 deny udp any range 0 65535 any range 0 65535 log-input
access-list 130 deny ip any any log-input

Forgot: if you were afraid that Kazaa or other programs might use port 80, you may be able to use N2H2 or Websense to filter which URLs are allowed.

http://www.cisco.com/en/US/products/sw/iosswrel/ps5012/products_feature_guide09186a008014654a.html

Also, release 7.0 of the PIX supports blocking of P2P apps natively, but you may not have deep pockets.
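The replies above turn on one point: an ACL is evaluated top to bottom, the first matching entry decides, and an implicit "deny ip any any" sits at the end, so a list that only denies two P2P ports permits the same client on any other port, while the egress list that permits known services and denies the rest does not. The following evaluator is an added example, not code from this thread or from Cisco, that models exactly those semantics so a list can be checked against sample flows before it is applied to Dialer0. Both ACLs in it are constructed: one copies the shape of acl 130 from the reply (the bare "access-list 130" line is kept to show that it is skipped, since IOS rejects it as incomplete), the other is the "deny the P2P ports, permit everything else" approach the original poster tried. The parser handles only the syntax the thread uses (any / host / address plus wildcard, eq / range on ports); ICMP type and code and the log keywords are accepted and ignored.

```python
"""First-match evaluator for Cisco IOS numbered extended ACLs (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

NAMED_PORTS = {"www": 80, "ftp": 21, "ftp-data": 20, "smtp": 25, "domain": 53}
NAMED_PROTOS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ahp": 51}
PortRange = Optional[Tuple[int, int]]      # inclusive range, None = any port


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: Optional[int]        # IP protocol number; None means "ip" (any)
    src: ipaddress.IPv4Network
    src_ports: PortRange
    dst: ipaddress.IPv4Network
    dst_ports: PortRange


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard mask (0 bits must match) -> network. 0.0.0.0 means a single host."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)


def _parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return _wildcard_to_network(tok[i], tok[i + 1]), i + 2


def _port(tok: str) -> int:
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)


def _parse_ports(tok: List[str], i: int) -> Tuple[PortRange, int]:
    if i < len(tok) and tok[i] == "eq":
        return (_port(tok[i + 1]), _port(tok[i + 1])), i + 2
    if i < len(tok) and tok[i] == "range":
        return (_port(tok[i + 1]), _port(tok[i + 2])), i + 3
    return None, i


def parse_acl(text: str, number: int) -> List[Rule]:
    """Collect the entries of one numbered ACL in configuration order."""
    rules: List[Rule] = []
    for line in text.splitlines():
        tok = line.split()
        # skip comments, other lists, and incomplete lines such as a bare "access-list 130"
        if not tok or tok[0].startswith("!") or tok[:2] != ["access-list", str(number)] or len(tok) < 6:
            continue
        action, proto_tok = tok[2], tok[3]
        if proto_tok == "ip":
            proto = None
        elif proto_tok in NAMED_PROTOS:
            proto = NAMED_PROTOS[proto_tok]
        else:
            proto = int(proto_tok)              # e.g. "50" for ESP
        src, i = _parse_addr(tok, 4)
        src_ports, i = _parse_ports(tok, i)
        dst, i = _parse_addr(tok, i)
        dst_ports, i = _parse_ports(tok, i)     # trailing icmp type/code or log* ignored
        rules.append(Rule(action, proto, src, src_ports, dst, dst_ports))
    return rules


def _in_range(rng: PortRange, port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def evaluate(rules: List[Rule], proto: int, src: str, dst: str, sport: int = 0, dport: int = 0):
    """Return (action, index of the matching entry); index None = implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, r in enumerate(rules):
        if r.proto is not None and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if not (_in_range(r.src_ports, sport) and _in_range(r.dst_ports, dport)):
            continue
        return r.action, idx
    return "deny", None


# Constructed sample: same structure as the egress list in the thread, shortened.
EGRESS_ACL = """
access-list 130
access-list 130 deny ip any 10.0.0.0 0.255.255.255 log-input
access-list 130 deny ip any 172.16.0.0 0.15.255.255 log-input
access-list 130 deny ip any 192.168.0.0 0.0.255.255 log-input
access-list 130 permit icmp any any 8 0
access-list 130 permit icmp any any echo-reply
access-list 130 permit tcp any any eq www
access-list 130 permit tcp any any eq 443
access-list 130 permit tcp any any eq 25
access-list 130 permit udp any any eq 500
access-list 130 permit 50 any any
access-list 130 deny tcp any range 0 65535 any range 0 65535 log-input
access-list 130 deny udp any range 0 65535 any range 0 65535 log-input
access-list 130 deny ip any any log-input
"""
# Constructed sample: the "block the known P2P ports" approach.
PORT_BLOCK_ACL = """
access-list 131 deny tcp any any eq 6346 log
access-list 131 deny tcp any any eq 6349 log
access-list 131 permit ip any any
"""
# Constructed sample flows: (label, protocol, source, destination, sport, dport)
FLOWS = [
    ("browser to web server",      6, "192.168.1.10", "203.0.113.5",  40000, 80),
    ("LimeWire to peer, port 6346", 6, "192.168.1.10", "198.51.100.7", 40001, 6346),
    ("P2P client on port 4444",    6, "192.168.1.10", "198.51.100.7", 40002, 4444),
    ("ping",                       1, "192.168.1.10", "203.0.113.5",  0, 0),
    ("leak to RFC1918 address",    6, "192.168.1.10", "10.1.2.3",     40003, 80),
]

if __name__ == "__main__":
    lists = {"port-block acl 131": parse_acl(PORT_BLOCK_ACL, 131),
             "egress acl 130": parse_acl(EGRESS_ACL, 130)}
    for label, proto, src, dst, sport, dport in FLOWS:
        verdicts = ", ".join(f"{name}: {evaluate(r, proto, src, dst, sport, dport)[0]}"
                             for name, r in lists.items())
        print(f"{label:32} {verdicts}")
```

Running it shows the difference the replies describe: the port-block list denies only the two LimeWire ports and permits the same client on port 4444, while the egress list permits the browser, ping and IPsec flows and denies everything else, including traffic aimed at an RFC1918 destination, which hits the first deny before any permit is consulted.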
