BLOCKING A PORT

PPVISIONNUMERIC · ‎11-25-2004

I use a CISCO 831 ROUTER to connect the office lan to internet.

I have to block the Messenger application

How can I parameter the router to block the port(s) used by Messenger?

Moreover, is there specific way to block all the port and open specificaly the ones that i need to use really ( something like the one used by ftp the one used by http and so on )?

Thanks for any help

PP

matthew.long · ‎11-25-2004

The messenger application is a little tricky, the allpication uses all sorts of port numbers one main one is 1863 but it can use port 80 aswell. The only real way to stop messanger is to stop web access totally!

To answer you second question:

access-list 112 permit tcp any any eq telnet

access-list 112 permit tcp any any eq ftp

access-list 112 permit tcp any any eq 80

access-list 112 deny ip any any

There is an implict deny at the end of every access-list (as long as there is at least one entry in it) I tend to add it in there any way as it can be used to log.

PPVISIONNUMERIC · ‎11-26-2004

Thanks...

I found in somme fomums that I have to block some udp and tcp ports (the 1863) and also to block the access to msgr.hotmail.com

To block the port I tried this part of code in my CISCO:

access-list 101 deny udp any any eq 1863

access-list 101 deny tcp any any eq 1863

but i I activate this access-group in the CISCO

in the interface Ethernet0 (E0 is on my LAN side and E1 is on the WAN side )

using

ip access-group 101 in

at the "exit" command the router is definitively collapsed and i must restart it

It restarts correctly using the "startup-config' of the nvram

What is wrong ?

And an other question,

Can I block the access to msgr.hotmail.com in the CISCO router?

Thanks for your time and your help

PP

matthew.long · ‎11-26-2004

The is an implicit deny at the end of the access list

so you need to either permit specific data or add a

access-list 101 permit ip any any as the last line

PPVISIONNUMERIC · ‎11-26-2004

Yes .....

I find it just after my mail

It seems to work

Thank you very much for your help

PP

Patrick Iseli · ‎11-26-2004

Life is not that easy.

MSN Messenger does also work with just port 80 (http) so forget about tcp and udp port 1863.

Might be work with NBAR on Routers and PIX 0S 7.0 in the beginning of 2005.

sincerely

Patrick

matthew.long · ‎11-26-2004

We were having an issue with this and so I found a different way around this.

1. Write an acceptable use policy detailing that use of instant messenger is prohibited

2. Email all users stating this and that you are deploying a system that will archive all instant messenges and that they will be audited by HR for compliance

3. Put in a network sniffer application like "msn sniffer". and carry out 2

Its amazing at the reduction in messenger usage when people realise that their conversations are being monitored and reviewed.....

Patrick Iseli · ‎11-26-2004

You are absolutly right, this is the way how it should be done. Unfortunently not all companys have a usfull written security policy.

sincerely

Patrick

tonny_ecmyy · ‎11-26-2004

Yeah...I agree man, Life is not that easy, it's hard to block messenger even if you block that port, just block port 80 but..that's right, you can't surf the internet ;) , I hope there will be new features solving this problem in new pix software release soon...

Thanks

Tonny

johnny_grave · ‎11-30-2004

I'm an intern at a school, where msn messenger is prohibited. But sometimes we find children who are on msn messenger. So we want to block the port that msn uses. I'm a beginner at networking so i don't know if this will work, see my idea below.

Can't you block port 80, but only with a certain ip adress?

matthew.long · ‎11-30-2004

if you locate he correct set of ip addresses yes. however, I believe that microsoft in their wisdom now use Passport to authenticate messenger.

So if you block those servers you also kill all sites which use passport for authentication.

Can anyone confirm this?