11-25-2004 03:17 AM - edited 03-09-2019 09:33 AM
I use a Cisco 831 router to connect the office LAN to the internet.
I have to block the Messenger application.
How can I configure the router to block the port(s) used by Messenger?
Moreover, is there a specific way to block all the ports and open specifically the ones that I really need to use (something like the one used by FTP, the one used by HTTP, and so on)?
Thanks for any help
PP
11-25-2004 04:20 AM
The Messenger application is a little tricky. The application uses all sorts of port numbers; one main one is 1863, but it can use port 80 as well. The only real way to stop Messenger is to stop web access totally!
To answer your second question:
access-list 112 permit tcp any any eq telnet
access-list 112 permit tcp any any eq ftp
access-list 112 permit tcp any any eq 80
access-list 112 deny ip any any
There is an implicit deny at the end of every access-list (as long as there is at least one entry in it). I tend to add it in there anyway, as it can be used to log.
11-26-2004 03:03 AM
Thanks...
I found in some forums that I have to block some UDP and TCP ports (1863) and also block access to msgr.hotmail.com.
To block the port I tried this piece of configuration on my Cisco:
access-list 101 deny udp any any eq 1863
access-list 101 deny tcp any any eq 1863
but if I activate this access-group on the Cisco
on the interface Ethernet0 (E0 is on my LAN side and E1 is on the WAN side)
using
ip access-group 101 in
at the "exit" command the router is definitively collapsed and I must restart it.
It restarts correctly using the "startup-config" of the NVRAM.
What is wrong?
And another question,
Can I block the access to msgr.hotmail.com in the CISCO router?
Thanks for your time and your help
PP
11-26-2004 04:04 AM
There is an implicit deny at the end of the access list,
so you need to either permit specific data or add an
access-list 101 permit ip any any as the last line
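An added illustration, not part of any post in this thread: a small Python model of first-match ACL evaluation, run over the ACL lines quoted above, showing what the implicit deny does to ACL 101 with and without the final permit. It ignores addresses and direction (every rule here is `any any`), and the sample packets, including the telnet session, are constructed.

```python
import re

PORT_NAMES = {"telnet": 23, "ftp": 21, "www": 80}  # IOS port keywords
RULE = re.compile(r"access-list \d+ (permit|deny) (ip|tcp|udp) any any(?: eq (\S+))?")

ACL_101_AS_POSTED = """
access-list 101 deny udp any any eq 1863
access-list 101 deny tcp any any eq 1863
"""
ACL_101_FIXED = ACL_101_AS_POSTED + "access-list 101 permit ip any any\n"
ACL_112 = """
access-list 112 permit tcp any any eq telnet
access-list 112 permit tcp any any eq ftp
access-list 112 permit tcp any any eq 80
access-list 112 deny ip any any
"""
# Constructed sample packets as (protocol, destination port).
PACKETS = [("tcp", 23), ("udp", 53), ("tcp", 80), ("tcp", 1863)]

def parse_acl(text):
    """Turn the ACL lines into (action, protocol, port-or-None) tuples."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unsupported ACL line: {line!r}")
        action, proto, port = m.groups()
        if port is not None:
            port = PORT_NAMES.get(port) or int(port)
        rules.append((action, proto, port))
    return rules

def evaluate(rules, proto, dport):
    """First matching rule wins; no match falls to the implicit deny."""
    for action, rule_proto, rule_port in rules:
        if rule_proto in ("ip", proto) and rule_port in (None, dport):
            return action
    return "deny"  # implicit 'deny ip any any'

def verdicts(acl_text):
    rules = parse_acl(acl_text)
    return {pkt: evaluate(rules, *pkt) for pkt in PACKETS}

if __name__ == "__main__":
    for name in ("ACL_101_AS_POSTED", "ACL_101_FIXED", "ACL_112"):
        print(name, verdicts(globals()[name]))
```

With the list as first posted, every sample packet is denied, not only port 1863; with the final permit added, only port 1863 is denied and port 80 still passes.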
11-26-2004 04:58 AM
Yes .....
I found it just after my mail.
It seems to work
Thank you very much for your help
PP
11-26-2004 05:45 AM
Life is not that easy.
MSN Messenger also works with just port 80 (HTTP), so forget about TCP and UDP port 1863.
It might work with NBAR on routers and PIX OS 7.0 at the beginning of 2005.
sincerely
Patrick
11-26-2004 07:17 AM
We were having an issue with this and so I found a different way around this.
1. Write an acceptable use policy detailing that use of instant messenger is prohibited.
2. Email all users stating this and that you are deploying a system that will archive all instant messages and that they will be audited by HR for compliance.
3. Put in a network sniffer application like "msn sniffer" and carry out 2.
It's amazing, the reduction in messenger usage when people realise that their conversations are being monitored and reviewed.....
11-26-2004 09:12 AM
You are absolutely right, this is the way it should be done. Unfortunately, not all companies have a useful written security policy.
sincerely
Patrick
11-26-2004 06:52 PM
Yeah... I agree man, life is not that easy. It's hard to block Messenger even if you block that port; just block port 80, but... that's right, you can't surf the internet ;) I hope there will be new features solving this problem in a new PIX software release soon...
Thanks
Tonny
11-30-2004 12:51 AM
I'm an intern at a school where MSN Messenger is prohibited. But sometimes we find children who are on MSN Messenger. So we want to block the port that MSN uses. I'm a beginner at networking, so I don't know if this will work; see my idea below.
Can't you block port 80, but only for a certain IP address?
11-30-2004 01:36 AM
If you locate the correct set of IP addresses, yes. However, I believe that Microsoft in their wisdom now use Passport to authenticate Messenger.
So if you block those servers you also kill all sites which use Passport for authentication.
Can anyone confirm this?