I use a Cisco 831 router to connect the office LAN to the Internet.
I have to block the Messenger application.
How can I configure the router to block the port(s) used by Messenger?
Moreover, is there a specific way to block all the ports and specifically open only the ones that I really need to use (such as the one used by FTP, the one used by HTTP and so on)?
Thanks for any help.
The Messenger application is a little tricky. The application uses all sorts of port numbers; the main one is 1863, but it can use port 80 as well. The only real way to stop Messenger is to stop web access totally!
To answer your second question:
access-list 112 permit tcp any any eq telnet
access-list 112 permit tcp any any eq ftp
access-list 112 permit tcp any any eq 80
access-list 112 deny ip any any
There is an implicit deny at the end of every access-list (as long as there is at least one entry in it). I tend to add it in there anyway, as it can be used to log.
I found in some forums that I have to block some UDP and TCP ports (1863) and also block access to msgr.hotmail.com.
To block the port I tried this part of code in my CISCO:
access-list 101 deny udp any any eq 1863
access-list 101 deny tcp any any eq 1863
but if I activate this access-group in the Cisco
in the interface Ethernet0 (E0 is on my LAN side and E1 is on the WAN side)
ip access-group 101 in
at the "exit" command the router has definitely collapsed and I must restart it.
It restarts correctly using the "startup-config" of the NVRAM.
What is wrong?
And another question:
Can I block the access to msgr.hotmail.com in the CISCO router?
Thanks for your time and your help
There is an implicit deny at the end of the access list,
so you need to either permit specific data or add
access-list 101 permit ip any any
as the last line.
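An added example, not part of the original thread: a simplified Python model of first-match ACL evaluation, showing why access-list 101 with only its two deny lines drops everything entering the interface and what the trailing permit changes. The model matches only protocol and destination port (an assumption made for brevity), and the sample packets are constructed.

```python
# Added example: first-match ACL evaluation with the implicit deny.
# Simplified model (assumption): an entry is (action, protocol, dest_port),
# where protocol "ip" matches any protocol and port None matches any port.

IMPLICIT_DENY = ("deny", "ip", None)  # applies at the end of every non-empty ACL

# access-list 101 as posted in the question
ACL_101_AS_POSTED = [
    ("deny", "udp", 1863),
    ("deny", "tcp", 1863),
]

# access-list 101 with "permit ip any any" added as the last line
ACL_101_CORRECTED = ACL_101_AS_POSTED + [("permit", "ip", None)]

# Constructed sample traffic arriving from the LAN side: (label, protocol, dest_port)
SAMPLE_PACKETS = [
    ("messenger", "tcp", 1863),
    ("http", "tcp", 80),
    ("dns", "udp", 53),
    ("telnet", "tcp", 23),
]


def evaluate(acl, proto, dport):
    """Return the action of the first entry that matches the packet."""
    for action, acl_proto, acl_port in acl + [IMPLICIT_DENY]:
        proto_matches = acl_proto in ("ip", proto)
        port_matches = acl_port is None or acl_port == dport
        if proto_matches and port_matches:
            return action
    return "deny"  # not reached: the implicit deny matches every packet


def verdicts(acl):
    """Map each sample packet label to the ACL's decision for it."""
    return {label: evaluate(acl, proto, dport)
            for label, proto, dport in SAMPLE_PACKETS}


if __name__ == "__main__":
    for name, acl in (("as posted", ACL_101_AS_POSTED),
                      ("corrected", ACL_101_CORRECTED)):
        print(f"{name:10s} {verdicts(acl)}")
```
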
Life is not that easy.
MSN Messenger also works with just port 80 (HTTP), so forget about TCP and UDP port 1863.
It might work with NBAR on routers and PIX OS 7.0 at the beginning of 2005.
We were having an issue with this and so I found a different way around this.
1. Write an acceptable use policy detailing that use of instant messenger is prohibited.
2. Email all users stating this and that you are deploying a system that will archive all instant messages and that they will be audited by HR for compliance.
3. Put in a network sniffer application like "msn sniffer" and carry out 2.
It's amazing, the reduction in messenger usage when people realise that their conversations are being monitored and reviewed...
You are absolutely right, this is the way it should be done. Unfortunately, not all companies have a useful written security policy.
Yeah... I agree man, life is not that easy. It's hard to block Messenger even if you block that port; just block port 80, but... that's right, you can't surf the Internet ;) I hope there will be new features solving this problem in a new PIX software release soon...
I'm an intern at a school where MSN Messenger is prohibited. But sometimes we find children who are on MSN Messenger, so we want to block the port that MSN uses. I'm a beginner at networking, so I don't know if this will work; see my idea below.
Can't you block port 80, but only for a certain IP address?
If you locate the correct set of IP addresses, yes. However, I believe that Microsoft in their wisdom now use Passport to authenticate Messenger.
So if you block those servers you also kill all sites which use passport for authentication.
Can anyone confirm this?