02-06-2009 07:49 AM - edited 03-09-2019 10:01 PM
Hi all,
Can anyone please tell me if it is possible to completely block the use of Skype on an internal network using an 877 ADSL router. I am running Advanced IP Services 124-15.T8.
I have read, followed and implemented the Cisco document "Cisco IOS Flexible Packet Matching (FPM): Getting Started with Cisco IOS Flexible Packet Matching", which gives an example of blocking Skype at the end. However, even though I can see certain Skype traffic being blocked (01116: Feb 6 2009 15:42:17.308 GMT: %SEC-6-IPACCESSLOGP: list skype denied tcp 192.168.1.11(1185) (Vlan1 ) -> 193.88.8.59(12350), 7 packets), Skype clients are still able to log in successfully.
Any help would be gratefully accepted, as this is driving me up the wall and around the bend.
Thanks
Ryan
02-11-2009 02:31 PM
Ryan,
I'm not too familiar with FPM technology and cannot say whether it is effective at blocking Skype; I would have to look into this technology. I do know, however, that you can block it using Network-Based Application Recognition, so you may want to have a look at NBAR. I've checked your 124-15.T8 code, which does have support for this feature.
NBAR example config to block Skype:
http://ciscotips.wordpress.com/2006/06/07/how-to-block-skype/
About NBAR / general NBAR config:
http://www.cisco.com/en/US/tech/tk543/tk757/technologies_tech_note09186a0080094ac5.shtml
Regards
02-12-2009 06:23 AM
Hi Jorgemsce,
Thanks for your reply. I am familiar with NBAR and have used it successfully to block BitTorrent and other P2P apps. I have tried it on Skype, however it does not work any longer. Further down on the page you listed it does mention that NBAR worked with Skype 1.0, but with the latest methods NBAR fails to spot/stop the traffic.
I have checked to see if there is an up-to-date PDLM for Skype but have not found one. So I am still stuck with not being able to stop the pesky little thing.
I will continue looking. Thanks again for your reply.
Ryan
02-24-2009 06:46 AM
Hi, I've spent about 2 weeks working hard to block Skype on my Cisco 871 router. Finally I found the solution :).
You don't need FPM or NBAR.
The solution is:
Block all ports except those you really need. Skype goes over HTTP and HTTPS.
Deny Skype over HTTP:
class-map type inspect match-all L4-http-class
 match protocol http
class-map type inspect http match-any L7-http-class
 match req-resp protocol-violation
 match request port-misuse any
policy-map type inspect http L7-http-policy
 class type inspect http L7-http-class
  reset
 class class-default
policy-map type inspect vlan1-int-policy
 class type inspect L4-http-class
  inspect
  service-policy http L7-http-policy
 class class-default
  drop log
!
Skype then connects over HTTPS. It sends server hello packets with a length of 112 bytes. Just do this:
route-map block-skype-https permit 10
 match length 112 112
 set interface Null0
!
int vlan 1
 ip policy route-map block-skype-https
!
I hope I helped :)
03-09-2009 07:06 AM
Hiya,
Thanks for this. Looking at the config you sent, how are you attaching the "policy-map type inspect vlan1-int-policy" to the vlan1 interface?
Thanks again for your help so far.
03-09-2009 07:21 AM
Hi.
You don't attach it to an interface. You attach the policy to a zone-pair!
I'm sorry, I forgot to mention that this config works with the Zone-Based Policy Firewall!
03-09-2009 07:32 AM
OK, thanks. I am running the Zone-Based Policy Firewall. At the moment I have two policies set up: one to block incoming traffic on the external interface and a second to block everything but HTTP/HTTPS on the internal interface. I take it you apply the configuration to the policy applied to the internal interface?
Thanks
03-09-2009 08:01 AM
On the zone-based firewall, you apply policies to zone-pairs.
First, I guess you have two zones:
zone security internet
zone security vlan1
Then apply zones to interfaces:
int fastEthernet 4
 zone-member security internet
int vlan1
 zone-member security vlan1
and finally define zone-pairs and apply policies to them:
zone-pair security vlan1-internet source vlan1 destination internet
 service-policy type inspect vlan1-int-policy
zone-pair security internet-vlan1 source internet destination vlan1
 service-policy type inspect int-vlan1-policy
Regards.
03-10-2009 02:31 AM
Thanks for all your help.
After a little bit of tweaking to fit your suggested config in with the current one I had, I have finally stopped that pesky Skype.
I hereby call you Guru :)
Thanks again for your help.
Ryan
03-11-2009 08:03 AM
Hi,
I think I spoke too soon regarding managing to stop Skype. I have got it to block Skype, but I am also stopping access to general HTTPS sites. I don't think the route-map statement is working as it should. If I put an allow HTTPS statement in the class-maps it obviously allows Skype to connect again. Could you have a look at the partial config below to see where I have gone wrong. Thanks.
class-map type inspect match-all L4-http-class
 match protocol http
 match access-group name INSIDE_NETWORK
!
class-map type inspect match-all VPN_PASSTHROUGH_OUTGOING_POLICY
 match class-map VPN_PASSTHROUGH
 match access-group name VPN_Outgoing
!
class-map type inspect match-any EMAIL
 match protocol biff
 match protocol smtp
 match protocol imap
 match protocol imaps
 match protocol imap3
 match protocol lotusnote
 match protocol lotusmtap
 match protocol pop3
 match protocol pop3s
 match protocol qmtp
!
class-map type inspect match-all OUTGOING_EMAIL_POLICY
 match class-map EMAIL
 match access-group name Email
!
class-map type inspect http match-any l7-http-class
 match req-resp protocol-violation
 match request port-misuse any
!
policy-map type inspect http l7-http-policy
 class type inspect http l7-http-class
  reset
!
policy-map type inspect IN_OUT_FW_POLICY
 class type inspect VPN_PASSTHROUGH_OUTGOING_POLICY
  inspect
 class type inspect OUTGOING_EMAIL_POLICY
  inspect
 class type inspect L4-http-class
  inspect
  service-policy http l7-http-policy
 class class-default
  drop log
!
zone security INSIDE
 description **** Inside F/W Interface ****
zone security OUTSIDE
 description **** Outside F/W Interface ****
!
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 description **** F/W Zone Policy - Permitted outgoing traffic ****
 service-policy type inspect IN_OUT_FW_POLICY
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security INSIDE
 ip policy route-map block-skype-https
!
ip access-list extended Email
 remark **** Defines outgoing mail ****
 permit ip 192.168.1.0 0.0.0.255 any
!
ip access-list extended INSIDE_NETWORK
 remark **** Defines inside network ****
 permit ip 192.168.1.0 0.0.0.255 any
!
ip access-list extended VPN_Outgoing
 remark **** Defines outgoing VPN traffic ****
 permit ip 192.168.1.0 0.0.0.255 any
!
route-map block-skype-https permit 10
 match length 112 112
 set interface Null0
!
I did get the following error when I configured the route-map:
%Warning:Use P2P interface for routemap set interface clause
Thanks for all your help so far.
Ryan
03-11-2009 08:54 AM
Hi, what version of IOS do you use?
I saw that the new version 12.4(24)T gives me the same error for the route-map.
Then you can use the following (it does the same work as the route-map):
!
class-map c1
 match packet length min 112 max 112
!
policy-map p1
 class c1
  drop
!
interface vlan1
 service-policy input p1
!
You can put an allow HTTPS statement in the class-maps without worry! Skype will not go over HTTPS, since you have policy-map p1 configured on your vlan1 interface.
And I have tried this for Skype 3.8!
I'm not sure if it will work for other versions of Skype.
Good luck!
P.S. Please tell me what the result is after that!
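Added example, not part of any post in this thread: a small Python model of how the class-maps and the IN_OUT_FW_POLICY policy-map from Ryan's config combine with the length-112 policy p1 on Vlan1, showing that class-default drops HTTPS until an HTTPS class is added, and that the length match drops every 112-byte packet regardless of protocol. The Flow attributes, the protocol labels and the https-class are assumptions standing in for the firewall's own inspection engine.

```python
from dataclasses import dataclass


@dataclass
class Flow:
    """Attributes the firewall classifies on (constructed input, not captured traffic)."""
    protocol: str      # application protocol as the inspect engine labels it (assumed)
    src_inside: bool   # source is in 192.168.1.0/24 (INSIDE_NETWORK / Email ACLs)
    length: int        # IP packet length in bytes

MAIL = {"biff", "smtp", "imap", "imaps", "imap3", "lotusnote", "lotusmtap",
        "pop3", "pop3s", "qmtp"}

# class-map type inspect <match-all|match-any>: (mode, predicates over a Flow)
CLASS_MAPS = {
    "L4-http-class": ("match-all", [lambda f: f.protocol == "http",
                                    lambda f: f.src_inside]),
    "EMAIL": ("match-any", [lambda f: f.protocol in MAIL]),
    "OUTGOING_EMAIL_POLICY": ("match-all", [lambda f: matches("EMAIL", f),
                                            lambda f: f.src_inside]),
    # hypothetical class that would be added to let HTTPS through
    "https-class": ("match-all", [lambda f: f.protocol == "https",
                                  lambda f: f.src_inside]),
}


def matches(name, flow):
    """match-all needs every predicate to hit; match-any needs one."""
    mode, preds = CLASS_MAPS[name]
    hits = [p(flow) for p in preds]
    return all(hits) if mode == "match-all" else any(hits)


def policy_in_out(allow_https=False):
    """Ordered classes of IN_OUT_FW_POLICY; class-default (drop log) is implicit."""
    classes = [("OUTGOING_EMAIL_POLICY", "inspect"), ("L4-http-class", "inspect")]
    if allow_https:
        classes.append(("https-class", "inspect"))
    return classes


def zone_pair_action(flow, allow_https=False):
    """First matching class wins, as in a policy-map type inspect."""
    for cls, action in policy_in_out(allow_https):
        if matches(cls, flow):
            return action
    return "drop"


def vlan1_action(flow, allow_https=False, p1_attached=True):
    """Interface policy p1 (class c1: match packet length min 112 max 112 -> drop)
    is evaluated here before the zone-pair policy and is blind to protocol."""
    if p1_attached and flow.length == 112:
        return "drop"
    return zone_pair_action(flow, allow_https)
```

Run the assertions below against it to see the interaction Ryan describes: the HTTPS class is what reopens the path, and p1 only removes packets of exactly 112 bytes, whatever they carry.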
03-11-2009 09:24 AM
Hi,
No luck unfortunately, despite placing the new policy on the VLAN interface to drop packets with a length of 112. As soon as I add the allow HTTPS rule into the firewall rules for outgoing traffic, Skype goes and connects.
IOS is Advanced IP Services 12.4(22)T.
Skype version is V4.0.0.206
I think I am going to go back to the customer and say I can't stop the newest versions.
Thank you for all your help and advice.
Kind Regards
Ryan
03-12-2009 12:53 AM
Hi,
Wait 2-3 days. I'm going to see how Skype v4 works and, if I can block it, I'll write you back.
03-12-2009 01:52 AM
Hi,
Thanks for all your help you have given me so far.
03-12-2009 06:22 AM
OK, I've tried to block Skype version 4 and still without result :(
I can tell you a way that will work if your users use well-known HTTPS sites.
You can do a class-map like this:
!
class-map type inspect match-all https-class
 match protocol https
 match access-group 111
!
access-list 111 permit ip 192.168.0.0 0.0.0.255 host www.paypal.com
access-list 111 permit ip 192.168.0.0 0.0.0.255 host www.mail.yahoo.com
access-list 111 permit ip 192.168.0.0 0.0.0.255 host www.signin.ebay.com
and so on.
That way you will allow access only to certain HTTPS sites, and Skype will not be able to connect. Probably you will have to write a long access-list, but this is the only method to block Skype for now.
If I find a better solution, I will let you know.
bye