Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2666
Views
5
Helpful
17
Replies

Blocking Skype on 877

Go to solution
williamsryan
Level 1
Level 1

‎02-06-2009 07:49 AM - edited ‎03-09-2019 10:01 PM

Hi all,

Can any one please tell me if it is possible to completely block the use of Skype on an internal network using an 877 ADSL router. I am running advanced ip services 124-15.T8.

I have read, followed and implemented the cisco document "Cisco IOS Flexible Packet Matching(FPM) Getting started with Cisco IOS FLexible Packet Matching", which gives an example of blocking Skype at the end. However, even though I can see certain Skype traffic being blocked (01116: Feb 6 2009 15:42:17.308 GMT: %SEC-6-IPACCESSLOGP: list skype denied tcp

192.168.1.11(1185) (Vlan1 ) -> 193.88.8.59(12350), 7 packets), skype clients are still able to log in successfully.

Any help would be gratefuly accepted as this is driving me up the wall and around the bend.

Thanks

Ryan

Labels:
0 Helpful
17 Replies 17

Go to solution
zenon_electronics
Level 1
Level 1
In response to williamsryan

‎03-12-2009 08:09 AM

hi, I even find another way to block skype version 4!!!

config:

!

load protocol system:/fpm/phdf/ip.phdf

load protocol system:/fpm/phdf/tcp.phdf

!

class-map type stack match-all ip_tcp

match field IP protocol eq 6 next TCP

class-map type access-control match-all skype

match start TCP payload-start offset 0 size 4 eq 0x17030100

!

policy-map type access-control child

class skype

log

drop

policy-map type access-control parent

class ip_tcp

service-policy child

!

int vlan1

service-policy type access-control input parent

int fastEthernet 4

service-policy type access-control input parent

!

I've tryed it and works fine.

With this config you even don't need the policy for protocol-violation.

Good luck!

0 Helpful

Go to solution
williamsryan
Level 1
Level 1
In response to zenon_electronics

‎03-18-2009 05:20 AM

Hi again,

Apologies for the delay, been rushed off my feet on other projects.

I have tried implementing the FPM solution previously but it failed, but I thought I would give it another go. The first hitch I came across was with the line

"match field IP protocol eq 6 next TCP"

my ios wouldn't except the "IP", only offering a "layer" option after the match field section.

Any ideas?

Thanks

Ryan

0 Helpful

Go to solution
williamsryan
Level 1
Level 1
In response to williamsryan

‎03-18-2009 07:31 AM

Ignore the last entry that was me being silly and forgeting to load the phdf files. I have tried it though and I have had the same results as previously using the FPM solution e.g. I am still getting through with skype.

I have upgraded my IOS to c870-advipservicesk9-mz.124-24.T.bin

0 Helpful
Customers Also Viewed These Support Documents