Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
643
Views
10
Helpful
5
Replies

Can you block Hotmail but allow Messenger using a 2600 ACL

keithglanville
Level 1
Level 1

‎12-06-2006 02:08 AM - edited ‎02-20-2020 09:38 PM

Hi, We use a Cisco 2600 router on our leased line. We want to block staff access to hotmail (in fact all external web mail sites) but still allow MSN Messenger (which we use to communicate with several home workers). I have played with blocking several IP addresses on an outbound ACL on the serial 0/0 interface but with limited success. Any hints and tips with regard to technique and IP to block etc? Thanks

Labels:
0 Helpful
5 Replies 5

m.sir
Level 7
Level 7

‎12-06-2006 02:39 AM

I block IPs 64.4.33.7 and 64.4.32.7 should be enough

M.

andrew.burns
Level 7
Level 7

‎12-06-2006 04:21 AM

Hi,

You'll struggle to do this reliably just using IP's as there's no guarantee they won't change and there's no way of reliably getting a list of even the big three (hotmail, gmail, yahoo) let alone any of the others (.mac, hushmail, lycos, muchomail, mail.com, etc etc). The only way to do this reliably is with a 3rd-party product like websense, webwasher, etc.

Note that if you use a default route to the Internet then any clued-up user just needs to point their browser at a public proxy to bypass your ACL - unless you have a list of all the public proxies..

Also - I'd ask why do you want to block web mail? (blocking IM is usually at the top of the list in a security policy along with P2P). The reasoning is that webmail usually has a built-in anti-virus whereas IM/P2P has the ability to share any damaging content.

Just some thoughts - HTH

Andrew.

mheusinger
Level 10
Level 10
In response to andrew.burns

‎12-06-2006 05:57 AM

Hi,

you could use NBAR to block URLs, if your IOS does support it. This could look like this:

ip cef

class-map match-any BlockStuff

match protocol http url "*hotmail*"

match protocol http url "*gmail*"

policy-map BlockMail

class BlockStuff

drop

interface Serial0/0

service-policy output BlockMail

Hope this helps! Please rate all posts.

Regards, Martin

keithglanville
Level 1
Level 1
In response to mheusinger

‎12-06-2006 07:29 AM

Thanks but I don't think my humble 2510 supports ip cef. You need a 7500 or a 12000 according to O'Reilly.

0 Helpful

keithglanville
Level 1
Level 1
In response to mheusinger

‎12-06-2006 07:38 AM

I take it back - it seems that it does. I just now need to understand what this config is doing so I know what I am implementing. Many thanks.

0 Helpful
Customers Also Viewed These Support Documents