01-31-2005 01:10 PM - edited 03-09-2019 10:11 AM
Since some of these are web implementations it seems difficult to block. Will this be easier in the PIX 7.0 code?
01-31-2005 03:08 PM
I have felt your pain,
The troublesome issue about blocking IMs is that a couple, like Yahoo, will attempt to use port 80 if their own default port is blocked. Skype uses 443 as well.
I have provided some information that can help you resolve these issues. This is an extensive list, but it covers most all known IMs.
HTH....
BLOCKING IMs
--------------------------------------------------------------------------------
Yahoo Messenger uses these ports:
Voice Chat: 5000-5001
Messages: 5050
Webcams: 5100
Games: 11999
MS Netshow: 1755
MSN Messenger: 1863
AOL IM: 5190
Kazaa: 1214
[0003]
Type=TCP
Translation=NORMAL
Port=3000
AIM Talk
OUT TCP 4099
IN TCP 5190
CuSeeMe
OUT UDP 24032
IN UDP 1414 [use H.323 protocol if available]
IN UDP 1424 [use H.323 protocol if available]
IN TCP 1503
IN TCP 1720 [use H.323 protocol if available]
IN UDP 1812 1813
IN TCP 7640
IN TCP 7642
IN UDP 7648
IN TCP 7648
IN TCP 7649 7649
IN UDP 24032
IN UDP 56800
OUT UDP 1414 [use H.323 protocol if available]
OUT UDP 1424 [use H.323 protocol if available]
OUT TCP 1503
OUT TCP 1720 [use H.323 protocol if available]
OUT UDP 1812 1813
OUT TCP 7640
OUT TCP 7642
OUT UDP 7648
OUT TCP 7648
ICQ
OUT UDP 4000
IN TCP 20000 20019 for one user
OR
IN TCP 20000 20039 for two users
OR
IN TCP 20000 20059 for three users, etc.
ICUII Client
OUT TCP 2019
IN TCP 2000 2038
IN TCP 2050 2051
IN TCP 2069
IN TCP 2085
IN TCP 3010 3030
OUT TCP 2000 2038
OUT TCP 2050 2051
OUT TCP 2069
OUT TCP 2085
OUT TCP 3010 3030
ICUII Client (Version 4.xx)
IN TCP 1024 - 5000
IN TCP 2000 - 2038
IN TCP 2050 - 2051
IN TCP 2069
IN TCP 2085
IN TCP 3010 - 3030
IN TCP 6700 - 6702
IN TCP 6880
IN UDP 12000 - 16090
mIRC DCC / IRC DCC
IN TCP 1024 - 5000
mIRC Chat
(The IRC port is usually 6667)
IN TCP 6660 - 6669
mIRC IDENT
IN UDP 113
MSN Messenger
NOTE:
Ports 6891-6900 enable File send,
Port 6901 is for voice communications
Allows Voice, PC to Phone, Messages, and Full File transfer capabilities.
IN TCP 6891 - 6900
IN TCP 1863
IN UDP 1863
IN UDP 5190
IN UDP 6901
IN TCP 6901
Net2Phone
OUT UDP 6801
IN UDP 6801
PhoneFree
IN UDP 1034 - 1035
IN UDP 9900 - 9901
IN TCP 1034 - 1035
IN TCP 2644
IN TCP 8000
This mapping is needed to hear the audio from the incoming party; outgoing audio would work without it.
** According to PhoneFree, the ports you need open are:
8000 TCP For Server access
1034 UDP Voice in/out
1035 TCP Voice in/out
2644 TCP Personal Communication Center
I found that port range 9900-9901 UDP is also needed, but it is not mentioned by PhoneFree support.
Also shut off any other firewall programs you may have running.
To make PC-TO-PHONE calls, it seems only UDP port 9900 must be opened (the fewer ports open, the better!).
Polycom ViaVideo H.323
IN TCP 3230 - 3235
IN UDP 3230 - 3235
Yahoo Messenger Chat
IN TCP 5000 - 5001
Yahoo Messenger Messages
IN TCP 5050
Yahoo Messenger Webcams
IN TCP 5100
Yahoo Messenger Phone
IN UDP 5055
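As an added example (not code from the original post or from Cisco), the Python script below parses the IN/OUT port notation used in the list above into PIX 6.3-style access-list lines, deduplicates ports that several applications share, and flags very wide ranges such as 1024 - 5000 that would also deny ordinary ephemeral-port traffic. The ACL name inside_out and the sample subset are assumptions; so is the simplification that every listed port is treated as a destination port for traffic leaving the inside interface. These deny lines only cover the default ports; clients that fall back to 80/443, as the post notes, are not caught by them.

```python
"""Added example: turn the IN/OUT port notation of the post's list into
PIX 6.3-style access-list lines and flag ranges too wide to deny safely.
Not from the original post; the ACL name and sample subset are assumptions."""
import re

# Constructed sample in the same notation as the post (a subset, not the full list).
PORT_NOTES = """
MSN Messenger
IN TCP 6891 - 6900
IN TCP 1863
IN UDP 1863
AIM Talk
OUT TCP 4099
IN TCP 5190
Yahoo Messenger Messages
IN TCP 5050
"""

# "IN TCP 6891 - 6900", "IN UDP 1812 1813" and "IN TCP 1720 [use H.323 ...]" all match:
# a second number (with or without '-') ends a range; trailing notes are ignored.
LINE_RE = re.compile(r"^(IN|OUT)\s+(TCP|UDP)\s+(\d+)(?:\s*-?\s*(\d+))?", re.IGNORECASE)


def parse_port_notes(text):
    """Return (app, direction, proto, low, high) tuples; non-matching lines name the app."""
    rules, app = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            app = line  # heading such as "MSN Messenger"
            continue
        direction, proto, low, high = m.groups()
        low = int(low)
        high = int(high) if high else low
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"bad port range in line: {line!r}")
        rules.append((app, direction.upper(), proto.lower(), low, high))
    return rules


def wide_ranges(rules, limit=1000):
    """Entries spanning more than `limit` ports (e.g. 'IN TCP 1024 - 5000'); denying
    these also breaks ordinary ephemeral-port traffic, so review them before deploying."""
    return [r for r in rules if r[4] - r[3] + 1 > limit]


def pix_acl(rules, acl_name="inside_out"):
    """Emit one deny line per distinct (proto, range), then the permit-all.
    Assumption for this example: every listed port is a destination port for
    traffic leaving the inside interface, so direction only goes into the remark."""
    lines, seen = [], set()
    for app, direction, proto, low, high in rules:
        key = (proto, low, high)
        if key in seen:
            continue  # same port already denied for another application
        seen.add(key)
        match = f"eq {low}" if low == high else f"range {low} {high}"
        lines.append(f"access-list {acl_name} remark {app} {direction}")
        lines.append(f"access-list {acl_name} deny {proto} any any {match}")
    lines.append(f"access-list {acl_name} permit ip any any")
    return lines


if __name__ == "__main__":
    parsed = parse_port_notes(PORT_NOTES)
    for entry in wide_ranges(parsed):
        print("# review before applying, very wide range:", entry)
    print("\n".join(pix_acl(parsed)))
    print("access-group inside_out in interface inside")
```

The `remark` keyword requires PIX 6.3 or later; on older code drop those lines. Run the script with the full list from the post pasted into PORT_NOTES and check the wide-range warnings before applying the output.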
01-31-2005 04:04 PM
Thank you, aftermath! I'm hoping that in the new release of the PIX 7.0 maybe there will be some fixups that'll take care of this.
02-01-2005 04:12 PM
You may manipulate the DNS record by pointing those domains/URLs to a fake IP address.
However, it only works if your company hasn't got many IT staff, since it can be overcome by adding a local host entry.
02-01-2005 05:47 PM
Hi,
It's not easy to block MSN Messenger unless port 80 is also blocked.
But somebody suggested I block messenger.msn.com... but nothing happened...
How do I effectively block this messenger without blocking port 80?
Thanks
Tonny
02-02-2005 01:16 AM
I would not bet my money on this.
Cisco has another product (NBAR) which is designed to block such protocols.
02-02-2005 05:48 AM
Hi Again,
Blocking the respective IM ports will keep the IMs from using those ports. However, IMs like Yahoo and AOL will also SEARCH for other ports to use if their respective default ports have been blocked.
NBAR, as previously suggested, will take care of those issues. I have supplied the link for you as well.
HTH
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087cd0.html