Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7660
Views
10
Helpful
5
Replies

Blocking Itunes

itccv0822
Level 1
Level 1

‎09-18-2008 07:55 AM - edited ‎03-03-2019 11:36 PM

Hi,

I would like to block people in my office from downloading music off of Itunes. I followed the instructions in Document ID 98684. I tested, and Itunes is still able to download from the store. I have heard that it uses port 80. Is there any way known to block this without disrupting internet activity? Any help would be much appreciated.

Labels:
0 Helpful
5 Replies 5

Danilo Dy
VIP Alumni
VIP Alumni

‎09-18-2008 08:36 AM

iTunes uses port 80, blocking port 80 will block user access to all websites.

If you use a router to block access to iTunes, block outgoing connection to the following;

pri.kts-af.net

tunes.apple.com.akadns.net

17.254.2.170

17.254.4.130

If you use a firewall, block the following ports;

TCP 3689

UDP 5353

Alternatively, if budget permits, you should get a device that can block it using application intelligence. i.e. Packetshaper, Checkpoint SmartDefense. If you have Packetshaper, don't block it, put a very low bandwidth :) so the user can still connect but waiting in vain :)

itccv0822
Level 1
Level 1
In response to Danilo Dy

‎09-18-2008 09:44 AM

Hey, I feel so helpless. I blocked the domains listed using DNS from my domain controller. That blocked streaming from Itunes. I have an ASA 5505 version 7.2. Can someone tell me what CLI commands I would give it to block the 2 IP addresses listed and the ports? Sorry but I get nervous messing with this thing without some expert oversite. I was about to do it but got cold feet when it seemed to delete the implicit rule to "permit all traffic to less secure networks". My outside interface is called "outside". My inside is "inside". Tell me if you need anything else. Again, help is very appreciated.

0 Helpful

chrislisser
Level 1
Level 1
In response to itccv0822

‎09-19-2008 02:14 PM

I just made these changes to block this for a client. I found a third IP address associated with Itunes that you may also want to block. Here's the access list I wrote for their ASA:

access-list inside_access_out extended deny tcp any any eq 3689

access-list inside_access_out extended deny udp any any eq 5353

access-list inside_access_out extended deny ip any host 17.254.2.170

access-list inside_access_out extended deny ip any host 17.254.4.130

access-list inside_access_out extended deny ip any host 17.112.152.61

access-list inside_access_out extended permit ip any any

access-group inside_access_out in interface inside

lcd_shouldit
Level 1
Level 1
In response to chrislisser

‎11-20-2011 04:27 AM

excellent

0 Helpful

islow1303
Level 1
Level 1
In response to chrislisser

‎10-06-2016 06:59 AM

Does this method still work in 2016? :-D

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card