Zone based firewall and Bittorrent protocol

Nick Cutting
Level 1

Good morning chaps.


I have a security licence on a Cisco 1921. I do not have an application license.

I am using zone based firewall.

 

When creating a class map, if I do a "normal" one I am able to match on the P2P protocols:

Class Map match-any ALL-P2P-PROTOCOLS (id 25)
   Match protocol bittorrent
   Match protocol edonkey
   Match protocol gnutella
   Match protocol kazaa2
   Match protocol fasttrack

 

Now, as you know, you cannot use non inspect class-maps in an inspect Policy-map:

 class ALL-P2P-PROTOCOLS of type default is not allowed in policy-map PM_GUEST_TO_OUTSIDE_POLICY of type inspect

 

Now the problem I have is that under an inspect class-map I cannot use these protocols; they are missing!

In the Cisco docs, they are there.

http://www.cisco.com/c/en/us/support/docs/routers/3800-series-integrated-services-routers/110388-ios-block-p2p.html

 

class-map type inspect match-any ALL-P2P-PROTOCOLS
1921(config-cmap)#   match protocol ?

  802-11-iapp        IEEE 802.11 WLANs WG IAPP
  ace-svr            ACE Server/Propagation
  aol                America-Online Instant Messenger
  appleqtc           Apple QuickTime
  bgp                Border Gateway Protocol
  biff               Bliff mail notification
  bootpc             Bootstrap Protocol Client
  bootps             Bootstrap Protocol Server
  cddbp              CD Database Protocol
  cifs               CIFS
  cisco-fna          Cisco FNATIVE
  cisco-net-mgmt     cisco-net-mgmt
  cisco-svcs         cisco license/perf/GDP/X.25/ident svcs
  cisco-sys          Cisco SYSMAINT
  cisco-tdp          Cisco TDP
  cisco-tna          Cisco TNATIVE
  citrix             Citrix IMA/ADMIN/RTMP
  citriximaclient    Citrix IMA Client
  clp                Cisco Line Protocol
  creativepartnr     Creative Partnr
  creativeserver     Creative Server
  daytime            Daytime (RFC 867)
  dbase              dBASE Unix
  dbcontrol_agent    Oracle dbControl Agent po
  ddns-v3            Dynamic DNS Version 3
  dhcp-failover      DHCP Failover
  discard            Discard port
  dns                Domain Name Server
  dnsix              DNSIX Securit Attribute Token Map
  echo               Echo port
  entrust-svc-hdlr   Entrust KM/Admin Service Handler
  entrust-svcs       Entrust sps/aaas/aams

 

Do I need the application licences so that I can use the Advanced NBAR protocol packs?

2 Replies

Bilal Nawaz
VIP Alumni

Enhanced NBAR should be included in the security license. I haven't tried blocking bittorrent with zbfw. But an idea comes to mind, along with ZBFW you can apply a service policy on the outgoing interface to drop this kind of traffic.

class-map match-any ALL-P2P-PROTOCOLS
 match protocol bittorrent
 match protocol edonkey
 match protocol gnutella
 match protocol kazaa2
 match protocol fasttrack
!
policy-map PM-ALL-P2P-PROTOCOLS
 class ALL-P2P-PROTOCOLS
  drop
 class class-default
 ! no action on class-default: all other traffic is forwarded unchanged
!
interface x/x
 ! the outgoing (internet-facing) interface
 service-policy output PM-ALL-P2P-PROTOCOLS

Hopefully that would work. I haven't tested it myself though.

Hope this helps

Bilal

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
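To show how the two mechanisms sit side by side, here is an added worked configuration (mine, not Bilal's or Nick's, and not tested on a 1921): the zone-based firewall handles the guest-to-internet inspection with the protocols that are available in a `class-map type inspect`, while a separate, non-inspect NBAR class-map drives an MQC `drop` policy on the outside interface to discard the P2P traffic the firewall cannot match. Zone names, the `CM_GUEST_BASIC` class-map and the GigabitEthernet interface numbers are assumptions; only `PM_GUEST_TO_OUTSIDE_POLICY`, `ALL-P2P-PROTOCOLS` and `PM-ALL-P2P-PROTOCOLS` come from the thread.

```cisco
! Added example, not from the original thread. Zone names, interface
! numbers and CM_GUEST_BASIC are assumed.
zone security GUEST
zone security OUTSIDE
!
! Inspect class-map: only protocols offered by "match protocol ?" under
! class-map type inspect are usable here (no bittorrent/edonkey/...)
class-map type inspect match-any CM_GUEST_BASIC
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM_GUEST_TO_OUTSIDE_POLICY
 class type inspect CM_GUEST_BASIC
  inspect
 class class-default
  drop log
!
zone-pair security GUEST-TO-OUTSIDE source GUEST destination OUTSIDE
 service-policy type inspect PM_GUEST_TO_OUTSIDE_POLICY
!
! Plain (non-inspect) NBAR class-map: this is where the P2P protocols
! can still be matched, so it feeds a QoS policy rather than the ZBFW
class-map match-any ALL-P2P-PROTOCOLS
 match protocol bittorrent
 match protocol edonkey
 match protocol gnutella
 match protocol kazaa2
 match protocol fasttrack
!
policy-map PM-ALL-P2P-PROTOCOLS
 class ALL-P2P-PROTOCOLS
  drop
 class class-default
 ! no action: everything else is forwarded
!
interface GigabitEthernet0/0
 description Guest LAN (assumed interface)
 zone-member security GUEST
!
interface GigabitEthernet0/1
 description Internet (assumed interface)
 zone-member security OUTSIDE
 service-policy output PM-ALL-P2P-PROTOCOLS
```

The two policies are independent: the zone-pair inspects sessions from GUEST to OUTSIDE, and the MQC policy classifies whatever egresses the outside interface. Whether the drop is actually catching anything is visible in the per-class counters of `show policy-map interface GigabitEthernet0/1 output`; if the `ALL-P2P-PROTOCOLS` class shows no matches while clients are clearly using BitTorrent, NBAR on this release is not classifying the (typically encrypted or obfuscated) traffic and the drop policy gives no protection. That check matters because, as the next reply notes, the P2P protocols were deprecated for zone-based firewalls in 15.3(1)T, so this workaround relies on the non-inspect NBAR classifier alone.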

akimawik7
Level 1

I had the same issue, and then came across this little tidbit of info:

  •  In Cisco IOS Release 15.3(1)T and later releases, the peer-to-peer protocols are deprecated. You cannot configure the peer-to-peer protocols with zone-based policy firewalls.

This is listed in the restrictions of this doc:  http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/15-mt/sec-data-zbf-15-mt-book/sec-zone-pol-fw.html#GUID-6ECF1303-423F-4809-9329-8876F79D2FA7

 
