After several talks with Cisco about how to go about blocking these custom ports, the most effective solution is this:
regex bit-torrent-tracker ".*[Ii][Nn][Ff][Oo]_[Hh][Aa][Ss][Hh]=.*"
object-group service BitTorrent-Tracker tcp
 description TCP Ports used by Bit Torrent for tracker communication
 port-object eq 2710
 port-object eq 6969
object-group service Blocked-UDP-Ports udp
 port-object range 10001 65535
 port-object range 1024 9999
access-list inside-out extended deny tcp any any object-group BitTorrent-Tracker log warnings
access-list inside-out extended deny udp any any object-group Blocked-UDP-Ports log warnings
access-list inside-out extended permit tcp any any
access-list inside-out extended permit udp any any
access-list inside-out extended permit icmp any any echo
access-group inside-out in interface inside
class-map http_traffic
 match port tcp eq www
class-map type inspect http match-all bit-torrent-tracker
 match request args regex bit-torrent-tracker
 match request method get
policy-map type inspect http Drop-P2P
 parameters
  protocol-violation action drop-connection log
 class bit-torrent-tracker
  drop-connection log
policy-map global_policy
 class http_traffic
  inspect http Drop-P2P
service-policy global_policy global
policy-map type inspect http P2P_HTTP
 parameters
 match request uri regex _default_gator
  drop-connection log
 match request uri regex _default_x-kazaa-network
  drop-connection log
policy-map IM_P2P
 class P2P
  inspect http P2P_HTTP
This prevents BitTorrent from connecting and also logs the issue.
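As an added illustration (not from the original post or from Cisco), the following Python mirrors the ACL and HTTP-inspection logic of the configuration above and runs it over constructed sample flows, so you can see what the policy catches and what it does not: tracker announces over HTTPS (tcp/443 is never inspected), non-GET requests (the class-map requires method get), and UDP port 10000, which falls between the two port-object ranges. The Flow type and the verdict strings are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Same pattern as the ASA "regex bit-torrent-tracker" line: case-insensitive "info_hash=".
TRACKER_RE = re.compile(r".*[Ii][Nn][Ff][Oo]_[Hh][Aa][Ss][Hh]=.*")
# object-group BitTorrent-Tracker and Blocked-UDP-Ports, as configured above.
TRACKER_TCP_PORTS = {2710, 6969}
BLOCKED_UDP_RANGES = [(10001, 65535), (1024, 9999)]

@dataclass
class Flow:                # hypothetical flow record for this example
    proto: str             # "tcp" or "udp"
    dport: int             # destination port
    method: str = ""       # HTTP request method, when the flow is HTTP on tcp/80
    args: str = ""         # HTTP query string ("request args" in ASA terms)

def acl_verdict(flow: Flow) -> str:
    """Mirror the inside-out ACL: deny tracker TCP ports and the UDP ranges, permit the rest."""
    if flow.proto == "tcp" and flow.dport in TRACKER_TCP_PORTS:
        return "deny"
    if flow.proto == "udp" and any(lo <= flow.dport <= hi for lo, hi in BLOCKED_UDP_RANGES):
        return "deny"
    return "permit"

def http_inspect_verdict(flow: Flow) -> str:
    """Mirror class-map bit-torrent-tracker (match-all): GET on tcp/80 whose args match the regex."""
    if (flow.proto == "tcp" and flow.dport == 80
            and flow.method.upper() == "GET" and TRACKER_RE.match(flow.args)):
        return "drop-connection"
    return "pass"

def evaluate(flow: Flow) -> str:
    """ASA order of operations: interface ACL first, then the HTTP inspection policy."""
    if acl_verdict(flow) == "deny":
        return "denied by ACL"
    if http_inspect_verdict(flow) == "drop-connection":
        return "dropped by http inspect"
    return "permitted"

if __name__ == "__main__":
    # Constructed sample flows (hypothetical, not captured traffic).
    for f in [Flow("tcp", 6969, "GET", "info_hash=%12%34&peer_id=abc"),  # tracker port: ACL
              Flow("tcp", 80, "GET", "INFO_HASH=%12%34&peer_id=abc"),    # announce on 80: inspect
              Flow("tcp", 80, "POST", "info_hash=%12%34"),               # not GET: passes
              Flow("tcp", 443), Flow("udp", 6881), Flow("udp", 10000)]:  # 443 and 10000 pass
        print(f"{f.proto}/{f.dport} {f.method or '-'}: {evaluate(f)}")
```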
Our setup is actually an MPLS setup. We have the ASA's management-port MAC address, as listed in the ASA, saved on the DHCP server as a reserved IP. See, after entering the commands listed above, the connection is still refused. I'd like the ASDM on this subnet to be able to see the ASAs on the other subnets over the MPLS connection. I went out and tried the public IP address listed by a tracker and still had no luck, and later removed it when it failed.