access-list MSN_OUT_BLOCK line 1 extended deny tcp any 22.214.171.124 255.255.0.0 eq https
access-list MSN_OUT_BLOCK line 2 extended deny tcp any any eq 1863
access-list MSN_OUT_BLOCK line 3 extended deny udp any any eq 1863
access-list MSN_OUT_BLOCK line 4 extended deny tcp any 126.96.36.199 255.255.255.0
access-list MSN_OUT_BLOCK line 5 extended permit ip any any
But I want certain people within the network to be able to access MSN Messenger. Is there any way I can do this without setting up another reserved scope on the DHCP server?
I don't have an ASA, but the way I managed this on the PIX is that I always use the "permit some and deny all" policy. Then, for the people that require the access, I granted them TCP 1863 and UDP 7001. The problem with IM software like MSN and Google Talk is that they use TCP port 80 instead if their primary ports are blocked. To counter this I used Microsoft ISA to filter the HTTP traffic. Now everything is under control and only the allowed people can access IM.
Well, creating scopes seems to be the only logical solution to this problem; otherwise the PIX would either allow the subnet or deny it. For specific ports and services you have to assign the clients specific IP addresses so that you are in a better position to control what's going on.
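To illustrate the ordering point behind the "permit some, deny all" approach in the replies, here is an added Python example (not code from the thread, from Cisco, or from either poster). It parses ACL entries in the format posted above, applies the first-match semantics an ASA/PIX uses, and flags entries that an earlier entry completely shadows. The allowed hosts 192.0.2.25 and 192.0.2.26, the destination addresses, and the per-host port set (TCP 1863 and UDP 7001, as granted in the first reply) are assumptions; the port-80 fallback the reply mentions is outside what this ACL can address and is not modelled.

```python
"""First-match evaluation of ASA/PIX-style extended ACL entries (added example).

Shows that the per-host permits for users who may use Messenger only take
effect when they sit above the deny entries; appended below them, they are
shadowed and never match.  All host/destination addresses are constructed.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Port keywords the ASA prints instead of numbers (subset sufficient here).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22}

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:line\s+\d+\s+)?extended\s+"
    r"(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


class Ace(NamedTuple):
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]  # None: any destination port


class Flow(NamedTuple):
    proto: str
    src: str
    dst: str
    port: int


def parse_addr(text: str) -> ipaddress.IPv4Network:
    """'any', 'host A.B.C.D' or 'A.B.C.D MASK' (ASA/PIX use real netmasks, not wildcards)."""
    if text == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if text.startswith("host "):
        return ipaddress.IPv4Network(text.split()[1] + "/32")
    addr, mask = text.split()
    # strict=False drops host bits, e.g. 22.214.171.124/255.255.0.0 -> 22.214.0.0/16
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_ace(line: str) -> Ace:
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    port = m.group("port")
    port_num = None if port is None else (PORT_NAMES.get(port) or int(port))
    return Ace(m.group("action"), m.group("proto"),
               parse_addr(m.group("src")), parse_addr(m.group("dst")), port_num)


def evaluate(aces: List[Ace], flow: Flow):
    """(action, index) of the first matching ACE; unmatched traffic hits the implicit deny."""
    src, dst = ipaddress.IPv4Address(flow.src), ipaddress.IPv4Address(flow.dst)
    for i, ace in enumerate(aces):
        if ace.proto not in ("ip", flow.proto):
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.port is not None and ace.port != flow.port:
            continue
        return ace.action, i
    return "deny", None


def decision(aces: List[Ace], proto: str, src: str, dst: str, port: int) -> str:
    return evaluate(aces, Flow(proto, src, dst, port))[0]


def covers(outer: Ace, inner: Ace) -> bool:
    """True when every flow matching `inner` also matches `outer`."""
    return (outer.proto in ("ip", inner.proto)
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and (outer.port is None or outer.port == inner.port))


def shadowed(aces: List[Ace]) -> List[int]:
    """Indices of ACEs fully covered by an earlier ACE; such entries can never match."""
    return [i for i, ace in enumerate(aces) if any(covers(aces[j], ace) for j in range(i))]


# The ACL as posted in the thread.
POSTED_ACL = [
    "access-list MSN_OUT_BLOCK line 1 extended deny tcp any 22.214.171.124 255.255.0.0 eq https",
    "access-list MSN_OUT_BLOCK line 2 extended deny tcp any any eq 1863",
    "access-list MSN_OUT_BLOCK line 3 extended deny udp any any eq 1863",
    "access-list MSN_OUT_BLOCK line 4 extended deny tcp any 126.96.36.199 255.255.255.0",
    "access-list MSN_OUT_BLOCK line 5 extended permit ip any any",
]
ALLOWED_HOSTS = ["192.0.2.25", "192.0.2.26"]  # constructed: fixed addresses of the permitted users


def exception_lines(hosts: List[str]) -> List[str]:
    """Per-host permits for the ports the reply grants (tcp 1863, udp 7001)."""
    lines = []
    for h in hosts:
        lines.append(f"access-list MSN_OUT_BLOCK extended permit tcp host {h} any eq 1863")
        lines.append(f"access-list MSN_OUT_BLOCK extended permit udp host {h} any eq 7001")
    return lines


ORIGINAL = [parse_ace(l) for l in POSTED_ACL]
FIXED = [parse_ace(l) for l in exception_lines(ALLOWED_HOSTS) + POSTED_ACL]    # permits above the denies
APPENDED = [parse_ace(l) for l in POSTED_ACL + exception_lines(ALLOWED_HOSTS)]  # permits below: shadowed

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("permits first", FIXED), ("permits appended", APPENDED)):
        print(f"{name:17} allowed host tcp/1863: {decision(acl, 'tcp', '192.0.2.25', '203.0.113.9', 1863):6}"
              f" | other host: {decision(acl, 'tcp', '192.0.2.77', '203.0.113.9', 1863):6}"
              f" | shadowed entries: {shadowed(acl)}")
```

Running the script prints one line per ACL variant: the posted ACL denies everyone on 1863, the "permits first" version lets only the listed hosts through while still denying other hosts, and the "permits appended" version behaves exactly like the posted ACL because its four new entries are reported as shadowed. The `shadowed()` check is worth running on any ACL before pushing it, since the device accepts a shadowed entry without complaint.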