TOPIC: Cisco ASA 5510 MSN Messenger Block

Hey folks,

I am having quite a bit of trouble filtering out MSN Messenger on my companies network. Maybe you could help me out?
I have tried ACLs and group policies with no luck.

Details:
[code:1]Cisco Adaptive Security Appliance Software Version 7.2(1)
Device Manager Version 5.2(1)
[/code:1]

Here is the ACL that i tried:

[code:1]
access-list MSN_OUT_BLOCK extended deny tcp 192.168.55.0 255.255.255.0 any range 6891 6900
access-list MSN_OUT_BLOCK extended deny udp 192.168.55.0 255.255.255.0 any range 6891 6900
access-list MSN_OUT_BLOCK extended deny tcp 192.186.55.0 255.255.255.0 any eq 6901
access-list MSN_OUT_BLOCK extended deny udp 192.168.55.0 255.255.255.0 any eq 6901
access-list MSN_OUT_BLOCK extended permit tcp 192.168.55.0 255.255.255.0 any eq www
access-list MSN_OUT_BLOCK extended deny ip 192.168.55.0 255.255.255.0 207.46.248.0 255.255.255.0
access-list MSN_OUT_BLOCK extended deny tcp 192.168.55.0 255.255.255.0 207.46.27.0 255.255.255.0 eq 7001
access-list MSN_OUT_BLOCK extended deny udp 192.168.55.0 255.255.255.0 207.46.27.0 255.255.255.0 eq 7001
access-list MSN_OUT_BLOCK extended deny tcp 192.168.55.0 255.255.255.0 207.46.0.0 255.255.0.0 eq https
access-list MSN_OUT_BLOCK extended deny tcp 192.168.55.0 255.255.255.0 207.46.0.0 255.255.0.0 eq www
access-list MSN_OUT_BLOCK extended deny tcp 192.168.55.0 255.255.255.0 any eq 1863
access-list MSN_OUT_BLOCK extended deny udp 192.168.55.0 255.255.255.0 any eq 1863
access-list MSN_OUT_BLOCK extended permit ip any any

---
access-group MSN_OUT_BLOCK out interface outside8
[/code:1]

Here is the policy which i tried

[code:1]
class-map type regex match-any msn_exempt_list
match regex msnuser1 "booobs\@gmail.com"
match regex msnuser2 "user\@hotmail.com"

class-map type inspect im match-all MSN_BLOCK_CLASS
description "blabla"
match protocol msn-im
match login-name regex class msn_exempt_list

policy-map type inspect im MSN_BLOCK_POLICY
description "Policy blocking MSN IM"

class MSN_BLOCK_CLASS
drop-connection

service-policy MSN_BLOCK_POLICY interface outside8

---

ERROR: % policy-map MSN_BLOCK_POLICY of type (inspect im) cannot be applied to a 'service-policy' command
[/code:1]

any help which you could provide me with would be great.

Thanks,

David Prince

Ok i got it working with the following ACL set:

[code:1]
access-list MSN_OUT_BLOCK line 1 extended deny tcp any 207.46.0.0 255.255.0.0 eq https
access-list MSN_OUT_BLOCK line 2 extended deny tcp any any eq 1863
access-list MSN_OUT_BLOCK line 3 extended deny udp any any eq 1863
access-list MSN_OUT_BLOCK line 4 extended deny tcp any 65.54.239.0 255.255.255.0
access-list MSN_OUT_BLOCK line 5 extended permit ip any any[/code:1]

but i want certain people within the network to be able to access MSN Messenger, is there anyway i can do this without setting up another reserved scope on the DHCP server?

Thanks,

David Prince

hi,

i don't have an ASA, but the way i managed this on the PIX is, i always use the permit some and deny all policy. then for the people that require the access i granted them, tcp 1863 and udp 7001. the problem with IM software like MSN and googletalk is that they use the tcp port 80 instead if their primary ports are blocked. to counter this i used Microsoft ISA to filter the http traffic. Now everything is under control and only the allowed people can access IM.

hope this helped.

yes, this is what i want to do, but because all the employees are assigned IP's via DHCP its hard to permit certain users

is there anyway of permitting certain users without making a reserved scope and assigning static IP's to the people who need msn

Well, creating scopes seems to be the only logical solution to this problem, otherwise the PIX would either allow the subnet or would deny it. For specific ports and services you have to assign the clients with specific IP addresses so that you are in better position to control whats going on.

Regards

Exactly- you'd have to create static reservations in your DHCP or put static IPs for those machine manually and then allow those on the firewall, while denying eveyone else....