Introduction
This document describes how to configure the Cisco PIX/ASA Security Appliances with the Modular Policy Framework (MPF) in order to block Peer-to-Peer (P2P) and Instant Messaging (IM) traffic, such as MSN Messenger and Yahoo Messenger, from the inside network to the Internet. This document also explains how to configure the PIX/ASA so that two specific hosts can use IM applications while the rest of the hosts remain blocked.
Prerequisites
Requirements
This document assumes that the Cisco Security Appliance is configured and works properly.
Components Used
The information in this document is based on the Cisco 5500 Series Adaptive Security Appliance (ASA) that runs software version 7.0 and later.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Related Products
This configuration can also be used with the Cisco 500 Series PIX firewall that runs software version 7.0 and later.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Modular Policy Framework Overview
MPF provides a consistent and flexible way to configure security appliance features. For example, you can use MPF to create a timeout configuration that is specific to a particular TCP application, as opposed to one that applies to all TCP applications.
MPF supports these features:
- TCP normalization, TCP and UDP connection limits and timeouts, and TCP sequence number randomization
- CSC
- Application inspection
- IPS
- QoS input policing
- QoS output policing
- QoS priority queue
The configuration of the MPF consists of four tasks:
- Identify the Layer 3 and 4 traffic to which you want to apply actions. Refer to Identifying Traffic Using a Layer 3/4 Class Map for more information.
- (Application inspection only) Define special actions for application inspection traffic. Refer to Configuring Special Actions for Application Inspections for more information.
- Apply actions to the Layer 3 and 4 traffic. Refer to Defining Actions Using a Layer 3/4 Policy Map for more information.
- Activate the actions on an interface. Refer to Applying a Layer 3/4 Policy to an Interface Using a Service Policy for more information.
Configure the P2P and IM Traffic Blocking
In this section, you are presented with the information to configure the features described in this document.
Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.
Network Diagram
This document uses this network setup:
PIX/ASA 7.0 and 7.1 Configuration
Block the P2P & IM Traffic Configuration for PIX/ASA 7.0 and 7.1
CiscoASA#show run
Refer to the Configuring an HTTP Map for Additional Inspection Control section of the Cisco Security Appliance Command Line Configuration Guide for more information about the http map command and various parameters associated with it.
PIX/ASA 7.2 and Later Configuration
Note: The http-map command is deprecated from software version 7.2 and later. Therefore, you need to use the policy-map type inspect im command in order to block the IM traffic.
Block the P2P & IM Traffic Configuration for PIX/ASA 7.2 and Later
CiscoASA#show running-config
List of built-in regular expressions
regex _default_GoToMyPC-tunnel "machinekey"
PIX/ASA 7.2 and Later: Allow the Two Hosts to Use the IM Traffic
This section uses this network setup:
Note: The IP addressing schemes used in this configuration are not legally routable on the Internet. These are RFC 1918 addresses, which have been used in a lab environment.
If you want to allow IM traffic from a specific set of hosts only, complete the configuration as shown. In this example, the two hosts 10.1.1.5 and 10.1.1.10 on the inside network are allowed to use IM applications such as MSN Messenger and Yahoo Messenger, while IM traffic from all other hosts remains blocked.
IM Traffic Configuration for PIX/ASA 7.2 and Later to Allow Two Hosts
CiscoASA#show running-config
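The 7.2 and later IM block and the two-host exception, assembled into one configuration as an added example (constructed from the commands shown in the Verify section, not the page's original configuration table). It assumes that class-map imblock matches access-list 101 rather than match any, so that the two hosts denied by the ACL are excluded from IM inspection:

```cisco
! Added example, not the original configuration. Assumption: the class map
! selects traffic with access-list 101 instead of "match any", so the two
! hosts that the ACL denies are never sent to IM inspection.
!
! Hosts denied here are NOT matched by the class map (deny = exempt from the
! policy); all other inside traffic is permitted into the class.
access-list 101 extended deny ip host 10.1.1.5 any
access-list 101 extended deny ip host 10.1.1.10 any
access-list 101 extended permit ip any any
!
! Task 1: Layer 3/4 class map that identifies the traffic to inspect.
! Use "match any" here instead to block IM for every inside host.
class-map imblock
 match access-list 101
!
! Task 2: inspection policy map that recognizes MSN and Yahoo IM sessions
! and drops the connection (drop-connection, as in the Verify output).
policy-map type inspect im impolicy
 parameters
 match protocol msn-im yahoo-im
  drop-connection
!
! Task 3: Layer 3/4 policy map that applies IM inspection to the class.
policy-map imdrop
 class imblock
  inspect im impolicy
!
! Task 4: activate the policy on the Internet-facing interface.
service-policy imdrop interface outside
```

After traffic flows, show access-list should show hitcnt increasing on the two deny lines for the exempt hosts, and show service-policy interface outside should show the drop counter for impolicy increasing for everyone else.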
Verify
Use this section to confirm that your configuration works properly.
The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.
- show running-config http-map—Shows the HTTP maps that have been configured.
CiscoASA#show running-config http-map http-policy
!
http-map http-policy
  content-length min 100 max 2000 action reset log
  content-type-verification match-req-rsp reset log
  max-header-length request bytes 100 action log reset
  max-uri-length 100 action reset log
!
- show running-config policy-map—Displays all the policy-map configurations as well as the default policy-map configuration.
CiscoASA#show running-config policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect im impolicy
 parameters
 match protocol msn-im yahoo-im
  drop-connection
policy-map imdrop
 class imblock
  inspect im impolicy
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
You can also use the options in this command as shown here:
show running-config [all] policy-map [policy_map_name | type inspect [protocol]]
CiscoASA#show running-config policy-map type inspect im
!
policy-map type inspect im impolicy
 parameters
 match protocol msn-im yahoo-im
  drop-connection
!
- show running-config class-map—Displays the information about the class map configuration.
CiscoASA#show running-config class-map
!
class-map inspection_default
 match default-inspection-traffic
class-map imblock
 match any
- show running-config service-policy—Displays all currently running service policy configurations.
CiscoASA#show running-config service-policy
service-policy global_policy global
service-policy imdrop interface outside
- show running-config access-list—Displays the access-list configuration that is running on the security appliance.
CiscoASA#show running-config access-list
access-list 101 extended deny ip host 10.1.1.5 any
access-list 101 extended deny ip host 10.1.1.10 any
access-list 101 extended permit ip any any
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
Note: Refer to Important Information on Debug Commands before you use debug commands.
- debug im—Shows the debug messages for IM traffic.
- show service-policy—Displays the configured service policies.
CiscoASA#show service-policy interface outside
Interface outside:
  Service-policy: imdrop
    Class-map: imblock
      Inspect: im impolicy, packet 0, drop 0, reset-drop 0
- show access-list—Displays the counters for an access list.
CiscoASA#show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list 101; 3 elements
access-list 101 line 1 extended deny ip host 10.1.1.5 any (hitcnt=0) 0x7ef4dfbc
access-list 101 line 2 extended deny ip host 10.1.1.10 any (hitcnt=0) 0x32a50197
access-list 101 line 3 extended permit ip any any (hitcnt=0) 0x28676dfa