Cisco People

This is how you block Messenger access on a PIX firewall, and it works. Some might ask why not just block all and permit the other, and this is the way I would like to do it one day. But to encounter the least amount of down time I chose to apply it in this fashion.

To block chat programs, simply use an access-list on the PIX. Some of the common chat programs use the following ports:

**********common chat ports**********
tcp 6667 (irc) 6660-6670 (the default being 6667)
tcp 6665-6669 (common IRC)
tcp 5190 (aol)
tcp 5190, dyn >=1024 (aol ICQ)
tcp/udp 5190-5193 (aol)
tcp 1863 (msn)
tcp/udp 4020 (ichat)
tcp 5000-5001 and udp 5000-5010 (Yahoo voice chat)
tcp 5050 (Yahoo messages)
tcp 5100 (Yahoo Webcams)

Below you can get the config for the pix:

access-list acl_inside deny tcp any any eq aol
access-list acl_inside deny tcp any any eq 1024
access-list acl_inside deny tcp any any eq 1863
access-list acl_inside deny tcp any any eq 4020
access-list acl_inside deny tcp any any eq 5050
access-list acl_inside deny tcp any any eq 5100
access-list acl_inside deny udp any any eq 4020
access-list acl_inside deny tcp any any range 6665 6669
access-list acl_inside deny udp any any range 5190 5193
access-list acl_inside deny tcp any any range 6660 6670
access-list acl_inside deny tcp any any range 5000 5001
access-list acl_inside permit tcp any any

Hope this helps someone

Thanks
Rob

-----Original Message-----
From: Mears, Rob
Sent: Monday, June 10, 2002 8:11 AM
To: [EMAIL PROTECTED]
Subject: RE: PIX525\Web Sense and Chat programs [7:46013]

Very well

Thanks
Rob

-----Original Message-----
From: Roberts, Larry [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 07, 2002 2:25 PM
To: Mears, Rob; [EMAIL PROTECTED]
Subject: RE: PIX525\Web Sense and Chat programs [7:46013]

For aol just block access to the login servers. Login.oscar.aol.com (it used to be this).

For Yahoo, it is much more difficult and time consuming. You will also inadvertently block access to some portions of the yahoo website. I used a sniffer and my PC to see what servers YIM logged into. I would block the one I connected to, and then restart the sniffer and the software. It took about 8 hours, but I managed to block YIM.

Of course that was after they told me it couldn't be done :) Yahoo made a bad mistake telling me that.

ICQ uses TCP 6667 if I remember correctly. Since I have only allowed certain traffic through the FW, it was already blocked.

It takes time to get it figured out, but these programs CAN be blocked. If nothing else, just deny access to all of yahoo by inserting a bad yahoo.com in your domain server!

Thanks
Larry

-----Original Message-----
From: Mears, Rob [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 07, 2002 9:31 AM
To: [EMAIL PROTECTED]
Subject: PIX525\Web Sense and Chat programs [7:46013]

Hello Cisco people

We are using Web Sense to block most of the sites that we feel necessary, but have had problems with programs like AOL, MSN, ICQ chat programs. So I am going to stop this at the PIX and was wondering who out there has blocked chat programs in the enterprise, and the methods used. I fully understand the steps needed to block what is needed on the PIX but was wanting to hear horror stories or problems you might have encountered. I would also like to know what sites (address\protocols) you had to block to stop these programs because some are http based (AIM, MSN, etc.). For those of you who have applied rules to the inside interface of the pix, did you notice any performance issues or any other problem related to having all outbound traffic filtered?

Thank you

Thanks
Rob Mears III, CCNP, MCSE, CNE, NNCDS, NNCSS, NNCPS, MCP+I, A+
Technical Mercenary
Valor Telecom.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=46207&t=46013
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
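A PIX access-list is evaluated top-down, the first matching entry wins, and anything that matches no entry hits the implicit deny at the end. The following Python simulator is an added example, not code from the thread or from Cisco: it parses the access-list Rob posted in the top message (the "any any" form only) and reports what the list does to a handful of constructed outbound flows. It assumes PIX first-match semantics and the literal port name aol = 5190 that the post uses; the other port names in PORT_NAMES are added here for convenience. The useful check it surfaces is that the only permit in the list is "permit tcp any any", so once the list is bound to the inside interface, every UDP flow, DNS on udp/53 included, falls through to the implicit deny.

```python
"""Added example (not part of the groupstudy thread): a small first-match
simulator for the PIX access-list posted by Rob, used to check which
outbound flows the list denies, permits, or drops via the implicit deny."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# PIX accepts a few literal port names in ACLs; "aol" = 5190 is the one the post uses.
# Assumption: the other names are added here only so the simulator handles common literals.
PORT_NAMES = {"aol": 5190, "domain": 53, "www": 80, "http": 80, "https": 443}

# The access-list exactly as posted in the thread.
POSTED_ACL = """
access-list acl_inside deny tcp any any eq aol
access-list acl_inside deny tcp any any eq 1024
access-list acl_inside deny tcp any any eq 1863
access-list acl_inside deny tcp any any eq 4020
access-list acl_inside deny tcp any any eq 5050
access-list acl_inside deny tcp any any eq 5100
access-list acl_inside deny udp any any eq 4020
access-list acl_inside deny tcp any any range 6665 6669
access-list acl_inside deny udp any any range 5190 5193
access-list acl_inside deny tcp any any range 6660 6670
access-list acl_inside deny tcp any any range 5000 5001
access-list acl_inside permit tcp any any
"""


@dataclass
class Ace:
    """One access-control entry: action, protocol and destination port range."""
    action: str        # "permit" or "deny"
    proto: str         # "tcp", "udp" or "ip"
    lo: Optional[int]  # None means any destination port
    hi: Optional[int]

    def matches(self, proto: str, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.lo is None or self.hi is None:
            return True
        return self.lo <= dport <= self.hi


# Only the "any any" source/destination form used in the post is supported.
_ACE_RE = re.compile(
    r"^access-list\s+\S+\s+(permit|deny)\s+(tcp|udp|ip)\s+any\s+any"
    r"(?:\s+eq\s+(\S+)|\s+range\s+(\d+)\s+(\d+))?\s*$")


def port_value(token: str) -> int:
    """Resolve a PIX port literal (name or number) to an integer."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_acl(text: str) -> List[Ace]:
    """Parse access-list lines in the order given; order matters for first-match."""
    aces: List[Ace] = []
    for line in text.strip().splitlines():
        m = _ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line!r}")
        action, proto, eq, r_lo, r_hi = m.groups()
        if eq is not None:
            lo = hi = port_value(eq)
        elif r_lo is not None:
            lo, hi = int(r_lo), int(r_hi)
        else:
            lo = hi = None
        aces.append(Ace(action, proto, lo, hi))
    return aces


def evaluate(aces: List[Ace], proto: str, dport: int) -> Tuple[str, Optional[int]]:
    """PIX semantics: first matching entry wins; no match means implicit deny.
    Returns (action, index of the matching entry, or None for the implicit deny)."""
    for idx, ace in enumerate(aces):
        if ace.matches(proto, dport):
            return ace.action, idx
    return "deny", None


def report(acl_text: str, flows: List[Tuple[str, int]]) -> List[str]:
    """Render one verdict line per (proto, dport) flow."""
    aces = parse_acl(acl_text)
    lines = []
    for proto, dport in flows:
        action, idx = evaluate(aces, proto, dport)
        where = "implicit deny" if idx is None else f"line {idx + 1}"
        lines.append(f"{proto}/{dport}: {action} ({where})")
    return lines


if __name__ == "__main__":
    # Constructed sample flows: chat ports from the thread plus ordinary web and DNS.
    sample = [("tcp", 5190), ("tcp", 1863), ("tcp", 6667), ("tcp", 80),
              ("tcp", 443), ("udp", 53), ("udp", 5005)]
    for line in report(POSTED_ACL, sample):
        print(line)
```

Running it shows tcp/1863 and tcp/5190 stopped by explicit deny entries, tcp/80 and tcp/443 reaching the final permit, and udp/53 reported as "deny (implicit deny)". On a real PIX the list only takes effect after it is bound with access-group on the inside interface, and at that point the implicit deny applies to everything the list does not permit, so a list like this needs explicit permits for the UDP services the site relies on (DNS, NTP) or those break along with the chat clients.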