Access-Lists to block internet abuse

Hi, we've got two sites connected through site-to-site VPNs, and we believe there is a large amount of P2P file sharing going on, which may be using up precious bandwidth, resulting in slow VPN tunnel performance. We've got a content filtering system in place which is monitoring/blocking 80 and 443 traffic, but we'd like to stop MSN, P2P apps, etc.

So what I was hoping to do was to allow any traffic between the two sites, and only allow the following protocols to the internet: 25, 1723, 80, 443. I'm guessing I need to use a deny statement somewhere and then permit the others individually. Can anyone shed some light on which interface the access lists should be applied to and what the deny statement should say, bearing in mind I need the VPN to be unrestricted?

My config is pasted below.

Thanks for your help.

Paul

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname firewall
domain-name domain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list out-acl permit tcp any any eq ssh
access-list out-acl permit icmp any any
access-list out-acl permit ip 10.45.9.0 255.255.255.0 10.45.10.0 255.255.254.0
access-list out-acl permit tcp any any eq pptp
access-list out-acl permit gre any any
access-list out-acl permit tcp any host xxx.xxx.xxx.194 eq pptp
access-list out-acl permit gre any host xxx.xxx.xxx.194
access-list 100 permit ip 10.45.9.0 255.255.255.0 10.45.10.0 255.255.254.0
access-list 100 permit ip 10.45.9.0 255.255.255.0 10.45.12.0 255.255.255.0
access-list 100 permit ip 10.45.9.0 255.255.255.0 171.28.0.0 255.255.0.0
access-list 110 permit ip 10.45.9.0 255.255.255.0 10.45.10.0 255.255.254.0
access-list 120 permit ip 10.45.9.0 255.255.255.0 171.28.0.0 255.255.0.0
access-list 130 permit ip 10.45.9.0 255.255.255.0 10.45.12.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.194 255.255.255.248
ip address inside 10.45.9.38 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 10.45.9.9 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 10.45.9.9 pptp netmask 255.255.255.255 0 0
access-group out-acl in interface outside
route outside 0.0.0.0 0.0.0.0 84.21.128.193 1
timeout xlate 1193:00:00
timeout conn 1193:00:00 half-closed 1193:00:00 udp 2:00:00 rpc 1:20:00 h225 1:00:00
timeout h323 0:40:00 mgcp 0:05:00 sip 4:00:00 sip_media 0:16:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:40:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
url-server (inside) vendor websense host 10.45.9.12 timeout 5 protocol TCP version 1
url-cache dst 100KB
filter url except 10.45.10.0 255.255.254.0 10.45.9.0 255.255.255.0
filter url except 10.45.9.0 255.255.255.0 10.45.10.0 255.255.254.0
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter url 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
http server enable
http 10.45.9.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection tcpmss 1300
sysopt connection permit-ipsec
crypto ipsec transform-set atosset esp-3des esp-sha-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer xxx.xxx.xxx.227
crypto map newmap 10 set transform-set atosset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 120
crypto map newmap 20 set peer xxx.xxx.xxx.21
crypto map newmap 20 set transform-set atosset
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address 130
crypto map newmap 30 set peer xxx.xxx.xxx.166
crypto map newmap 30 set transform-set atosset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.21 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address xxx.xxx.xxx.166 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address xxx.xxx.xxx.227 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 25
console timeout 0
terminal width 80
Reply to
paul_tomlin

Hi,

Check portforward.com to find which ports you should block for each P2P app, and then apply the access list closer to the source, meaning it should be inbound on your inside interface. Usually an ACL policy architecture consists of one of two rule patterns: permit all, deny specific; OR deny all, permit specific. It depends on what suits you better.

Hope this helps,

Nikos

Reply to
sek
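The "deny all, permit specific" variant of Nikos's advice, written out against the subnets in Paul's posted config, as an added example (this is editor-supplied illustration, not config from either poster). The syntax is PIX 6.x, inferred from the fixup/nameif commands in the post; the access-list name inside-out is hypothetical, the DNS line is an assumption about where clients resolve names, and the log keyword needs PIX 6.3 or later. Lines beginning with a colon are PIX comments and are not kept in the running config.

```cisco
: Added example, not the poster's config. "inside-out" is a hypothetical name.
: A PIX access-list is evaluated top-down, first match wins, implicit deny at the end.
:
: 1. Site-to-site traffic first, so the deny below never touches the VPN. These
:    mirror crypto-map ACLs 110/120/130 and the nat 0 list in the posted config.
access-list inside-out permit ip 10.45.9.0 255.255.255.0 10.45.10.0 255.255.254.0
access-list inside-out permit ip 10.45.9.0 255.255.255.0 10.45.12.0 255.255.255.0
access-list inside-out permit ip 10.45.9.0 255.255.255.0 171.28.0.0 255.255.0.0
:
: 2. The internet protocols the post asks for: 25, 80, 443, 1723, plus GRE,
:    which PPTP (1723) cannot work without.
access-list inside-out permit tcp 10.45.9.0 255.255.255.0 any eq smtp
access-list inside-out permit tcp 10.45.9.0 255.255.255.0 any eq www
access-list inside-out permit tcp 10.45.9.0 255.255.255.0 any eq https
access-list inside-out permit tcp 10.45.9.0 255.255.255.0 any eq pptp
access-list inside-out permit gre 10.45.9.0 255.255.255.0 any
:
: 3. Assumption: clients resolve names against internet DNS servers directly.
:    If an internal DNS server forwards queries over the tunnel, drop this line.
access-list inside-out permit udp 10.45.9.0 255.255.255.0 any eq domain
:
: 4. Everything else (P2P, MSN, anything not listed above) is dropped.
:    "log" is optional (PIX 6.3+) and shows which hosts are still trying.
access-list inside-out deny ip any any log
:
: 5. Apply inbound on the inside interface, closest to the source.
access-group inside-out in interface inside
```

Two things to check before leaving it in place. First, order matters: once an access-group is bound to the inside interface the default "permit everything outbound" is gone, so the three VPN permits must sit above the deny or the tunnels break. Second, the inbound statics for 10.45.9.9 (3389 and pptp) are unaffected, because the inside ACL only governs connections initiated from inside; replies for connections already in the state table are not re-evaluated against it. If outbound ping is needed, add a permit icmp line, since PIX 6.x does not track ICMP state. Watch the hit counts with show access-list inside-out to see which lines are matching. Note also that a port-based ACL only stops applications that use their own ports; P2P or IM clients that fall back to 80/443 will still pass the ACL and are left to the Websense filter already in the config.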

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.