Can I block MSN Messenger from PIX or Router?
Thanks.
In article , jaisol wrote: :Can I block MSN Messenger from PIX or Router?
There's a fellow that keeps posting near-illegible messages about PIXes, but some of his ideas are just crazy enough to work, so it's often worth checking first what he's already written on any given PIX topic.
To do that, go to groups.google.com, and in the search field stick in a few keywords and then narrow down the groups by adding group:comp.dcom.sys.cisco and select the weird guy's stuff by adding author:roberson
In this case, you'd end up with...
I do it using advanced search before posting.
For example I found
In the above link you can see the keywords typed.
Your link is very useful. Thanks for helping one more time.
In article , jaisol wrote:
:I do it using advanced search before posting.
:For example I found
:[...] ?q=block+host+pix+how+telnet+group:comp.dcom.sys.cisco
That's a little over-specific -- you were asking there how to use telnet to the PIX to block hosts, but information about blocking specific services such as MSN is usually given in messages that don't specifically talk about the way you get to the PIX to do the reconfiguration. Telnet to a PIX is less common than ssh or PDM. PDM because it has the graphical interface; ssh because telnet is "in the clear" and ssh is encrypted, and you usually don't want people on your network to be able to sniff your PIX passwords. Also, you can't telnet to the PIX from "outside", unless you have set up a VPN, but you can ssh from "outside" [provided you've enabled that.]
After applying your recommendation an IP address continues connecting to a blocked host. I also tried including the host block in access-list 102 ...
Maybe the sequence of commands at conf term could be the reason.
sh ru:
...
object-group service MSN_Messenger_tcp tcp
 description MSN Messenger tries to use these ports
 port-object eq www
 port-object eq 1863
 port-object eq 7001
object-group network MSN_Messenger_hosts
 description hosts that MSN Messenger lives on
 network-object 65.54.195.0 255.255.255.0
 network-object 65.54.225.0 255.255.255.0
 network-object 65.54.226.0 255.255.254.0
 network-object 65.54.228.0 255.255.254.0
 network-object host 65.54.240.61
 network-object host 65.54.240.62
 network-object 207.46.104.0 255.255.252.0
 network-object 207.46.108.0 255.255.252.0
 network-object 207.68.171.0 255.255.255.0
 network-object host 207.46.110.35
 network-object 207.46.110.0 255.255.255.0
 network-object 207.68.178.0 255.255.255.0
 network-object host 207.68.178.61
 network-object host 207.46.110.21
object-group network MSN_hotmail_hosts
 description hosts that
After running show con local 10.195.190.74 this appears:
TCP out 207.68.178.61:80 in 10.195.190.74:3256 idle 0:04:05 Bytes 1147 flags UIO
TCP out 207.46.110.35:80 in 10.195.190.74:3252 idle 0:00:17 Bytes 15843 flags UIO
What am I doing wrong?
Thanks again.
In article , jaisol wrote:
:After applying your recommendation an IP address continues connecting
:to a blocked host.
:access-list 100 permit ip 10.195.190.0 255.255.255.240 any
:access-list 100 permit tcp 10.195.190.0 255.255.255.0 any eq www
All the 'eq www' and below statements are redundant, as you are already permitting all traffic from 10.195.190/24 to -everywhere-. The 'deny' statements will not have any effect either, as you start by permitting everything.
:access-list 102 deny tcp any object-group MSN_Messenger_hosts object-group MSN_Messenger_tcp
:access-list 102 deny tcp any object-group MSN_hotmail_hosts
:access-list 101 deny ip any host 207.46.110.35
:What am I doing wrong?
You have 3 access lists but only two interfaces, so we do not know which access list is applied to which interface. What are your 'access-group' statements?
I have always believed I should define an entire world (permit) and from this define a subworld (deny).
Suppose this: I have no deny statements configured
no access-list 100 permit ip 10.195.190.0 255.255.255.240 any
no access-list 100 permit tcp 10.195.190.0 255.255.255.0 any eq www
Should this allow navigation (www) on 10.195.190/24 ?
I tested with
no access-list 100 permit ip 10.195.190.0 255.255.255.240 any
no access-list 100 permit tcp 10.195.190.0 255.255.255.0 any eq www
and the result was no internet navigation for 10.195.190/24, although the block against MSN Messenger did work; then I had to put them back where they were and internet navigation came back.
What should I do?
object-group MSN_Messenger_tcp
I have changed 101/102 access-lists to access-list 100
access-group 100 in interface inside
The MSN Messenger blocking is driving me crazy!!!!!!!!
Any guide will be very appreciated. THANKS AGAIN.
In article , jaisol wrote:
:I have always believed I should define an entire world (permit) and
:from this define a subworld (deny).
Not on the PIX!
The PIX processes ACL entries from beginning to end, and the first one that matches is *the* answer and it stops looking.
The situation was different with the older "permit/deny/except" verbs, but those have been gone for a while.
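As an added illustration of the first-match rule described in the replies (example code written for this page, not from the thread or from Cisco), the following Python evaluates the quoted access-list lines in both orders; the object-group contents are trimmed to the hosts that appear in the posted show conn output, and 198.51.100.10 is a constructed address.

```python
import ipaddress

# Object-groups as posted in the thread (trimmed to the hosts seen in 'show conn').
MSN_MESSENGER_HOSTS = [ipaddress.ip_network(n) for n in
                       ("65.54.195.0/24", "207.46.110.0/24", "207.68.178.0/24")]
MSN_MESSENGER_TCP = {80, 1863, 7001}          # port-object eq www / 1863 / 7001
ANY = [ipaddress.ip_network("0.0.0.0/0")]

def entry(action, proto, src, dst, dports=None):
    """One access-list line; dports=None means any destination port."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dports": dports}

def matches(e, proto, src, dst, dport):
    in_src = any(src in n for n in e["src"])
    in_dst = any(dst in n for n in e["dst"])
    proto_ok = e["proto"] in ("ip", proto)
    port_ok = e["dports"] is None or dport in e["dports"]
    return in_src and in_dst and proto_ok and port_ok

def evaluate(acl, proto, src, dst, dport):
    """First matching entry decides and the scan stops; no match is the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in acl:
        if matches(e, proto, src, dst, dport):
            return e["action"]
    return "deny"

# access-list 100 lines quoted in the reply (255.255.255.240 is /28, 255.255.255.0 is /24)
PERMIT_IP = entry("permit", "ip", [ipaddress.ip_network("10.195.190.0/28")], ANY)
PERMIT_WWW = entry("permit", "tcp", [ipaddress.ip_network("10.195.190.0/24")], ANY, {80})
DENY_MSN = entry("deny", "tcp", ANY, MSN_MESSENGER_HOSTS, MSN_MESSENGER_TCP)

ACL_AS_POSTED = [PERMIT_IP, PERMIT_WWW, DENY_MSN]   # permits first: deny is never reached
ACL_DENY_FIRST = [DENY_MSN, PERMIT_IP, PERMIT_WWW]  # deny placed above the permits

def msn_connection_allowed(acl):
    """The connection from the posted 'show conn': 10.195.190.74 -> 207.46.110.35:80."""
    return evaluate(acl, "tcp", "10.195.190.74", "207.46.110.35", 80) == "permit"

def web_allowed(acl):
    """Ordinary browsing to an unrelated address (constructed, documentation range)."""
    return evaluate(acl, "tcp", "10.195.190.74", "198.51.100.10", 80) == "permit"
```

Moving the deny above the permits closes the Messenger connection while ordinary www traffic from the /24 is still permitted by the later entry.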