Blocking MSN Messenger

Can I block MSN Messenger from PIX or Router?

Thanks.

Reply to
jaisol

In article , jaisol wrote:
:Can I block MSN Messenger from PIX or Router?

There's a fellow that keeps posting near-illegible messages about PIXes, but some of his ideas are just crazy enough to work, so it's often worth checking first what he's already written on any given PIX topic.

To do that, go to groups.google.com, and in the search field stick in a few keywords and then narrow down the groups by adding group:comp.dcom.sys.cisco and select the weird guy's stuff by adding author:roberson

In this case, you'd end up with...

formatting link

Reply to
Walter Roberson

I do it using advanced search before posting.

For example I found

formatting link
... but the MSN info was missing and it is out of date.

In the above link you can see the keywords typed.

Your link is very useful. Thanks for the help one more time.

Reply to
jaisol

In article , jaisol wrote:
:I do it using advance search before to post.

:By example I found
:[...] ?q=block+host+pix+how+telnet+group:comp.dcom.sys.cisco

That's a little over-specific -- you were asking there how to use telnet to the PIX to block hosts, but information about blocking specific services such as MSN is usually given in messages that don't specifically talk about the way you get to the PIX to do the reconfiguration. Telnet to a PIX is less common than ssh or PDM. PDM because it has the graphical interface; ssh because telnet is "in the clear" and ssh is encrypted, and you usually don't want people on your network to be able to sniff your PIX passwords. Also, you can't telnet to the PIX from "outside", unless you have set up a VPN, but you can ssh from "outside" [provided you've enabled that.]

Reply to
Walter Roberson

After applying your recommendation an IP address continues connecting to the blocked host. I also tried including the blocked host in access-list 102 ...

Maybe the sequence of some commands at conf term could be the reason.

sh ru:
...
object-group service MSN_Messenger_tcp tcp
  description MSN Messenger tries to use these ports
  port-object eq www
  port-object eq 1863
  port-object eq 7001
object-group network MSN_Messenger_hosts
  description hosts that MSN Messenger lives on
  network-object 65.54.195.0 255.255.255.0
  network-object 65.54.225.0 255.255.255.0
  network-object 65.54.226.0 255.255.254.0
  network-object 65.54.228.0 255.255.254.0
  network-object host 65.54.240.61
  network-object host 65.54.240.62
  network-object 207.46.104.0 255.255.252.0
  network-object 207.46.108.0 255.255.252.0
  network-object 207.68.171.0 255.255.255.0
  network-object host 207.46.110.35
  network-object 207.46.110.0 255.255.255.0
  network-object 207.68.178.0 255.255.255.0
  network-object host 207.68.178.61
  network-object host 207.46.110.21
object-group network MSN_hotmail_hosts
  description hosts that loginnet.passport.com lives on
  network-object host 65.54.131.192
  network-object host 65.54.140.158
  network-object host 65.54.225.156
  network-object host 65.54.225.241
  network-object host 65.54.225.254
  network-object host 65.54.226.246
  network-object host 65.54.226.247
  network-object host 65.54.226.248
  network-object host 65.54.226.249
  network-object host 65.54.228.250
  network-object host 65.54.228.251
  network-object host 65.54.225.251
  network-object host 65.54.226.252
  network-object host 65.54.226.254
  network-object host 65.54.228.243
  network-object host 65.54.228.244
  network-object host 65.54.228.253
  network-object host 65.54.229.248
  network-object host 65.54.229.252
  network-object host 65.54.229.253
  network-object host 65.54.229.254
  network-object host 66.59.149.199
  network-object host 66.77.43.101
  network-object host 207.68.171.232
  network-object host 207.68.171.233
  network-object host 207.68.172.239
  network-object host 207.68.172.249
  network-object host 207.68.172.245
  network-object host 207.68.173.245
  network-object host 207.68.173.246
access-list nonat permit ip 10.195.190.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 100 permit ip 10.195.190.0 255.255.255.240 any
access-list 100 permit tcp 10.195.190.0 255.255.255.0 any eq www
access-list 100 permit tcp 10.195.190.0 255.255.255.0 any eq https
access-list 100 permit udp 10.195.190.0 255.255.255.0 any eq 443
access-list 100 permit udp 10.195.190.0 255.255.255.0 any eq domain
access-list 100 permit tcp 10.195.190.0 255.255.255.0 any eq smtp
access-list 100 permit tcp 10.195.190.0 255.255.255.0 any eq pop3
access-list 100 permit udp 10.195.190.0 255.255.255.0 any eq 6801
access-list 100 permit tcp 10.195.190.0 255.255.255.0 any eq 8000
access-list 100 permit udp 10.195.190.0 255.255.255.0 any eq 21000
access-list 100 permit udp 10.195.190.0 255.255.255.0 any eq 7000
access-list 100 permit ip 10.195.190.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 100 deny tcp 10.195.190.0 255.255.255.0 any eq 1791
access-list 100 deny tcp 10.195.190.0 255.255.255.0 any eq 1863
access-list 100 deny tcp 10.195.190.0 255.255.255.0 any eq 6891
access-list 100 deny tcp 10.195.190.0 255.255.255.0 any eq 6892
access-list 100 deny tcp 10.195.190.0 255.255.255.0 any eq 6893
access-list 100 deny tcp 10.195.190.0 255.255.255.0 any eq 6894
access-list 100 deny tcp 10.195.190.0 255.255.255.0 any eq 6895
access-list 100 deny tcp 10.195.190.0 255.255.255.0 any eq 6896
access-list 100 deny tcp 10.195.190.0 255.255.255.0 any eq 6897
access-list 100 deny tcp 10.195.190.0 255.255.255.0 any eq 6898
access-list 100 deny tcp 10.195.190.0 255.255.255.0 any eq 6899
access-list 100 deny tcp 10.195.190.0 255.255.255.0 any eq 6900
access-list 100 deny ip any any
access-list 102 deny tcp any object-group MSN_Messenger_hosts object-group MSN_Messenger_tcp
access-list 102 deny tcp any object-group MSN_hotmail_hosts
access-list 101 deny ip any host 207.46.110.35
access-list 101 deny ip any host 207.68.178.61
access-list 101 deny ip any host 207.68.178.16
access-list 101 deny ip any host 64.4.36.250
access-list 101 deny ip any host 80.91.87.49
access-list 101 deny ip any host 80.91.87.40
access-list 101 deny ip any host 80.91.87.47
access-list 101 deny ip any host 65.54.211.62
access-list 101 deny ip any host 65.54.211.61
access-list 101 deny tcp any host 207.46.110.35

After running show con local 10.195.190.74 this appears:
TCP out 207.68.178.61:80 in 10.195.190.74:3256 idle 0:04:05 Bytes 1147 flags UIO
TCP out 207.46.110.35:80 in 10.195.190.74:3252 idle 0:00:17 Bytes 15843 flags UIO

What am I doing wrong?

Thanks again.

Reply to
jaisol

In article , jaisol wrote:
:After applying your recommendation an IP address continues connecting
:to host blocked.

:access-list 100 permit ip 10.195.190.0 255.255.255.240 any
:access-list 100 permit tcp 10.195.190.0 255.255.255.0 any eq www

All the 'eq www' and below statements are redundant, as you are already permitting all traffic from 10.195.190/24 to -everywhere-. The 'deny' statements will not have any effect either, as you start by permitting everything.

:access-list 102 deny tcp any object-group MSN_Messenger_hosts object-group MSN_Messenger_tcp
:access-list 102 deny tcp any object-group MSN_hotmail_hosts

:access-list 101 deny ip any host 207.46.110.35

:What am I doing wrong?

You have 3 access lists but only two interfaces, so we do not know which access list is applied to which interface. What are your 'access-group' statements?

Reply to
Walter Roberson

I have always believed I should define an entire world (permit) and from this define a subworld (deny).

Suppose this: I don't have any deny statement configured, and
no access-list 100 permit ip 10.195.190.0 255.255.255.240 any
no access-list 100 permit tcp 10.195.190.0 255.255.255.0 any eq www
Should this allow navigation (www) on 10.195.190/24?

I tested with
no access-list 100 permit ip 10.195.190.0 255.255.255.240 any
no access-list 100 permit tcp 10.195.190.0 255.255.255.0 any eq www
and the result was no internet navigation for 10.195.190/24, while MSN Messenger did work; then I had to put them back where they were and internet navigation came back.

What should I have to do?

object-group MSN_Messenger_tcp

I have changed 101/102 access-lists to access-list 100

access-group 100 in interface inside

The MSN Messenger blocking is driving me crazy!!!!!!!!

Any guidance will be very much appreciated. THANKS AGAIN.

Reply to
jaisol

In article , jaisol wrote:
:I always have believed I should to define a entery world (permit) and
:from this define a subworld (deny).

Not on the PIX!

The PIX processes ACL entries from beginning to end, and the first one that matches is *the* answer and it stops looking.

The situation was different with the older "permit/deny/except" verbs, but those have been gone for a while.

Reply to
Walter Roberson
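As an added illustration of the first-match rule described above, and of why the broad permits near the top of the posted access-list 100 shadow the MSN denies below them, here is a small Python model of PIX ACL evaluation. It is not Cisco's code; the hosts and ports are a constructed subset of the posted object-groups, and the masks are kept as they appear in the post.

```python
import ipaddress

# Constructed model (not Cisco code): a PIX walks an ACL top to bottom, the
# first matching entry decides, and an implicit deny sits at the end.

ANY = "0.0.0.0/0"
# Subset of the posted object-groups; the PIX expands an object-group reference
# into one entry per (host, port) combination.
MSN_MESSENGER_HOSTS = ["65.54.195.0/24", "207.46.110.0/24", "207.68.178.0/24"]
MSN_MESSENGER_TCP = [80, 1863, 7001]   # www, 1863, 7001


def ace(action, proto, src, dst, port=None):
    """One access-list entry; proto is 'ip', 'tcp' or 'udp'; port is dst port or None."""
    return (action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), port)


def msn_deny_entries():
    """Expansion of: deny tcp any object-group MSN_Messenger_hosts object-group MSN_Messenger_tcp"""
    return [ace("deny", "tcp", ANY, host, port)
            for host in MSN_MESSENGER_HOSTS for port in MSN_MESSENGER_TCP]


def evaluate(acl, proto, src_ip, dst_ip, dst_port=None):
    """Return (action, index) of the first matching entry, or ('deny', None) for the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, (action, p, s_net, d_net, port) in enumerate(acl):
        if p != "ip" and p != proto:
            continue
        if src not in s_net or dst not in d_net:
            continue
        if port is not None and port != dst_port:
            continue
        return action, i            # first match wins; later entries are never consulted
    return "deny", None


# Order as posted: broad permits first, so the MSN denies cannot be reached for web traffic.
POSTED = ([ace("permit", "ip", "10.195.190.0/28", ANY),
           ace("permit", "tcp", "10.195.190.0/24", ANY, 80)]
          + msn_deny_entries()
          + [ace("deny", "ip", ANY, ANY)])

# Corrected order: the specific MSN denies precede the broad permits.
FIXED = (msn_deny_entries()
         + [ace("permit", "ip", "10.195.190.0/28", ANY),
            ace("permit", "tcp", "10.195.190.0/24", ANY, 80),
            ace("deny", "ip", ANY, ANY)])

if __name__ == "__main__":
    # The connection seen in the posted 'show con' output: 10.195.190.74 -> 207.46.110.35:80
    print(evaluate(POSTED, "tcp", "10.195.190.74", "207.46.110.35", 80))  # ('permit', 1)
    print(evaluate(FIXED, "tcp", "10.195.190.74", "207.46.110.35", 80))   # ('deny', 3)
```

Ordinary web traffic to a non-MSN host is still permitted under the corrected order because none of the deny entries match it, and evaluation falls through to the permit.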

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.