A question that I see asked a lot is how to stop users from accessing IM applications such as Yahoo, Hotmail and Aol. It just so happens that from IOS 12.4(4)T firewall release features have been introduced to INSPECT for and control this type of traffic specifically for these three applications.
Instant messenger traffic enforcement can be set up as follows: (this example is for MSN)
(Please ensure you router is capable of DNS lookups if you are using any FQDN’s as below)
- Use the appfw command to define a policy:
# appfw policy-name my-im-policy
- Once in appfw mode define the application:
# application im messenger
- In application mode we can allocate an action to take, multiple servers can be defined here:
#server permit name messenger.hotmail.com
At this point we can use the deny statement to blanket deny all MSN activity, but here I want to demonstrate more granular control so it is allowed.
- Still in application mode we can define the action to take on the traffic, this can afftect the text chat only or other activities (default keyword). Here we can allow or reset (drop) the connection:
# service text-chat|default action allow|reset
- Create the inspect policy as per normal and reference the appfw policy:
#ip inspect name example appfw my-im-policy
- IMPORTANT : Block Misuse of http which will stop IM applications trying to tunnel through. This is done by defining the http application back in appfw mode:
# application http
# port-misuse im reset
- attach the inspect code to the interface whilst in interface mode:
# ip inspect example in
IM application servers are known to use a number of IP addresses mapped to a single domain name for load balancing and by issuing the ‘server permit’ command we are telling IOS to do consistent DNS lookups to check for the latest mappings. To see exactly what your router has got from its lookups issue the following command:
#show appfw dns cache
Please see the following article at Cisco.com for any further information such as logging violations etc: http://www.conft.com/univercd/cc/td/doc/product/software/ios124/124newft/124t/124t4/ht_fw_im.htm
Entries (RSS)
January 27th, 2008 at 12:33 am
BTW 12.4(15)T2 has now been released. changed are many:
http://www.cisco.com/en/US/products/ps6441/prod_release_note09186a00807ce961.html#wp1985810
January 27th, 2008 at 8:19 pm
12.4(15)T3 now released. must be some issues with T2 since the very quick release of T3 now.
June 7th, 2010 at 5:25 pm
Great job! THANK YOU!