Blocking Google Talk (Or any other Internet service)
A quick search shows that Google Talk runs on 4 servers and uses 4 ports.
1. Connect to the Cisco ASA and enter configure terminal mode.
2. Let's name our four Google Talk servers.
ASA-FW(config)# name 216.239.37.125 Google-Talk-Server-1
ASA-FW(config)# name 72.14.253.125 Google-Talk-Server-2
ASA-FW(config)# name 72.14.217.189 Google-Talk-Server-3
ASA-FW(config)# name 209.85.137.125 Google-Talk-Server-4
3. Then let's create a group for those servers.
ASA-FW(config)# object-group network Google-Talk-Servers
ASA-FW(config-network-object-group)# network-object host 216.239.37.125
ASA-FW(config-network-object-group)# network-object host 72.14.253.125
ASA-FW(config-network-object-group)# network-object host 72.14.217.189
ASA-FW(config-network-object-group)# network-object host 209.85.137.125
4. And then a group for the ports we want to block.
ASA-FW(config-network-object-group)# object-group service Google-Talk-Ports tcp
ASA-FW(config-service-object-group)# port-object eq 5222
ASA-FW(config-service-object-group)# port-object eq 5223
ASA-FW(config-service-object-group)# port-object eq https
ASA-FW(config-service-object-group)# port-object eq www
5. To tie it all together we can simply add one access-list entry.
ASA-FW(config-service-object-group)# access-list outbound line 1 deny tcp any object-group Google-Talk-Servers object-group Google-Talk-Ports
Note: This assumes you have an ACL called “outbound” that is applied to your outbound traffic; yours may have a different name. To find out, issue a “show run access-group” command like so; your outbound ACL will be the one applied “in interface inside”. If yours is called something different, change the command above accordingly. If you don’t have one at all, skip to step 6.
ASA-FW(config)# show run access-group
access-group outbound in interface inside
access-group inbound in interface outside
ASA-FW(config)#
6. Only carry this step out if you DO NOT have an ACL applied to outbound traffic, and AFTER you have carried out step 5.
ASA-FW(config)# access-group outbound in interface inside
ASA-FW(config)# access-list outbound permit ip any any