Khoa Pham's Tech Blog

Blocking Google Talk (Or any other Internet service)

December 12th, 2012 Comments off

A quick search we can easily see that Google Talk runs on 4 servers and uses 4 ports.
1. Connect to the Cisco ASA, and go to configure terminal mode.
2. Lets name our four Google Talkservers.

ASA-FW(config)# name 216.239.37.125 Google-Talk-Server-1
ASA-FW(config)# name 72.14.253.125 Google-Talk-Server-2
ASA-FW(config)# name 72.14.217.189 Google-Talk-Server-3
ASA-FW(config)# name 209.85.137.125 Google-Talk-Server-4

ASA-FW(config)# name 216.239.37.125 Google-Talk-Server-1

ASA-FW(config)# name 72.14.253.125 Google-Talk-Server-2

ASA-FW(config)# name 72.14.217.189 Google-Talk-Server-3

ASA-FW(config)# name 209.85.137.125 Google-Talk-Server-4

3. Then lets create a group for those servers.

ASA-FW(config)# object-group network Google-Talk-Servers
ASA-FW(config-network-object-group)# network-object host 216.239.37.125
ASA-FW(config-network-object-group)# network-object host 72.14.253.125
ASA-FW(config-network-object-group)# network-object host 72.14.217.189
ASA-FW(config-network-object-group)# network-object host 209.85.137.125

ASA-FW(config)# object-group network Google-Talk-Servers

ASA-FW(config-network-object-group)# network-object host 216.239.37.125

ASA-FW(config-network-object-group)# network-object host 72.14.253.125

ASA-FW(config-network-object-group)# network-object host 72.14.217.189

ASA-FW(config-network-object-group)# network-object host 209.85.137.125

4. And then a group for the ports we want to block.

ASA-FW(config-network-object-group)# object-group service Google-Talk-Ports tcp
ASA-FW(config-service-object-group)# port-object eq 5222
ASA-FW(config-service-object-group)# port-object eq 5223
ASA-FW(config-service-object-group)# port-object eq https
ASA-FW(config-service-object-group)# port-object eq www

ASA-FW(config-network-object-group)# object-group service Google-Talk-Ports tcp

ASA-FW(config-service-object-group)# port-object eq 5222

ASA-FW(config-service-object-group)# port-object eq 5223

ASA-FW(config-service-object-group)# port-object eq https

ASA-FW(config-service-object-group)# port-object eq www

5. To tie it all together we can simply add one ACL.

ASA-FW(config-service-object-group)# access-list outbound line 1 deny tcp any object-group Google-Talk-Servers object-group Google-Talk-Ports

1	ASA-FW(config-service-object-group)# access-list outbound line 1 deny tcp any object-group Google-Talk-Servers object-group Google-Talk-Ports

Note: This assumes you have an ACL called “outbound” thats applied to your outbound traffic, yours may have a different name, to find out issue a “show run access-group” command like so, your outbound ACL will be allied “in interface inside”. If yours is called something different then change the command above accordingly. If you don’t have one at all skip to step 6.

ASA-FW(config)# show run access-group
access-group outbound in interface inside
access-group inbound in interface outside
ASA-FW(config)#

ASA-FW(config)# show run access-group

access-group outbound in interface inside

access-group inbound in interface outside

ASA-FW(config)#

6. Only carry this step out if you DO NOT have an ACL applied to outbound traffic. and AFTER you have carried out step 5.

ASA-FW(config)# access-group outbound in interface inside
ASA-FW(config)# access-list outbound permit ip any any

1 2	ASA-FW(config)# access-group outbound in interface inside ASA-FW(config)# access-list outbound permit ip any any

Categories: Networking

Archive

Blocking Google Talk (Or any other Internet service)

Random Posts

Archives

Categories