Here is the story:
Voi's company uses an ASA, and Voi configured it to block IM and P2P following Cisco's guide. Until now it has blocked them very well. Then today Voi was playing around with YIM and found that it can still connect, using just one very small trick.
Voi hopes the teachers and friends here can help solve this problem!
Yahoo! Messenger, latest version (version 9 behaves the same)
Choose the connection option that follows IE's HTTP proxy settings, meaning YIM connects however IE connects
But IE is left at its defaults, with no proxy or SOCKS at all!
And YIM signs in normally... Oh dear, I give up!!! :-O
Here is Voi's ASA configuration; any help is appreciated!!!
In this configuration Voi blocks MSN-YIM from 7:00 to 19:00.
asa1# show run
: Saved
:
ASA Version 8.2(1)
!
hostname asa1
domain-name ngoisaovn.com
enable password ********** encrypted
passwd ********** encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.200.2 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
!
time-range deny-im
 periodic weekdays 7:00 to 19:00
!
banner exec # Connected successfully! #
banner login # Access for Authorized users only. Please enter your username and password. #
banner motd # You have entered a secured system Authorized access only! #
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone ICT 7
dns server-group DefaultDNS
 domain-name ngoisaovn.com
access-list blockim extended permit ip any any time-range deny-im
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.200.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
filter activex 80 192.168.1.0 255.255.255.0 0.0.0.0 0.0.0.0
filter java 80 192.168.1.0 255.255.255.0 0.0.0.0 0.0.0.0
http server enable
http 192.168.1.0 255.255.255.0 inside
http authentication-certificate inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 207.46.130.100 source outside prefer
ntp server 209.81.9.7 source outside prefer
webvpn
username convoi password ********** encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
class-map imblock
 match access-list blockim
class-map P2P
 match port tcp eq www
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect im impolicy
 parameters
 match protocol msn-im yahoo-im
  drop-connection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
policy-map type inspect http P2P_HTTP
 parameters
 match request uri regex _default_gator
  drop-connection log
 match request uri regex _default_x-kazaa-network
  drop-connection log
policy-map IM_P2P
 class imblock
  inspect im impolicy
 class P2P
  inspect http P2P_HTTP
!
service-policy global_policy global
service-policy IM_P2P interface inside
prompt hostname context
Cryptochecksum:9168ca28c1dc7c824ccc66ed3c165885
: end
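
An added example, not part of the original post: a small Python audit that resolves the service-policy bound to an interface into its classes, match criteria and inspection maps. It shows that in the configuration above the only rule naming yahoo-im is in the IM inspection map, while the HTTP inspection on tcp/www matches just two URI regexes. SAMPLE is a constructed excerpt of that configuration, and the function names parse_mpf and coverage are hypothetical.

```python
# Constructed excerpt of the MPF lines from the configuration above (sample input).
SAMPLE = """\
class-map imblock
 match access-list blockim
class-map P2P
 match port tcp eq www
policy-map type inspect im impolicy
 match protocol msn-im yahoo-im
  drop-connection
policy-map type inspect http P2P_HTTP
 match request uri regex _default_gator
  drop-connection log
 match request uri regex _default_x-kazaa-network
  drop-connection log
policy-map IM_P2P
 class imblock
  inspect im impolicy
 class P2P
  inspect http P2P_HTTP
service-policy IM_P2P interface inside
"""

def parse_mpf(text):
    """Index class-maps, inspect policy-maps, policy-maps and service-policy bindings."""
    maps, bound = {"class": {}, "inspect": {}, "policy": {}}, {}
    kind = cur = cls = None
    for w in filter(None, map(str.split, text.splitlines())):
        if w[0] in ("class-map", "policy-map"):
            typed = w[0] == "policy-map" and w[1:3] == ["type", "inspect"]
            kind = "inspect" if typed else w[0].split("-")[0]
            cur = maps[kind].setdefault(w[-1], [])
        elif w[0] == "service-policy":
            bound[w[3] if w[2] == "interface" else "global"] = w[1]
        elif w[0] == "match" and kind in ("class", "inspect"):
            cur.append(" ".join(w[1:]))
        elif w[0] == "class" and kind == "policy":
            cls = w[1]
        elif w[0] == "inspect" and kind == "policy":
            cur.append((cls, w[1:]))  # keyword-based, so indentation is not required
    return maps, bound

def coverage(text, interface):
    """Per class bound to `interface`: (class, its matches, inspect action, inspect-map matches)."""
    maps, bound = parse_mpf(text)
    return [(cls, maps["class"].get(cls, []), " ".join(act), maps["inspect"].get(act[-1], []))
            for cls, act in maps["policy"][bound[interface]]]

if __name__ == "__main__":
    for row in coverage(SAMPLE, "inside"):
        print(row)
```

Because the parser keys on keywords rather than indentation, it also accepts the flattened `show run` text as pasted in a forum post.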