I was looking for comments on the problem below. What are the pros/cons of
each solution, and is one preferred over the other? Are there other
solutions?

Thanks,
Roger

Problem:
- Corporate policy dictates that MSN instant messenger is not allowed,
except if you are sourcing the traffic from the 10.0.0.0/8 or 136.0.0.0/8
networks.
- Configure the ASA policy that will drop and log unauthorized MSN
traffic.
Solution 1:

access-list msn_acl extended deny ip 10.0.0.0 255.0.0.0 any
access-list msn_acl extended deny ip 136.0.0.0 255.0.0.0 any
access-list msn_acl extended permit ip any any
!
class-map type inspect im match-all msn_class
 match protocol msn-im
!
class-map im_class
 match access-list msn_acl
!
policy-map type inspect im msn_policy
 parameters
 class msn_class
  drop-connection log
!
policy-map global_policy
 class im_class
  inspect im msn_policy
Solution 2:

class-map type inspect im match-all MSN=FAIL
 match protocol msn-im
 match not ip-address 10.0.0.0 255.0.0.0
 match not ip-address 136.0.0.0 255.0.0.0
!
policy-map type inspect im MSN-BLOCK
 parameters
 class MSN=FAIL
  drop-connection log
!
policy-map global_policy
 class inspection_default
  inspect im MSN-BLOCK
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
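The two solutions above reach the "drop MSN unless sourced from 10/8 or 136/8" result by different routes: Solution 1 decides which traffic is even handed to IM inspection through an ACL (where a `deny` ACE excludes traffic from the class, `permit` includes it, and the implicit deny at the end excludes everything else), while Solution 2 puts the address test inside the IM class-map with `match not ip-address`. The Python model below is an added example, not part of Roger's post or any Cisco code; it evaluates both policies over a handful of constructed flows so the difference becomes visible. The ACL-as-class semantics it models are standard ASA behaviour. The treatment of `match ip-address` as a test against either endpoint of the IM message is an assumption, flagged in the code and switchable, so the model can be rerun as source-only if that is how your ASA version behaves. The external addresses (203.0.113.x, 198.51.100.x) are documentation ranges standing in for arbitrary IM servers.

```python
import ipaddress
from dataclasses import dataclass

# Networks the corporate policy exempts (from the problem statement).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("136.0.0.0/8")]


@dataclass(frozen=True)
class Flow:
    """A constructed flow as the ASA would see it after IM inspection
    has identified the application protocol."""
    src: str
    dst: str
    protocol: str          # "msn-im" for MSN; anything else is non-MSN traffic


# Solution 1: msn_acl as an ordered list of (action, source network) ACEs.
# Only the source matters here because every ACE has destination "any".
MSN_ACL = [("deny", "10.0.0.0/8"),
           ("deny", "136.0.0.0/8"),
           ("permit", "0.0.0.0/0")]


def acl_selects_for_class(acl, src):
    """Model of 'match access-list' inside a Layer 3/4 class-map.

    The first ACE whose network contains the source decides: 'permit' puts
    the traffic in the class, 'deny' keeps it out, and the implicit deny at
    the end keeps out anything no ACE matched."""
    addr = ipaddress.ip_address(src)
    for action, net in acl:
        if addr in ipaddress.ip_network(net):
            return action == "permit"
    return False


def solution1(flow, acl=MSN_ACL):
    """Verdict of Solution 1: 'inspect im' runs only for im_class traffic,
    and inside msn_policy the msn_class drops anything identified as MSN."""
    if not acl_selects_for_class(acl, flow.src):
        return "permit"                   # never reaches IM inspection
    if flow.protocol == "msn-im":
        return "drop"                     # msn_class -> drop-connection log
    return "permit"


def solution2(flow, ip_match_either_endpoint=True):
    """Verdict of Solution 2: a single match-all IM class.

    ASSUMPTION (not stated in the post): 'match ip-address' in an IM
    class-map tests both endpoints of the IM message, so a 'match not
    ip-address' line fails when either endpoint is in that network.
    Pass ip_match_either_endpoint=False to model a source-only test."""
    if flow.protocol != "msn-im":
        return "permit"                   # 'match protocol msn-im' fails
    addrs = [flow.src, flow.dst] if ip_match_either_endpoint else [flow.src]
    for net in TRUSTED_NETS:
        if any(ipaddress.ip_address(a) in net for a in addrs):
            return "permit"               # a 'match not' line fails -> class misses
    return "drop"                         # all match-all lines hold -> drop-connection log


# Constructed sample flows (documentation ranges stand in for IM servers).
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "203.0.113.10", "msn-im"),       # trusted source, MSN
    Flow("136.5.6.7", "203.0.113.10", "msn-im"),      # trusted source, MSN
    Flow("192.168.1.5", "203.0.113.10", "msn-im"),    # untrusted source, MSN
    Flow("192.168.1.5", "203.0.113.10", "aol-im"),    # untrusted source, not MSN
    Flow("198.51.100.9", "10.1.2.3", "msn-im"),       # external source toward 10/8
]


def compare(flows=SAMPLE_FLOWS):
    """Return {flow: (Solution 1 verdict, Solution 2 verdict)} for each flow."""
    return {f: (solution1(f), solution2(f)) for f in flows}


def disagreements(flows=SAMPLE_FLOWS):
    """Flows on which the two solutions reach different verdicts."""
    return [f for f, (v1, v2) in compare(flows).items() if v1 != v2]


if __name__ == "__main__":
    for f, (v1, v2) in compare().items():
        print(f"{f.src:>13} -> {f.dst:<13} {f.protocol:7} sol1={v1:6} sol2={v2}")
    # Pitfall: without the trailing 'permit ip any any', the implicit deny keeps
    # every flow out of im_class and Solution 1 never drops anything.
    print("Solution 1 without 'permit ip any any':",
          solution1(SAMPLE_FLOWS[2], acl=MSN_ACL[:2]))
```

Running it shows the two solutions agree on outbound flows but diverge on the last sample: Solution 1 drops MSN from an external source toward a 10/8 host because the ACL only looks at the source, whereas under the either-endpoint assumption Solution 2 lets it through. The final line demonstrates why the `permit ip any any` in msn_acl is not optional.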