Hi folks,

If one could regularly parse the Google Docs document programmatically, which I'm pretty sure it's supposed to be, one could generate an IP list and feed it into a routing process (like bird) and peer in one's own bogon list to a null-route table.

Sure, that's cheating a bit, as it'd need some resource outside the ASA to feed it (or more likely the router nearest it), but it has the advantage of being maintainable outside of trying to generate and refresh an ACL on the ASA. Remember to add logic to prevent foot-cannoning your own address space (and sending a warning if it were to have occurred).

Best Regards
-- ian

Sent from my phone, please excuse brevity and/or misspelling.

________________________________
From: Chuck Church
Sent: 19/02/2015 03:22
To: 'Mohamed Nagy'; 'Nick Hilliard'
Cc: cisco-nsp list
Subject: Re: [c-nsp] Block Ultra Surf v14 on ASA

I've never dealt with Ultrasurf before (nor heard of it), but a quick Google search lists a lot of methods to try to block it, everything from blocking the Google Docs document that lists all the proxies to blocking the proxies themselves. Probably gonna be a lot of work blocking all those IPs; I'm guessing there are hundreds of them (maybe thousands). If you control the client workstations, it might be easier to run a workstation software inventory program to catch the software.

Chuck

From: Mohamed Nagy
Sent: Wednesday, February 18, 2015 7:09 PM
To: Nick Hilliard
Cc: Chuck Church; cisco-nsp list
Subject: Re: [c-nsp] Block Ultra Surf v14 on ASA

Yes, I cannot block the whole HTTPS port; it will be catastrophic in my network. Is there another solution from the ASA?

On Wed, Feb 18, 2015 at 7:06 PM, Nick Hilliard wrote:

On 18/02/2015 16:53, Chuck Church wrote:
> That will technically accomplish the requested goal. There may be a bunch
> of side effects though.

Yes, it will block all HTTPS. This is what happens when you try to block a VPN system which was explicitly designed to be difficult to block. The real answer to the question is that this application cannot be blocked with an ASA. The OP will need to buy very expensive DPI hardware to guess what sort of port 443 traffic is HTTPS and what sort is VPN traffic.

Nick

_______________________________________________
cisco-nsp mailing list
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
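Ian's suggestion at the top of the thread (parse the proxy-list document, turn it into prefixes, hand them to bird as blackhole routes, and refuse to null-route your own address space while warning when that is attempted) as an added worked example. This is not code from the thread or from any of the posters: the document text below is a constructed sample using RFC 5737 documentation ranges rather than real proxy addresses, the "own" prefix is an assumption, and fetching the live document is left out so the script runs offline. The generated fragment uses bird 1.x static-protocol syntax; bird 2 needs an `ipv4 { ... };` channel inside the block.

```python
import ipaddress
import re
import sys

# Constructed sample standing in for the text of the proxy-list document.
# These are RFC 5737 documentation ranges, not real Ultrasurf addresses.
SAMPLE_DOC = """\
UltraSurf proxy list (constructed sample)
Server A: 192.0.2.10
Server B: 192.0.2.11:443
Server C: 198.51.100.0/24
Server D: 203.0.113.7   <- inside our own space, must not be blackholed
Broken:   192.0.2.999
Dup:      192.0.2.10
"""

# Our own address space (assumption for this example; use your real prefixes).
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# IPv4 host or CIDR token; trailing ":port" is ignored by the \b after the address.
IPV4_TOKEN = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d{1,2}))?\b")


def extract_prefixes(text):
    """Pull every valid IPv4 host or CIDR out of free text.

    Hosts become /32s, duplicates collapse, and garbage such as 192.0.2.999
    is skipped rather than aborting the whole refresh.
    """
    found = set()
    for addr, plen in IPV4_TOKEN.findall(text):
        try:
            net = ipaddress.ip_network(f"{addr}/{plen or 32}", strict=False)
        except ValueError:
            continue
        found.add(net)
    return sorted(found, key=lambda n: (n.network_address, n.prefixlen))


def split_own_space(prefixes, own=OWN_PREFIXES):
    """Separate prefixes overlapping our own space from the rest.

    Anything in `rejected` should raise an alarm: either the upstream
    document is wrong or someone is trying to make us blackhole ourselves.
    """
    safe, rejected = [], []
    for net in prefixes:
        if any(net.overlaps(o) for o in own):
            rejected.append(net)
        else:
            safe.append(net)
    return safe, rejected


def render_bird(prefixes, proto_name="ultrasurf_blackhole"):
    """Emit a bird static protocol with one blackhole route per prefix."""
    lines = [f"protocol static {proto_name} {{"]
    for net in prefixes:
        lines.append(f"    route {net} blackhole;")
    lines.append("}")
    return "\n".join(lines) + "\n"


def build(text, own=OWN_PREFIXES):
    """Document text -> bird config plus the list of refused prefixes."""
    safe, rejected = split_own_space(extract_prefixes(text), own)
    return {"config": render_bird(safe), "routes": safe, "rejected": rejected}


if __name__ == "__main__":
    result = build(SAMPLE_DOC)
    if result["rejected"]:
        # Warn loudly, as the post suggests, but still ship the safe routes.
        print("WARNING: refused to blackhole own address space:",
              ", ".join(map(str, result["rejected"])), file=sys.stderr)
    print(result["config"], end="")
```

Run it on a cron schedule, write the output to a file that bird includes, and reload bird; the router then announces the blackhole routes to the ASA's next hop, which is exactly the "resource outside the ASA" the post describes. The rejected list is the foot-cannon guard: a non-empty one means the feed cannot be trusted as-is, so alert on it rather than silently dropping the entries.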
