Configuration for blocking P2P and IM traffic on PIX/ASA 7.2 and later

李东杰
Level 1
A customer has an ASA5516-FPWR-K9 and wants to disable P2P on the firewall. I have never done this before, so I don't know where to start. I looked for the 5516 configuration guide on the official site and couldn't find one, but I did find a document with a similar configuration example there. Since I have never done this before, I don't dare try it in the running environment. I have pasted the configuration below and hope an expert can take a look. Original document link: https://www.cisco.com/c/zh_cn/support/docs/security/asa-5500-x-series-next-generation-firewalls/98684-pixasa-imblock-config.html?dtid=osscdc000357
CiscoASA#show running-config
: Saved
:
ASA Version 8.0(2)
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!--- Output Suppressed
class-map inspection_default
 match default-inspection-traffic
class-map imblock
 match any
!--- The class map "imblock" matches
!--- all kinds of traffic.
class-map P2P
 match port tcp eq www
!--- The class map "P2P" matches
!--- http traffic.
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect im impolicy
 parameters
 match protocol msn-im yahoo-im
  drop-connection
!--- The policy map "impolicy" drops the IM
!--- traffic such as msn-im and yahoo-im.
policy-map type inspect http P2P_HTTP
 parameters
 match request uri regex _default_gator
  drop-connection log
 match request uri regex _default_x-kazaa-network
  drop-connection log
!--- The policy map "P2P_HTTP" drops the P2P
!--- traffic that matches some of the built-in regular expressions.
policy-map IM_P2P
 class imblock
  inspect im impolicy
 class P2P
  inspect http P2P_HTTP
!--- The policy map "IM_P2P" drops the
!--- IM traffic matched by the class map "imblock" as well as
!--- the P2P traffic matched by the class map "P2P".
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
service-policy IM_P2P interface inside
!--- Apply the policy map "IM_P2P"
!--- to the inside interface.
prompt hostname context
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
CiscoASA#
YilinChen
Spotlight
I'd suggest reading the English version; this Chinese translation is really unreadable.
Introduction
This document describes how to configure the Cisco Security Appliances PIX/ASA using Modular Policy Framework (MPF) in order to block the Peer-to-Peer (P2P) and Instant Messaging (IM), such as MSN Messenger and Yahoo Messenger, traffic from the inside network to the Internet. Also, this document provides information on how to configure the PIX/ASA in order to allow the two hosts to use IM applications while the rest of the hosts remain blocked.
Note: The ASA can block P2P type applications only if P2P traffic is being tunneled through HTTP. Also, ASA can drop P2P traffic if it is tunneled through HTTP.

李东杰
Level 1
Introduction
This document describes how to configure the Cisco PIX/ASA security appliances using the Modular Policy Framework (MPF) to block Peer-to-Peer (P2P) and Instant Messaging (IM) traffic, such as MSN Messenger and Yahoo Messenger, from the internal network to the Internet. In addition, this document provides information on how to configure the PIX/ASA so that two hosts are allowed to use IM applications while the remaining hosts stay blocked.
Note: The ASA can block P2P-type applications only when the P2P traffic is tunneled through HTTP. Also, the ASA can drop P2P traffic if it is tunneled through HTTP.

Yanli Sun
Community Manager
Kudos to the OP for the translation.
So, has your question been resolved? If it has, please remember to mark the best answer.