About the Author


Joe Harris, CCIE No. 6200 (R&S, Security & SP) is a Systems Engineer with Cisco Systems® specializing in Security. In addition to authoring Cisco Network Security Little Black Book, Joe has also been a technical reviewer for several Cisco Press publications and written articles, white papers, and presentations on various security technologies. He also assists various Certification Partners by beta testing their newest CCIE certification workbooks and has been recognized by Cisco as an SE Wall of Fame award winner.


Block IM Traffic on ASA

Ok so in a prior blog entry, I gave you my Yahoo Messenger ID and said you could communicate with me in real time. I thought it only appropriate to also show you how you could deny IM traffic on the ASA without using a CSC module, IronPort appliance or any other filtering software/tool. This functionality is natively built into the ASA since 7.2 code and it uses what is termed “deep packet inspection.” This deep packet inspection is configured on the ASA using the Modular Policy Framework (MPF). Now before we dive into the configuration aspects of this deep packet inspection, I think it’s appropriate for us to get some background information on the MPF because there have been some recent (& drastic) changes to the traditional configuration model of MPF.

The ASA’s MPF is based on the IOS MQC (Modular QoS CLI) feature, which is the IOS command set used to configure QoS. It provides you with the ability to define a unique policy to classify or police traffic on the ASA, and these policies can be applied as needed to perform security actions on the ASA. You can configure the following features using MPF:

  • TCP normalization, connection limits and timeouts
  • QoS policing
  • QoS priority queue
  • Application inspection
  • IPS inspection policy
  • CSC inspection policy

There are three steps required to configure MPF on your ASA appliance:
  1. Create a class-map – This identifies the traffic to which you want to apply actions.
  2. Create a policy-map - Apply actions to the traffic.
  3. Create a service-policy - Activate the actions on an interface or at a global level.

Traditionally this allowed you to configure a Layer 3 or 4 policy on the appliance where your class map could match on things like an ACL, port, DSCP, flow, etc.; however, with ASA 7.2 code a new structure of the MPF was released. This structure allows you to configure a Layer 7 policy on the ASA and it uses the new “class-map type” command:

ciscoasa(config)# class-map type ?
configure mode commands/options:
inspect Configure a class-map of type inspect
management Configure a class-map of type Management
regex Configure a class-map of type REGEX
ciscoasa(config)# class-map type

This new structure gives you tremendous control over the policy applied to traffic that traverses your firewall, because you are able to specify match criteria that, for example:

  • Permit or deny traffic to a certain website
  • Permit or deny file extensions from traversing the firewall
  • Ensure HTTP protocol conformance

Also introduced was a new policy-map type, whereby you embed the Layer 7 class map into the Layer 7 policy map:

ciscoasa(config)# policy-map type ?
configure mode commands/options:
inspect Configure a policy-map of type inspect
ciscoasa(config)# policy-map type

With that in mind (there is a lot more to it, but that is all we need to configure our IM policy) we are ready to start the configuration of the ASA to deny our IM traffic. The first thing we do is open the ASDM and connect to the ASA on which you would like to implement this policy. In my example I will be using ASDM version 6.0. We need to click on Configuration at the top of the screen then select Firewall -> Objects -> Class Maps -> Instant Messaging as shown below:

Image 1

Next you will need to select “Add” from the upper right corner of the screen in order to set up the Layer 7 class map.

Image 2

A new window will open. At the top of the window you need to define a name for your class map. In my case I named mine “Yahoo-Class” because I will be setting a policy that denies Yahoo Messenger traffic. I then define the description for the class map and define whether I want to “match-all” or “match-any.” In my case I define a match-all policy. After that I click on the “add” button located to the right of the screen to add the class map match criteria. Upon clicking add I am presented with a new screen as shown below:

Image 4

As you can see, I select my criteria as protocol and then click the “Yahoo Messenger” protocol. The ASA, however, provides a plethora of other choices by which to define your match criteria. These other choices are shown below:

Image 6

So if you in fact want to match on a certain service, like denying chat or file transfer, you can select “service” from the drop-down menu and you are given the choice of selecting the services you want to permit or deny, as shown below:

Image 5

In my case I simply select protocol and Yahoo Messenger. After defining this criteria, I select “OK” and I am taken back to the class map screen:

Image 7

I now need to set up the policy map in which I can embed the class map I just created. On the ASDM the policy map is actually found on the Configuration -> Objects -> Inspect Maps menu, so Inspect Map = Policy Map in ASDM. I now select Instant Messaging from the inspect map drop-down menu:

Image 8

and from here I select “add” on the right side of the window just like I did when I configured the class map:

Image 9

After selecting “add” a new window appears and I have to define a name and a description for the Inspect Map. In my case I have named my Inspect Map “Yahoo-Policy-Map.” I now need to select “Add” from the right side of the screen to define or select the policy for this Inspect Map.

Image 10

Now another screen appears and I have the choice of defining a single-match policy right here from the Inspect Map config, or selecting a pre-existing multiple-match IM traffic class. This is shown below:

Image 11

Notice here that after I select the traffic match criteria I now have to select the action to be performed on the traffic that is matched. You can drop the traffic, reset the connection or simply log the traffic. If you drop or reset the traffic, you can also select whether you want to log the traffic statistics as well. After configuring my policy, I then select “OK” and I am taken back to the policy map definition screen:

Image 12

Finally I have to apply the Inspect Map/Policy Map to a Service Policy. Service Policies can be defined at a global level or at an interface level. Anything defined within an interface policy takes precedence over a policy defined at the global level. To do this I select Configuration -> Service Policy Rules:

Image 13

Once you select the Service Policy Rules item, a new window will open on the right-hand side of the screen and you will be presented with all of your currently defined policies. In my case I’m using a pretty default config so I only have the “inspection_default” policy listed.

Image 14

I now select “Edit” from the top of the Service Policy configuration screen. This is shown above and highlighted. After I select “Edit” the Edit Service Policy Rule window appears; I select the third tab, put a check mark next to “IM” and then select “Configure.”

Image 15

After I click “Configure” the Select IM Inspect Map window appears, and here is where I define the Inspect Map/Policy Map to bind to the Service Policy:

Image 16

I select “Yahoo-Policy-Map” and then click “OK.” I am then taken back to the Edit Service Policy Rule window and it appears as follows:

Image 17

Lastly I select “OK” and then select Apply at the Service Policy Rules window, and the policy is now active. Now if you don’t use the ASDM and you only use the CLI, the config to enable the same policy from the CLI is as follows:

class-map type inspect im match-all Yahoo-Class
 description Class Map That Matches Yahoo Traffic
 match protocol yahoo-im
policy-map type inspect im Yahoo-Policy-Map
 description Inspect Map that calls class-map Yahoo-Class
 class Yahoo-Class
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect im Yahoo-Policy-Map

There Are 8 Responses So Far.

  1.

    Hi Joe, thanks for the tip. I did it and it works fine, but I have a question: can I configure this for some users or IP hosts, but not for others? I mean, block MSN Messenger only for a specific group.
    best regards,

    Rodrigo

  2.

    Hi Rodrigo,

    I’m going to say yes off the top of my head; this could be done via the CLI by adding a match statement to the class-map that calls an ACL or by nesting another class-map in the policy-map that references an ACL. It’s a holiday weekend here in the States and I’m currently out of town for the weekend, so I have no way of testing for sure whether or not this will work until after Monday. I’ll test when I get back to my rack and let you know after Monday.
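
Added example, not part of Joe’s post or his reply: one way the nesting he suggests would look on the CLI. It reuses the Yahoo-Class and Yahoo-Policy-Map objects from the post and attaches the inspect map under a Layer 3/4 class that matches an ACL, which is the standard MPF way to apply an inspection to only a subset of flows. The subnet 10.1.1.0/24, the ACL and class names, and tcp/5050 as Yahoo Messenger’s default port are my assumptions; adjust them to your network.

```cisco
! Constructed example: apply the Yahoo Messenger drop policy to one group of hosts only.
! 10.1.1.0/24, the ACL/class names and tcp/5050 are assumptions, not values from the post.
!
! 1. ACL that selects only the restricted group's IM connections
access-list IM-RESTRICTED-USERS extended permit tcp 10.1.1.0 255.255.255.0 any eq 5050
!
! 2. Layer 7 class map and inspect (policy) map, exactly as in the post
class-map type inspect im match-all Yahoo-Class
 description Class Map That Matches Yahoo Traffic
 match protocol yahoo-im
policy-map type inspect im Yahoo-Policy-Map
 class Yahoo-Class
  drop-connection log
!
! 3. Layer 3/4 class map that references the ACL (Joe's "nested class-map")
class-map IM-Restricted-Class
 match access-list IM-RESTRICTED-USERS
!
! 4. Attach the inspect map under the ACL-based class instead of inspection_default,
!    so hosts outside 10.1.1.0/24 are never handed to the IM inspector.
!    global_policy is already applied globally on a default config
!    ("service-policy global_policy global"), so no new service-policy line is needed.
policy-map global_policy
 class IM-Restricted-Class
  inspect im Yahoo-Policy-Map
```

After applying, `show service-policy` lists the `inspect im` counters under IM-Restricted-Class, which is the quickest way to confirm that the restricted hosts’ connections are actually hitting the new class. If the client is configured to use other ports, add those ports to the ACL, since only flows the ACL selects are inspected.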

  3.

    Hi Joe, this worked great for Yahoo. I would like to be able to block all the IM clients (AOL, MSN, Yahoo etc). I repeated the process that you outlined for MSN and it worked, but the thing is when I set up the service policy rule, edit it, choose IM - Edit - I see both the Yahoo and MSN but I am only able to choose one of them, not both. Also there is no option for AIM (AOL IM). Could you help to guide us all on how to block all the IM communication using the ASA without the CSC Module?

  4.

    Hi Chris,

    I’m not sure I follow you. Are you referring to the Service Policy, the Inspect Map or the Class Map? Under the ‘Edit Service Policy Rule’ > ‘Rule Actions’ tab you can only add/delete the Inspect Map you are needing/wanting. If you navigate to Configuration > Firewall > Objects > Inspect Maps > Instant Messaging you should see a policy configured there. Click ‘Edit’ on the right hand side to edit the policy. This should bring up the ‘Edit Instant Messaging (IM) Inspect Map’ page. If you created a Class Map earlier you should see it listed in the ‘Value’ section of the page. You can click ‘Edit’ to edit this Inspect Map.

    This is where you can define the multiple protocol/service/etc. type of map you would like. If you want to match just both YIM and MSN, simply select ‘Single Match’, select both protocols, click OK and apply your config. This will permit or deny (depending on your config) both protocols. However, the Class Map method using the ‘Multiple Match’ radio selection gives more granularity. For instance, if I edit my Class Map, I can do the following inside the Class Map:

    class-map type inspect im match-all IM-Traffic
     description Class Map That Matches A Bunch Of Stuff
     match protocol msn-im yahoo-im
     match service voice-chat webcam
     match login-name regex _default_GoToMyPC-tunnel

    This gives me the ability to match both protocols and selectively allow or deny Voice-Chat and WebCam for both as well as limit the name used for logging into the service.

    In your case you just need to select both protocols under the Class-Map > Instant Messaging tab.

  5.

    How to block Yahoo from 12h to 13h on the ASA? Thanks!!!!

  6.

    This could be done if you were allowed to match on a time-based ACL inside the class-map or policy-map; however, this is not allowed for a type inspect map. We have some newer features that are on the radar that will solve this issue, so I’ll keep you posted ;-)

  7.

    Is there a regular expression or another mechanism for blocking Google Talk without actually blocking access to the Google website?

  8.

    JB,

    Google Talk uses tcp/5222. You could apply the following and it should work:

    access-list inside_access_in deny tcp any any eq 5222
    access-list inside_access_in permit ip any any
    access-group inside_access_in in interface inside

    But you cannot today use AIC to block it, only an ACL.
