Cisco 5500 Blocking Peer-to-Peer File Sharing Programs with the PIX Firewall

Blocking Peer-to-Peer File Sharing Programs with the PIX Firewall

Introduction This document demonstrates how to (attempt to) block the most common peer-to-peer (P2P) file sharing programs with the PIX Firewall. If the application cannot effectively be blocked with the PIX, Cisco IOS® Network-Based Application Recognition (NBAR) configurations are included that can be configured on any Cisco router between the source host and the Internet.

Important Note: Due to the nature of the content this document assists in blocking, Cisco is unable to block individual server addresses. Instead, Cisco recommends that you block address ranges in order to ensure you block all possible servers for each of the listed programs. The result of this can be that you block access to legitimate services. If this is the case, you need to add statements to the configuration that permit these individual services. Contact Cisco Technical Support if you have any difficulty.

Prerequisites Requirements There are no specific requirements for this document.

Components Used These configurations were tested with the use of these PIX software and hardware versions, although they are expected to work on any hardware and software revision:

Cisco PIX Firewall 501Cisco PIX Firewall Software version 6.3(3)Cisco IOS Software Release 12.2(13)TThese configurations were tested with the use of these P2P software versions:

Blubster version 2.5eDonkey version 0.51IMesh version 4.2 build 137KazaaLite version 2.4.3LimeWire version 3.6.6Morpheus version 3.4The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions Refer to the Cisco Technical Tips Conventions for more information on document conventions.

PIX Configuration interface ethernet0 10baset interface ethernet1 10full ip address outside dhcp setroute ip address inside 192.168.1.1 255.255.255.0 global (outside) 1 interface nat (inside) 1 0 0 http server enable http 192.168.1.0 255.255.255.0 inside dhcpd address 192.168.1.2-192.168.1.129 inside dhcpd auto_config dhcpd enable inside pdm logging informational timeout xlate 0:05:00