On April 4th 2006, Cisco released IOS version 12.4 (4) T. Cisco introduced much awaited Skype classification in NBAR . So now with simple policy you can block skype. Skype can be blocked in a similar way as we use to block kazza,limewire and other p2p applications.
Example:-
NBAR configuration to drop Skype packets
class−map match−any p2p
match protocol skype
policy−map block−p2p
class p2p
drop
int FastEthernet0
description PIX−facing interface
service−policy input block−p2p
If you are unsure about the bandwidth eating applications being used in your organisation. you can access the interface connected to the Internet and configure following command
ip nbar protocol-discovery.
This will enable nbar discovery on your router.
Use following command:-
show ip nbar protocol-discovery stats bit-rate top-n 10
it will show you top 10 bandwidth eating applications being used by the users. Now you will be able to block/restrict traffic with appropriate QoS policy.
we can also use ip nbar port-map command to look for the protocol or protocol name, using a port number or numbers other than the well-known Internet Assigned Numbers Authority (IANA)-assigned) port numbers.
Usage as per cisco:-
ip nbar port-map protocol-name [tcp | udp] port-number
Up to 16 ports can be specified with this command. Port number values can range from 0 to 65535
Tried to block the skype with reference to this article. But not able to block. Has this been tested by anyone…
Comment by sagar — August 18, 2006 @ 4:18 am
Sagar,
Yes, this is tested!
Which version of IOS were you using? I am not sure how you implemented? send me your topology and configuration.
PS:- mail id you mentioned during submitting your comment is invalid. I tried to send you a mail but it was bounced back.
-Sikandar
Comment by Sikandar — August 18, 2006 @ 10:21 am
Hi Sikandar,
IOS version I am using is 12.4.6(T3).
Hv implemented the same way what mentioned in this reference document on my Internet router.
I have corrected my mail ID(isc_sagar@yahoo.co.in). sorry for typo error.
Thanks,
Sagar
Comment by sagar — August 18, 2006 @ 11:06 am
Skype is tough to block, I would say one of the hardest to block. I would like to hear if you have had any success with it.
Comment by Cisco Forum — September 18, 2006 @ 7:02 pm
Tested! and its working perfectly fine!
Comment by Sikandar — September 19, 2006 @ 2:24 am
Sagar,
I tried to block with the reference above and it didnt work too, i’m using 12.4(4)T2. Can anyone help?
Comment by Kim — October 1, 2006 @ 7:07 pm
can you send me your topology and configuration of both pix and the router?
Comment by Sikandar — October 1, 2006 @ 7:15 pm
router: cisco 877, with DMVPN, using ios firewall
outbound interface: Tunnel 2
inbound interface: VLAN 1 (f0)
A portion of the config for your review…
————————————-
ip inspect name IOS_FW appfw IOS_FW
ip inspect name IOS_FW cuseeme
ip inspect name IOS_FW dns
ip inspect name IOS_FW ftp
ip inspect name IOS_FW h323
ip inspect name IOS_FW http urlfilter
ip inspect name IOS_FW https
ip inspect name IOS_FW icmp
ip inspect name IOS_FW imap
ip inspect name IOS_FW pop3
ip inspect name IOS_FW netshow
ip inspect name IOS_FW rcmd
ip inspect name IOS_FW realaudio
ip inspect name IOS_FW rtsp
ip inspect name IOS_FW esmtp
ip inspect name IOS_FW sqlnet
ip inspect name IOS_FW streamworks
ip inspect name IOS_FW tftp
ip inspect name IOS_FW udp
ip inspect name IOS_FW vdolive
ip nbar port-map custom-01 udp 1 65535
ip nbar port-map custom-01 tcp 1 65535
class-map match-any p2p_skype
match protocol skype
match protocol custom-01
appfw policy-name IOS_FW
application im msn
service default action reset
service text-chat action reset
server deny name messenger.hotmail.com
server deny name gateway.messenger.hotmail.com
server deny name webmessenger.msn.com
audit-trail on
alert on
Interface Tunnel 2
….
ip inspect IOS_FW out
ip access-group 101 in
service-policy input appfwp2p_IOS_FW
service-policy output appfwp2p_IOS_FW
interface Vlan1
description Connection to LAN$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
hold-queue 32 in
hold-queue 100 out
end
ip nat inside source list 10 pool NAT_POOL overload
ip route 0.0.0.0 0.0.0.0 Tunnel2
Extended IP access list 101
10 deny ip 10.0.0.0 0.255.255.255 any
20 deny ip 172.16.0.0 0.15.255.255 any
30 deny ip 192.168.0.0 0.0.255.255 any
40 deny ip 127.0.0.0 0.255.255.255 any
50 deny ip host 255.255.255.255 any
130 permit icmp any any echo-reply
140 permit icmp any any time-exceeded
150 permit icmp any any unreachable (21 matches)
160 deny ip any any (11176 matches)
Standard IP access list 10
10 permit 192.168.1.0, wildcard bits 0.0.0.255
Comment by Kim — October 1, 2006 @ 7:45 pm
from the configuration given above, i can’t see where you created a policy for blocking skype. i can only see a class map for sype but i can’t see in which policy yoy are applying that class map.
you need to create a policy and apply it to pix-facing interface.
policy−map block−p2p
class p2p
drop
int FastEthernet0
description PIX−facing interface
service−policy input block−p2p
Comment by Sikandar — October 1, 2006 @ 8:15 pm
sorry, i left it out in my previous posting… but it was in my router config.
policy-map appfwp2p_IOS_FW
class p2p_skype
drop
tried to apply the policy on either the tunnel interface and FastE but skype is still able to logon after i restart it.
interface FastEthernet0
description Connection to LAN
service-policy input appfwp2p_IOS_FW
service-policy output appfwp2p_IOS_FW
end
Comment by Kim — October 2, 2006 @ 3:05 am
Hi Kim
\
It will not work on tunnel interface as it is interface for creating tunnel betweern two end points. you need to think this way that on which direction you need to block your traffic.
I am not sure what your full config is but it seems that you have a split tunneling enable so even if you block skype at your end, because of your VPN tunnel it will be able to access from the other side.
As i told you earlier it would be great if you can send me full configuration of the both ends. I want to understand how exactly you are accessing your internet.
Comment by Sikandar — October 2, 2006 @ 6:33 am
now skype is blocked in dubai internet city as well, whether you use a vpn or not…
they use the software of this evil company lynanda.com , statisticians turned into censors…
do you have an idea how it works and how it could bypassed?
this is really anoying everyone in there…
any help appreciated…
Comment by Lapin — November 23, 2006 @ 9:03 am
Hi,
We are using NetScreen 50 Firewall in our network and need to block Skype. Our office is based in London.
Can anyone help me regarding this?
Regards
Sidd
Comment by Sidd — December 12, 2006 @ 1:46 pm
there is a widely used skype and P2P blocking solution in opensource.
check this link http://www.lynanda.com/products/software-for-corporations/traffic-filtering
I’ve heard that this solution is what companies use to forbid skype within their network. China is suspected to use this or a derivative
I think that providing that kind of censorship technology is in total contradiction with the opensource philosophy. Some people suspect Skype to be at the origin of this blocking initiative, for political reasons.
Comment by lapinmalin — December 25, 2006 @ 10:23 am
Comment by Anonymous — January 25, 2007 @ 1:01 am
lynanda, cisco/nbar 😦
we have test both, both are not reliable. after some minutes the skype client can establish a connection to the skype network.
skype seems to be unblockable
Comment by frustratedadmin — March 16, 2007 @ 10:05 am
I’m having the same kind of issues restricting most traffic. I am using NAT and NBAR, and I believe that NBAR is not recognising the correct ports after they have been changed for NAT. Perhaps this is the case for most people?
I’m pretty sure I read somewhere that Cisco routers look at the routing table, access-lists and class-maps/NBAR before doing any port translations, but this doesn’t seem to be the case for me.
If I allow ftp full outbound bandwidth, matched by NBAR on my WAN interface, (hoping this was BEFORE the translation to LAN) and then show “ip nbar proto ftp”, NBAR does not recognise any ftp traffic leaving or entering the WAN interface.
It seems most people here are doing this on some kind of internet router with NAT running. The only way I can get NBAR to recognise any specific traffic is to use port-forwarding. Bittorrent on port 6881 forwarded to a workstation DOES get seen by NBAR, same with web without port-forwarding, but everything else is showing up in the “unknown” category.
So long story short, if your workstation has the same inside port as the source outside port, NBAR seems to recognise it. If not, it’s “unknown” traffic on ports anywhere between 1 and 65000-odd.
Check your Skype/whatever local inside port on a Windows box from a DOS prompt with:
“netstat” (enter)
Comment by Steve — April 20, 2007 @ 4:32 am
bbw dating
This page contains some info about bbw dating
Trackback by bbw dating — May 31, 2007 @ 9:06 pm
I there,
I would like to block bittorrent p2p on my boader cisco router. My IOS version is:
Cisco IOS Software, 2800 Software (C2800NM-IPBASE-M), Version 12.4(3e), RELEASE SOFTWARE (fc2)
It does does not comes with bittorrent protocol, is there any way I can upgrade my IOS so I can have a bittorrent protocol blocking capability on my router?
Comment by David Bila — July 9, 2007 @ 4:24 pm
Hi, I have a Linksys WRT300N roter and I want to know how I can set it up to block Skype and other websites I do not want users to visit?
Comment by Wil — July 11, 2007 @ 4:33 pm
Dear Sir
we are not able to block skypee in our router 2801
please
Comment by Desai — September 14, 2007 @ 6:57 am
Hi, I have a Cisco 2801 router and I want to know how I can set it up to block Skype and Google talk
Comment by Desai — September 14, 2007 @ 6:58 am
[…] habe mal etwas recherchiert – hier ein paar interessante Links, die Dir vielleicht weiterhelfen: How to block skype Cisco Tips & Tricks Spam Filter / Spam Firewall / Web Filter / Spam Appliance / Load Balancer / Content Filter / Email […]
Pingback by Skype und Firewall - Forum Fachinformatiker.de — October 30, 2007 @ 11:49 pm
can some 1 tell me how to block metacafe or p to p software on cisco 877 modem.
Comment by Faisal — November 20, 2007 @ 9:16 am
please send me the config of cisco 877 modem which block sites etc.
Comment by Faisal — November 20, 2007 @ 9:17 am
[…] skype for your business be sure to read this . Other informative articles on Skype are avilable here, here, here & […]
Pingback by NetFlow Analyzer Blogs » Blog Archive » Bell the Skype — November 27, 2007 @ 2:10 pm
I am using CISCO876. I’ve tried to block skype on all station in subnet class 100.100.100.0/24 except on ip address 100.100.100.100!
Can someone tell where is my mistake?
here is the conf:
!
!
class-map match-any MESS-TRAFFIC
match protocol skype
match protocol irc
class-map match-all MESS-ALOW
match class-map MESS-TRAFFIC
match access-group 120
!
!
policy-map DENY-MESSINGER
class MESS-ALOW
drop
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 100.100.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat inside
no ip virtual-reassembly
ip tcp adjust-mss 1452
service-policy input DENY-MESSINGER
!
!
interface Dialer1
mtu 1492
ip address negotiated
ip access-group ANTISPOOFING in
ip verify unicast source reachable-via rx allow-default 101
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect autosec_inspect out
no ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp chap hostname XXXX
ppp chap password XXXXX
ppp pap sent-username XXXXX password XXXX
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static udp 100.100.100.100 29695 interface Dialer1 29695
ip nat inside source static tcp 100.100.100.100 29695 interface Dialer1 29695
ip nat inside source static udp 100.100.100.100 69 interface Dialer1 69
!
ip access-list extended ANTISPOOFING
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.0.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip any any
!
access-list 1 permit 100.100.100.0 0.0.0.255
access-list 101 permit udp any any eq bootpc
access-list 120 permit ip any any
access-list 120 deny ip host 100.100.100.100 any
!
when:
sh ip nbar port-map skype
There is no output?
when:
sh ip nbar protocol-discovery interface vlan 1 stats bit-rate
Protocol 5min Bit Rate (bps) 5min Bit Rate (bps)
———————— ———————— ————————
telnet 3000 5000
http 4000 0
bittorrent 0 0
h323 0 0
secure-http 0 0
skype 0 0
dns 0 0
netbios 0 0
novadigm 0 0
socks 0 0
rtp 0 0
mgcp 0 0
xwindows 0 0
unknown 0 146000
Total 7000 151000
Skype is working on every PC station,not only on mine 100.100.100.100.
Help pls!
Thanx in advance!
email:
velevskib@hotmail.com
Peace
Bojan
Comment by Bojan — December 21, 2007 @ 2:12 pm
you have to change your SDM setting before applying policy routing in your layer 3 switch. Please refer to the following commands:
1) show sdm prefer
2) sdm prefer routing
Comment by fhy1 — January 15, 2008 @ 7:47 am
Actually I can identify Skype packets of all types, both TCP and UDP, with minimal processing overhead, guaranteed identification and blocking – good enough even for the largest ISPs. Per packet overhead is negligible. I wonder if my C source could be integrated into the IOS and how?
Comment by Sean O'Neil — January 29, 2008 @ 11:42 am
How can I block Skype using Cisco PIX 525?
Comment by a.salnikov — February 4, 2008 @ 11:46 am
I want to add this protocol on my nbar. which ports useing skype or p2p. how can i add?
Comment by bertolucci — February 8, 2008 @ 3:01 pm
Hi,
There is this company called Nevis Networks. They have had a pretty good success rate in blocking many kinds of P2P and IM applications.
Give them a dekko.
Regards
Amit
Comment by amit — June 4, 2008 @ 7:30 am
hi! how can block p2p (like utorrent and limewire) in my cisco 1841
router. pls. send me the config…. thanks…
Comment by atozz — June 6, 2008 @ 10:04 am
YOu shold get differen approach to achieve success with Skype
permit only protocols that you need and company needs from and deny everything else using nbar if you like you can police skype traffik to something very low or put this traffic on scavenger class but you should have idea what cisco matches with nbar its only Skype 1 versions
that can be fingerprinted the newwest versions of Skypes are different and not getting matchet by nbar :))
Comment by dr.X — September 25, 2008 @ 9:30 am
hi.. im using cisco firewall PIX 525 can u send me pls. how to block my P2P limewire …
Thanks.
Comment by exit — October 7, 2008 @ 7:40 am
hi.. im using cisco firewall PIX 525 can u send me pls. how to block my P2P limewire …
email:jul31_icc@yahoo.com
Thanks.
Comment by exit — October 7, 2008 @ 7:41 am
Blocking skype isn’t working for me.
I get “Message not delivered” in skype, then 3sec later the box will go away and say delivered.
My Config:
c3845-adventerprisek9-mz.124-9.T2.bin
class-map match-any p2p
match protocol skype
match protocol gnutella
match protocol irc
match protocol kazaa2
match protocol edonkey
!
policy−map block−p2p
class p2p
drop
!
interface FastEthernet2/0
description TO PIX
service-policy input block-p2p
It didn’t work, so I added this command and still didn’t block skpe.
interface FastEthernet2/0
service-policy output block-p2p
“show ip nbar port” does not have skpe mapped to a port? What are the ports for skpe so I can map it myself?
3845#sh ip nbar port
port-map bgp udp 179
port-map bgp tcp 179
port-map bittorrent tcp 6881 6882 6883 6884 6885 6886 6887 6888 6889
port-map citrix udp 1604
port-map citrix tcp 1494
port-map cuseeme udp 7648 7649 24032
port-map cuseeme tcp 7648 7649
port-map dhcp udp 67 68
port-map directconnect tcp 411 412 413
port-map dns udp 53
port-map dns tcp 53
port-map edonkey tcp 4662
port-map exchange tcp 135
port-map fasttrack tcp 1214
port-map finger tcp 79
port-map ftp tcp 21
port-map gnutella udp 6346 6347 6348
port-map gnutella tcp 6346 6347 6348 6349 6355 5634
port-map gopher udp 70
port-map gopher tcp 70
port-map h323 udp 1300 1718 1719 1720 11720
port-map h323 tcp 1300 1718 1719 1720 11000 – 11999
port-map http tcp 80
port-map imap udp 143 220
port-map imap tcp 143 220
port-map irc udp 194
port-map irc tcp 194
port-map kerberos udp 88 749
port-map kerberos tcp 88 749
port-map l2tp udp 1701
port-map ldap udp 389
port-map ldap tcp 389
port-map mgcp udp 2427 2727
port-map mgcp tcp 2427 2428 2727
port-map netbios udp 137 138
port-map netbios tcp 137 139
port-map netshow tcp 1755
port-map nfs udp 2049
port-map nfs tcp 2049
port-map nntp udp 119
port-map nntp tcp 119
port-map notes udp 1352
port-map notes tcp 1352
port-map novadigm udp 3460 3461 3462 3463 3464 3465
port-map novadigm tcp 3460 3461 3462 3463 3464 3465
port-map ntp udp 123
port-map ntp tcp 123
port-map pcanywhere udp 22 5632
port-map pcanywhere tcp 65301 5631
port-map pop3 udp 110
port-map pop3 tcp 110
port-map pptp tcp 1723
port-map printer udp 515
port-map printer tcp 515
port-map rcmd tcp 512 513 514
port-map rip udp 520
port-map rsvp udp 1698 1699
port-map rtsp tcp 554
port-map secure-ftp tcp 990
port-map secure-http tcp 443
port-map secure-imap udp 585 993
port-map secure-imap tcp 585 993
port-map secure-irc udp 994
port-map secure-irc tcp 994
port-map secure-ldap udp 636
port-map secure-ldap tcp 636
port-map secure-nntp udp 563
port-map secure-nntp tcp 563
port-map secure-pop3 udp 995
port-map secure-pop3 tcp 995
port-map secure-telnet tcp 992
port-map sip udp 5060
port-map sip tcp 5060
port-map skinny tcp 2000 2001 2002
port-map smtp tcp 25
port-map snmp udp 161 162
port-map snmp tcp 161 162
port-map socks tcp 1080
port-map sqlnet tcp 1521
port-map sqlserver tcp 1433
port-map ssh tcp 22
port-map streamwork udp 1558
port-map sunrpc udp 111
port-map sunrpc tcp 111
port-map syslog udp 514
port-map telnet tcp 23
port-map tftp udp 69
port-map vdolive tcp 7000
port-map winmx tcp 6699
port-map xwindows tcp 6000 6001 6002 6003
Any suggestions or does nbar not work for skype?
Comment by IT Girl — December 23, 2008 @ 12:00 am
thanks guys, did help on a setup 😉
Comment by gazduire web — March 14, 2009 @ 6:36 pm
Hi guys, just wanted to drop a line and say that newer versions of Skype will be tracked by nbar under enhancement request CSCsg19895, which you can periodically check on the Bug Toolkit @ cisco.com (this is noted as an enhancement bug since the protocol changed).
Comment by rtfmdude — March 26, 2009 @ 5:08 am
rtfmdude, the answer because Skype works with cisco IOS running NBAR is that Skype try to connect in the standards ports, and if it can´t connect encapsulates the traffic in http. Obviusly all the organization has the http port enabled and they can´t filter it, it´s the same that happen with p2p applications.
Regards
Comment by beacause — May 20, 2009 @ 2:28 am
How can i block MSN, Yahoo Messenger and Windows Live Mail ?
I have seen some of my emplyees using MSN Messenger, Yahoo Messenger and Windows Live Mail at work, which is not allowed ! Especially chatting.
Their Job is just to simply do browse, and are allowed to use Firefox & Safari Browser. But they use Movies downloading & chatting.
Do you know how can i have both these applications blocked on their Mac? We have Small network around 25 to 30 computers & we use most of the machine are Apple Mac latest. Network is on Linksys Cisco Router. i am having admin password & login name for Router.
Please Help me to block. Thank you
Comment by Prak — July 5, 2009 @ 8:22 am
Thanks to SSH and port forwarding, I can bypass my employer’s Skype filter.
This constant battle between users and policy enforcers is just a total waste of everybody’s time. There’s always a way around every attempt to block something.
Comment by Tobias — September 10, 2009 @ 1:26 am
Notify me of follow-up comments via email, thanks.
Comment by Heinz Waechter — September 21, 2009 @ 9:53 am
iwant to block google talk using class map so tell me the procedure
using asa
Comment by santosh — December 4, 2009 @ 3:08 pm
how to block yahoo messenger with time range in cisco router. Thank You
Comment by Ranto — December 8, 2009 @ 4:01 pm
Hey Heinz, my name is Ben and I’m with Cisco, I don’t know if the name Don Diep or Andrew Pham sounds familiar but we were shipping a router to you and it is in customs in Germany, please get in contact with the emails above so we can get this taken care of. If this does not sound like something that you are a part of then just ignore this message.
Comment by Benjamin Bu — June 16, 2010 @ 6:54 pm
mIRC indir, mIRC Bul, mIRC Dowloand
Comment by mIRC, mIRC Bul — July 17, 2010 @ 3:17 pm
toplu chat ,kurdish chat,toplu mic,mirc arsivi blogcu com
Comment by toplu chat — December 20, 2010 @ 4:10 pm
[…] The busiest day of the year was March 18th with 628 views. The most popular post that day was How to block skype. […]
Pingback by 2010 in review « Cisco Tips & Tricks — January 2, 2011 @ 6:55 am
[…] How to block skype – Cisco Tips & Tricks. This entry was posted in NBAR and tagged nbar, skype. Bookmark the permalink. ← PVST+ Explained НравитсяBe the first to like this post. […]
Pingback by How to block skype – Cisco Tips & Tricks | Avesyn's Blog — January 12, 2011 @ 2:14 am
[…] How to block skype « Cisco Tips & Tricks. LD_AddCustomAttr("AdOpt", "1"); LD_AddCustomAttr("Origin", "other"); […]
Pingback by How to block skype on a Cisco Router | x443 — October 22, 2011 @ 3:07 pm
Awesome post.Really thank you! Keep writing.
Comment by Russell Salvatore — February 7, 2012 @ 5:53 am
Wanted to drop a remark and let you know your Feed is not functioning today. I tried adding it to my Yahoo reader account but got absolutely nothing.
Comment by site — May 26, 2012 @ 8:47 am
You actually make it seem so easy with your presentation but I find this matter to be really
something which I think I would never understand.
It seems too complex and extremely broad for me.
I am looking forward for your next post, I will try to get the hang of it!
Comment by bad relationship — April 19, 2013 @ 12:12 am
Fastidious response in return of this issue with genuine arguments and describing everything on the topic of that.
Comment by Kirsten — May 15, 2013 @ 9:52 am
Hello to all, it’s genuinely a nice for me to go to see this web site, it includes important Information.
Comment by Roderick — June 18, 2013 @ 11:37 pm
) Find someone who’s already confident in that area and copy them. This cannot be stopped as people get many movies a single cd or dvd besides having the ability to play it over and over. That covers everything for this bit torrent file sharing help guide bit torrent file sharing.
Comment by tpbunblocker.com — July 2, 2013 @ 10:30 pm
I’m not sure where you are getting your information,
but great topic. I needs to spend some time learning more
or understanding more. Thanks for magnificent info I was looking for this
info for my mission.
Comment by Http://Phelps4President.Us — September 6, 2014 @ 1:26 am
Having read this I thought it was really informative.
I appreciate you taking the time and effort to put this short article together.
I once again find myself personally spending a lot of time both reading and commenting.
But so what, it was still worthwhile!
Comment by online gambling — September 30, 2014 @ 2:11 pm
Useful information. Fortunate me I discovered your website unintentionally, and I’m surprised why this
accident did not came about in advance! I bookmarked it.
Comment by Cisco 812 CiFi Router — October 14, 2014 @ 9:23 pm
[…] How to block skype | Cisco Tips & Tricks – Jun 07, 2006 · Tried to block the skype with reference to this article. But not able to block. Has this been tested by anyone… Comment by sagar — August 18, 2006 @ 4 …… […]
Pingback by How To Fix Skype Error Invalid Port in Windows — January 7, 2015 @ 5:28 am
medical marijuana clinic
How to block skype | Cisco Tips & Tricks
Trackback by medical marijuana clinic — March 26, 2015 @ 7:32 am