On April 4th 2006, Cisco released IOS version 12.4(4)T, which introduced the much awaited Skype classification in NBAR. With a simple QoS policy you can now block Skype, in the same way that Kazaa, LimeWire and other P2P applications are blocked.
Example:-
NBAR configuration to drop Skype packets
class-map match-any p2p
 match protocol skype
policy-map block-p2p
 class p2p
  drop
int FastEthernet0
 description PIX-facing interface
 service-policy input block-p2p
If you are unsure which bandwidth-hungry applications are in use in your organisation, go to the interface connected to the Internet and configure the following command:
ip nbar protocol-discovery
This enables NBAR protocol discovery on the router.
Then use the following command:-
show ip nbar protocol-discovery stats bit-rate top-n 10
It shows you the top 10 bandwidth-consuming applications being used by your users. With that information you can block or restrict the traffic with an appropriate QoS policy.
We can also use the ip nbar port-map command to make NBAR look for a protocol, by protocol name, on a port number or numbers other than the well-known Internet Assigned Numbers Authority (IANA) assigned port numbers.
Usage as per cisco:-
ip nbar port-map protocol-name [tcp | udp] port-number
Up to 16 ports can be specified with this command. Port number values can range from 0 to 65535.
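As an added illustration (not part of the original post), here is a Python script that parses the plain-text output of show ip nbar protocol-discovery ... stats bit-rate, ranks protocols the way top-n does, reports how much of the traffic NBAR left as unknown, and renders the class-map/policy-map pair shown above for the protocols you decide to drop. The sample output is constructed from the figures quoted in a comment further down this page.

```python
import re

# Constructed sample, modelled on the 'show ip nbar protocol-discovery ...
# stats bit-rate' output quoted on this page (input and output 5-minute bps).
SAMPLE_OUTPUT = """\
Protocol                 5min Bit Rate (bps)  5min Bit Rate (bps)
------------------------ -------------------- --------------------
telnet                   3000                 5000
http                     4000                 0
bittorrent               0                    0
skype                    0                    0
unknown                  0                    146000
Total                    7000                 151000
"""

ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s*$")

def parse_protocol_discovery(text):
    """Return {protocol: (in_bps, out_bps)} from the show command output,
    skipping the header line, the dashed separator and the Total line."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m or m.group(1).lower() == "total":
            continue
        rows[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return rows

def top_n(rows, n=10):
    """Protocols ranked by combined in+out bit rate, like 'top-n'."""
    ranked = sorted(rows.items(), key=lambda kv: sum(kv[1]), reverse=True)
    return [(name, sum(rates)) for name, rates in ranked[:n]]

def unknown_share(rows):
    """Fraction of observed traffic NBAR could not classify; a high value
    means a drop policy on named protocols will miss most of the traffic."""
    total = sum(sum(r) for r in rows.values())
    return sum(rows.get("unknown", (0, 0))) / total if total else 0.0

def build_drop_policy(protocols, class_name="p2p", policy_name="block-p2p"):
    """Render the class-map/policy-map pair from the post for a protocol list."""
    lines = [f"class-map match-any {class_name}"]
    lines += [f" match protocol {p}" for p in protocols]
    lines += [f"policy-map {policy_name}", f" class {class_name}", "  drop"]
    return "\n".join(lines)
```

Run it against a pasted show output; if unknown dominates the ranking, classification (not the drop action) is what needs attention first.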
Filed under: Access-lists, QOS, Router, security
Tried to block Skype with reference to this article, but not able to block it. Has this been tested by anyone…
Sagar,
Yes, this is tested!
Which version of IOS were you using? I am not sure how you implemented it. Send me your topology and configuration.
PS:- the mail id you mentioned when submitting your comment is invalid. I tried to send you a mail but it bounced back.
-Sikandar
Hi Sikandar,
IOS version I am using is 12.4.6(T3).
Have implemented it the same way as mentioned in this reference document on my Internet router.
I have corrected my mail ID (isc_sagar@yahoo.co.in). Sorry for the typo.
Thanks,
Sagar
Skype is tough to block, I would say one of the hardest to block. I would like to hear if you have had any success with it.
Tested! And it's working perfectly fine!
Sagar,
I tried to block with the reference above and it didn't work either; I'm using 12.4(4)T2. Can anyone help?
Can you send me your topology and configuration of both the PIX and the router?
router: cisco 877, with DMVPN, using ios firewall
outbound interface: Tunnel 2
inbound interface: VLAN 1 (f0)
A portion of the config for your review…
------------------------
ip inspect name IOS_FW appfw IOS_FW
ip inspect name IOS_FW cuseeme
ip inspect name IOS_FW dns
ip inspect name IOS_FW ftp
ip inspect name IOS_FW h323
ip inspect name IOS_FW http urlfilter
ip inspect name IOS_FW https
ip inspect name IOS_FW icmp
ip inspect name IOS_FW imap
ip inspect name IOS_FW pop3
ip inspect name IOS_FW netshow
ip inspect name IOS_FW rcmd
ip inspect name IOS_FW realaudio
ip inspect name IOS_FW rtsp
ip inspect name IOS_FW esmtp
ip inspect name IOS_FW sqlnet
ip inspect name IOS_FW streamworks
ip inspect name IOS_FW tftp
ip inspect name IOS_FW udp
ip inspect name IOS_FW vdolive
ip nbar port-map custom-01 udp 1 65535
ip nbar port-map custom-01 tcp 1 65535
class-map match-any p2p_skype
match protocol skype
match protocol custom-01
appfw policy-name IOS_FW
application im msn
service default action reset
service text-chat action reset
server deny name messenger.hotmail.com
server deny name gateway.messenger.hotmail.com
server deny name webmessenger.msn.com
audit-trail on
alert on
Interface Tunnel 2
….
ip inspect IOS_FW out
ip access-group 101 in
service-policy input appfwp2p_IOS_FW
service-policy output appfwp2p_IOS_FW
interface Vlan1
description Connection to LAN$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
hold-queue 32 in
hold-queue 100 out
end
ip nat inside source list 10 pool NAT_POOL overload
ip route 0.0.0.0 0.0.0.0 Tunnel2
Extended IP access list 101
10 deny ip 10.0.0.0 0.255.255.255 any
20 deny ip 172.16.0.0 0.15.255.255 any
30 deny ip 192.168.0.0 0.0.255.255 any
40 deny ip 127.0.0.0 0.255.255.255 any
50 deny ip host 255.255.255.255 any
130 permit icmp any any echo-reply
140 permit icmp any any time-exceeded
150 permit icmp any any unreachable (21 matches)
160 deny ip any any (11176 matches)
Standard IP access list 10
10 permit 192.168.1.0, wildcard bits 0.0.0.255
From the configuration given above, I can't see where you created a policy for blocking Skype. I can only see a class map for Skype but I can't see in which policy you are applying that class map.
You need to create a policy and apply it to the PIX-facing interface.
policy-map block-p2p
 class p2p
  drop
int FastEthernet0
 description PIX-facing interface
 service-policy input block-p2p
Sorry, I left it out in my previous posting… but it was in my router config.
policy-map appfwp2p_IOS_FW
class p2p_skype
drop
Tried to apply the policy on either the tunnel interface or the FastE, but Skype is still able to log on after I restart it.
interface FastEthernet0
description Connection to LAN
service-policy input appfwp2p_IOS_FW
service-policy output appfwp2p_IOS_FW
end
Hi Kim
It will not work on the tunnel interface, as that is the interface for creating the tunnel between two end points. You need to think about the direction in which you need to block your traffic.
I am not sure what your full config is, but it seems that you have split tunneling enabled, so even if you block Skype at your end, because of your VPN tunnel it will be able to get access from the other side.
As I told you earlier, it would be great if you could send me the full configuration of both ends. I want to understand how exactly you are accessing your Internet.
Now Skype is blocked in Dubai Internet City as well, whether you use a VPN or not…
They use the software of this evil company lynanda.com, statisticians turned into censors…
Do you have an idea how it works and how it could be bypassed?
This is really annoying everyone there…
Any help appreciated…
Hi,
We are using NetScreen 50 Firewall in our network and need to block Skype. Our office is based in London.
Can anyone help me regarding this?
Regards
Sidd
There is a widely used Skype and P2P blocking solution in open source.
check this link http://www.lynanda.com/products/software-for-corporations/traffic-filtering
I've heard that this solution is what companies use to forbid Skype within their network. China is suspected to use this or a derivative.
I think that providing that kind of censorship technology is in total contradiction with the open-source philosophy. Some people suspect Skype to be at the origin of this blocking initiative, for political reasons.
Lynanda, Cisco/NBAR:
We have tested both; both are not reliable. After some minutes the Skype client can establish a connection to the Skype network.
Skype seems to be unblockable.
I’m having the same kind of issues restricting most traffic. I am using NAT and NBAR, and I believe that NBAR is not recognising the correct ports after they have been changed for NAT. Perhaps this is the case for most people?
I’m pretty sure I read somewhere that Cisco routers look at the routing table, access-lists and class-maps/NBAR before doing any port translations, but this doesn’t seem to be the case for me.
If I allow ftp full outbound bandwidth, matched by NBAR on my WAN interface, (hoping this was BEFORE the translation to LAN) and then show “ip nbar proto ftp”, NBAR does not recognise any ftp traffic leaving or entering the WAN interface.
It seems most people here are doing this on some kind of internet router with NAT running. The only way I can get NBAR to recognise any specific traffic is to use port-forwarding. Bittorrent on port 6881 forwarded to a workstation DOES get seen by NBAR, same with web without port-forwarding, but everything else is showing up in the “unknown” category.
So long story short, if your workstation has the same inside port as the source outside port, NBAR seems to recognise it. If not, it’s “unknown” traffic on ports anywhere between 1 and 65000-odd.
Check your Skype (or whatever) local inside port on a Windows box from a DOS prompt with:
"netstat" (enter)
Hi there,
I would like to block BitTorrent P2P on my border Cisco router. My IOS version is:
Cisco IOS Software, 2800 Software (C2800NM-IPBASE-M), Version 12.4(3e), RELEASE SOFTWARE (fc2)
It does not come with the bittorrent protocol. Is there any way I can upgrade my IOS so I can have BitTorrent protocol blocking capability on my router?
Hi, I have a Linksys WRT300N router and I want to know how I can set it up to block Skype and other websites I do not want users to visit?
Dear Sir
We are not able to block Skype in our router 2801.
please
Hi, I have a Cisco 2801 router and I want to know how I can set it up to block Skype and Google talk
[...] did some research; here are a few interesting links that may help you: How to block skype « Cisco Tips & Tricks Spam Filter / Spam Firewall / Web Filter / Spam Appliance / Load Balancer / Content Filter / Email [...]
Can someone tell me how to block Metacafe or P2P software on a Cisco 877 modem?
Please send me the config of a Cisco 877 modem which blocks sites etc.
[...] skype for your business be sure to read this . Other informative articles on Skype are avilable here, here, here & [...]
I am using a Cisco 876. I've tried to block Skype on all stations in subnet 100.100.100.0/24 except on IP address 100.100.100.100!
Can someone tell me where my mistake is?
Here is the conf:
!
!
class-map match-any MESS-TRAFFIC
match protocol skype
match protocol irc
class-map match-all MESS-ALOW
match class-map MESS-TRAFFIC
match access-group 120
!
!
policy-map DENY-MESSINGER
class MESS-ALOW
drop
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 100.100.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat inside
no ip virtual-reassembly
ip tcp adjust-mss 1452
service-policy input DENY-MESSINGER
!
!
interface Dialer1
mtu 1492
ip address negotiated
ip access-group ANTISPOOFING in
ip verify unicast source reachable-via rx allow-default 101
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect autosec_inspect out
no ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp chap hostname XXXX
ppp chap password XXXXX
ppp pap sent-username XXXXX password XXXX
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static udp 100.100.100.100 29695 interface Dialer1 29695
ip nat inside source static tcp 100.100.100.100 29695 interface Dialer1 29695
ip nat inside source static udp 100.100.100.100 69 interface Dialer1 69
!
ip access-list extended ANTISPOOFING
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.0.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip any any
!
access-list 1 permit 100.100.100.0 0.0.0.255
access-list 101 permit udp any any eq bootpc
access-list 120 permit ip any any
access-list 120 deny ip host 100.100.100.100 any
!
When I run:
sh ip nbar port-map skype
there is no output?
And when I run:
sh ip nbar protocol-discovery interface vlan 1 stats bit-rate
Protocol 5min Bit Rate (bps) 5min Bit Rate (bps)
———————— ———————— ————————
telnet 3000 5000
http 4000 0
bittorrent 0 0
h323 0 0
secure-http 0 0
skype 0 0
dns 0 0
netbios 0 0
novadigm 0 0
socks 0 0
rtp 0 0
mgcp 0 0
xwindows 0 0
unknown 0 146000
Total 7000 151000
Skype is working on every PC station, not only on mine, 100.100.100.100.
Help pls!
Thanks in advance!
email:
velevskib@hotmail.com
Peace
Bojan
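An added example (Python, not from Bojan's post) that applies IOS first-match access-list evaluation to access-list 120 as posted and to the same two entries in the reverse order, so you can see which hosts the match-all class MESS-ALOW (NBAR skype match plus a permit from access-group 120) would actually catch. The host address and ACL entries come from the post; the reversed list is a constructed comparison.

```python
import ipaddress

def acl_permits(entries, src_ip):
    """Evaluate a numbered IOS access list for a source address.
    Entries are checked top-down and the first match decides; reaching
    the end of the list means the implicit deny applies."""
    src = int(ipaddress.ip_address(src_ip))
    for action, network, wildcard in entries:
        if network == "any":
            return action == "permit"
        # IOS wildcard mask: 0 bits must match, 1 bits are don't-care
        net = int(ipaddress.ip_address(network))
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if (src & care) == (net & care):
            return action == "permit"
    return False

# access-list 120 exactly as posted: the permit-any entry comes first
ACL_120_AS_POSTED = [
    ("permit", "any", None),
    ("deny", "100.100.100.100", "0.0.0.0"),   # 'host' = wildcard 0.0.0.0
]

# Constructed comparison (not from the post): the same two entries with
# the host exception ahead of the permit-any
ACL_120_EXCEPTION_FIRST = [
    ("deny", "100.100.100.100", "0.0.0.0"),
    ("permit", "any", None),
]

def hosts_caught_by_drop_class(entries, hosts):
    """Hosts whose NBAR-classified Skype traffic would also satisfy the
    'match access-group 120' half of the match-all class MESS-ALOW, and
    so would reach the drop action in policy-map DENY-MESSINGER."""
    return [h for h in hosts if acl_permits(entries, h)]
```

With the posted order every LAN host is permitted by the ACL, so the exception host is treated like the others; the ordering question is separate from whether NBAR recognises the Skype traffic at all, which the zero skype counters above point to.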
You have to change your SDM setting before applying policy routing in your layer 3 switch. Please refer to the following commands:
1) show sdm prefer
2) sdm prefer routing
Actually I can identify Skype packets of all types, both TCP and UDP, with minimal processing overhead, guaranteed identification and blocking – good enough even for the largest ISPs. Per packet overhead is negligible. I wonder if my C source could be integrated into the IOS and how?
How can I block Skype using Cisco PIX 525?
I want to add this protocol on my NBAR. Which ports does Skype or P2P use? How can I add it?
Hi,
There is this company called Nevis Networks. They have had a pretty good success rate in blocking many kinds of P2P and IM applications.
Give them a dekko.
Regards
Amit
Hi! How can I block P2P (like uTorrent and LimeWire) in my Cisco 1841
router? Pls. send me the config…. thanks…
You should take a different approach to achieve success with Skype :)
Permit only the protocols that you and the company need, and deny everything else using NBAR. If you like you can police Skype traffic to something very low or put this traffic in the scavenger class, but you should have an idea of what Cisco matches with NBAR: it's only Skype 1 versions
that can be fingerprinted; the newest versions of Skype are different and are not matched by NBAR.
Hi.. I'm using a Cisco firewall PIX 525. Can you send me pls. how to block my P2P LimeWire …
Thanks.
Hi.. I'm using a Cisco firewall PIX 525. Can you send me pls. how to block my P2P LimeWire …
email:jul31_icc@yahoo.com
Thanks.
Blocking Skype isn't working for me.
I get "Message not delivered" in Skype, then 3 sec later the box goes away and says delivered.
My Config:
c3845-adventerprisek9-mz.124-9.T2.bin
class-map match-any p2p
 match protocol skype
 match protocol gnutella
 match protocol irc
 match protocol kazaa2
 match protocol edonkey
!
policy-map block-p2p
 class p2p
  drop
!
interface FastEthernet2/0
 description TO PIX
 service-policy input block-p2p
It didn't work, so I added this command and it still didn't block Skype.
interface FastEthernet2/0
 service-policy output block-p2p
"show ip nbar port" does not have Skype mapped to a port? What are the ports for Skype so I can map it myself?
3845#sh ip nbar port
port-map bgp udp 179
port-map bgp tcp 179
port-map bittorrent tcp 6881 6882 6883 6884 6885 6886 6887 6888 6889
port-map citrix udp 1604
port-map citrix tcp 1494
port-map cuseeme udp 7648 7649 24032
port-map cuseeme tcp 7648 7649
port-map dhcp udp 67 68
port-map directconnect tcp 411 412 413
port-map dns udp 53
port-map dns tcp 53
port-map edonkey tcp 4662
port-map exchange tcp 135
port-map fasttrack tcp 1214
port-map finger tcp 79
port-map ftp tcp 21
port-map gnutella udp 6346 6347 6348
port-map gnutella tcp 6346 6347 6348 6349 6355 5634
port-map gopher udp 70
port-map gopher tcp 70
port-map h323 udp 1300 1718 1719 1720 11720
port-map h323 tcp 1300 1718 1719 1720 11000 - 11999
port-map http tcp 80
port-map imap udp 143 220
port-map imap tcp 143 220
port-map irc udp 194
port-map irc tcp 194
port-map kerberos udp 88 749
port-map kerberos tcp 88 749
port-map l2tp udp 1701
port-map ldap udp 389
port-map ldap tcp 389
port-map mgcp udp 2427 2727
port-map mgcp tcp 2427 2428 2727
port-map netbios udp 137 138
port-map netbios tcp 137 139
port-map netshow tcp 1755
port-map nfs udp 2049
port-map nfs tcp 2049
port-map nntp udp 119
port-map nntp tcp 119
port-map notes udp 1352
port-map notes tcp 1352
port-map novadigm udp 3460 3461 3462 3463 3464 3465
port-map novadigm tcp 3460 3461 3462 3463 3464 3465
port-map ntp udp 123
port-map ntp tcp 123
port-map pcanywhere udp 22 5632
port-map pcanywhere tcp 65301 5631
port-map pop3 udp 110
port-map pop3 tcp 110
port-map pptp tcp 1723
port-map printer udp 515
port-map printer tcp 515
port-map rcmd tcp 512 513 514
port-map rip udp 520
port-map rsvp udp 1698 1699
port-map rtsp tcp 554
port-map secure-ftp tcp 990
port-map secure-http tcp 443
port-map secure-imap udp 585 993
port-map secure-imap tcp 585 993
port-map secure-irc udp 994
port-map secure-irc tcp 994
port-map secure-ldap udp 636
port-map secure-ldap tcp 636
port-map secure-nntp udp 563
port-map secure-nntp tcp 563
port-map secure-pop3 udp 995
port-map secure-pop3 tcp 995
port-map secure-telnet tcp 992
port-map sip udp 5060
port-map sip tcp 5060
port-map skinny tcp 2000 2001 2002
port-map smtp tcp 25
port-map snmp udp 161 162
port-map snmp tcp 161 162
port-map socks tcp 1080
port-map sqlnet tcp 1521
port-map sqlserver tcp 1433
port-map ssh tcp 22
port-map streamwork udp 1558
port-map sunrpc udp 111
port-map sunrpc tcp 111
port-map syslog udp 514
port-map telnet tcp 23
port-map tftp udp 69
port-map vdolive tcp 7000
port-map winmx tcp 6699
port-map xwindows tcp 6000 6001 6002 6003
Any suggestions, or does NBAR not work for Skype?
Thanks guys, it did help on a setup.
Hi guys, just wanted to drop a line and say that newer versions of Skype will be tracked by nbar under enhancement request CSCsg19895, which you can periodically check on the Bug Toolkit @ cisco.com (this is noted as an enhancement bug since the protocol changed).
rtfmdude, the reason Skype works through Cisco IOS running NBAR is that Skype tries to connect on the standard ports, and if it can't connect it encapsulates the traffic in HTTP. Obviously every organization has the HTTP port enabled and can't filter it; the same thing happens with P2P applications.
Regards