I have the following situation where I have to block yahoo and msn
messengers:
Task 1:
You don't want any users from the inside of ASA except for 10.22.22.97 and
10.22.22.98 to be able to use either MSN IM or Yahoo IM.
OPTION-1:
access-list IM-ACL extended deny ip host 10.22.22.97 any
access-list IM-ACL extended deny ip host 10.22.22.98 any
access-list IM-ACL extended permit ip any any
!
class-map IM-BLOCK
match access-list IM-ACL
!
class-map type inspect im match-all IM-TRAFFIC
match protocol msn-im yahoo-im
!
policy-map type inspect im IM-PM
class IM-TRAFFIC
drop-connection
!
policy-map INSIDE-PM
class IM-BLOCK
inspect im IM-PM
!
service-policy INSIDE-PM interface inside
!
OPTION-2:
access-list IM-ACL extended deny tcp host 10.22.22.97 any
access-list IM-ACL extended deny tcp host 10.22.22.98 any
access-list IM-ACL extended permit tcp any any
!
class-map IM-BLOCK
match access-list IM-ACL
!
policy-map type inspect im IM-PM
match protocol msn-im yahoo-im
reset
!
policy-map PM-BLOCKIM
class IM-BLOCK
inspect im IM-PM
!
service-policy PM-BLOCKIM interface Inside
!
I just wanted to clarify that if "policy-map type inspect im IM-PM" allows me
to "match protocol msn-im yahoo-im", then why should I use the "class-map
type inspect im match-all IM-TRAFFIC"?
Can I use Option-2, where I did not use "class-map type inspect im match-all
IM-TRAFFIC"?
I know that "class-map type" and "policy-map type" are used for deep
application packet inspection at layer 7. Class-map "type" classifies deep
application packets, and policy-map "type" applies the action on deep
application packets. But I am not clear when to use which option, since both
"class-map type" and "policy-map type" allow inspections in certain cases, as
in the case above.
Also what is the difference between "drop-connection" and "reset" and how do
I know which option to use?
Thanks for all the help.
Blogs and organic groups at http://www.ccie.net
Received on Sun Sep 19 2010 - 12:03:51 ART
This archive was generated by hypermail 2.2.0 : Fri Oct 01 2010 - 05:58:05 ART
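Added example (not from the original post, and not an answer taken from the list): one ASA configuration that puts the two forms next to each other for the same task. The exempt hosts 10.22.22.97 and 10.22.22.98 are the post's; every ACL, class-map and policy-map name here is made up. Both forms are accepted by the ASA: a bare "match protocol" inside "policy-map type inspect im" is a one-criterion classifier with one action, while "class-map type inspect im" lets you combine several criteria (match-all / match-any) and reuse the classifier from more than one policy map. The example uses that to give IM file transfers a "reset" and all other MSN/Yahoo traffic a "drop-connection"; the inline form is kept as a second, unattached inspection policy map for comparison. Only one service-policy can be attached to an interface, so only one of the two L3/4 policy maps in the post (or the one below) can be active on inside at a time.

```cisco
! Added example, not the original poster's configuration.
! Exempt hosts are from the post; all object names are hypothetical.
!
! --- Layer 3/4: which flows are handed to IM inspection ---
! In an MPF access-list a deny line EXCLUDES the flow from the class,
! so the two exempt hosts never reach the IM inspection engine.
access-list IM-ACL extended deny tcp host 10.22.22.97 any
access-list IM-ACL extended deny tcp host 10.22.22.98 any
access-list IM-ACL extended permit tcp any any
!
class-map IM-BLOCK
 match access-list IM-ACL
!
! --- Layer 7, form A: class-map type inspect im ---
! match-all / match-any only matters once a class has more than one
! match line. A connection is either MSN or Yahoo, never both, so the
! two protocols stay on ONE match line; two separate "match protocol"
! lines under match-all could never both be true for the same flow.
class-map type inspect im match-all IM-FILE-XFER
 match protocol msn-im yahoo-im
 match service file-transfer
!
! "match not" keeps this class disjoint from IM-FILE-XFER, so exactly
! one class applies to any given MSN/Yahoo connection.
class-map type inspect im match-all IM-OTHER
 match protocol msn-im yahoo-im
 match not service file-transfer
!
policy-map type inspect im IM-PM-CLASSES
 class IM-FILE-XFER
  ! reset: drop the packet, close the connection, and send a TCP RST,
  ! so the IM client fails immediately instead of waiting on a dead socket
  reset log
 class IM-OTHER
  ! drop-connection: drop the packet and close the connection on the ASA
  ! without sending a RST; the endpoints find out by timing out
  drop-connection log
!
! --- Layer 7, form B: inline match, no class-map ---
! Equivalent to a single-criterion class. Fine when one criterion and one
! action is all you need; it cannot be combined with "match service" etc.
! Defined here for comparison only; it is not attached to an interface.
policy-map type inspect im IM-PM-INLINE
 match protocol msn-im yahoo-im
  reset log
!
! --- Attach: one service-policy per interface ---
policy-map INSIDE-PM
 class IM-BLOCK
  inspect im IM-PM-CLASSES
!
service-policy INSIDE-PM interface inside
```

To confirm which inspection policy is actually live, use "show service-policy interface inside" and then test from one of the two exempt hosts and from any other inside host; the exempt hosts should not appear in the IM inspection counters at all, because the deny lines in IM-ACL keep them out of the IM-BLOCK class before any layer-7 policy runs.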