Blocking Google Talk (Cisco ASA)


KB ID 0000323 Dtd 12/09/10


You want to block access to Google Talk, but not disrupt other services like Google Search and Gmail.


Yes, you could write a REGEX and block it with an MPF, like I did here to block Facebook. But Google Talk only runs on 4 servers and uses 4 ports, so it is simpler to block those directly with object groups and an ACL entry.

1. Connect to the Cisco ASA, and go to configure terminal mode.

PetesASA>
PetesASA> en
Password: ********
PetesASA# configure terminal
PetesASA(config)#

2. Let's keep things neat and name our four Google Talk servers.

PetesASA(config)# name Google-Talk-Server-1
PetesASA(config)# name Google-Talk-Server-2
PetesASA(config)# name Google-Talk-Server-3
PetesASA(config)# name Google-Talk-Server-4

3. Then let's create a group for those servers.

PetesASA(config)# object-group network Google-Talk-Servers
PetesASA(config-network-object-group)# network-object host
PetesASA(config-network-object-group)# network-object host
PetesASA(config-network-object-group)# network-object host
PetesASA(config-network-object-group)# network-object host

4. And then a group for the ports we want to block.

PetesASA(config-network-object-group)# object-group service Google-Talk-Ports tcp
PetesASA(config-service-object-group)# port-object eq 5222
PetesASA(config-service-object-group)# port-object eq 5223
PetesASA(config-service-object-group)# port-object eq https
PetesASA(config-service-object-group)# port-object eq www

5. To tie it all together we can simply add a single access-list entry, inserted as line 1 so it is evaluated before any existing permit entries.

PetesASA(config-service-object-group)# access-list outbound line 1 deny tcp any object-group Google-Talk-Servers object-group Google-Talk-Ports 

Note: This assumes you have an ACL called "outbound" that's applied to your outbound traffic; yours may have a different name. To find out, issue a "show run access-group" command like so; your outbound ACL will be applied "in interface inside". If yours is called something different, change the command above accordingly. If you don't have one at all, skip to step 6.

PetesASA(config)# show run access-group
access-group outbound in interface inside
access-group inbound in interface outside

6. Only carry this step out if you DO NOT have an ACL applied to outbound traffic, and AFTER you have carried out step 5.

PetesASA(config)# access-group outbound in interface inside
PetesASA(config)# access-list outbound permit ip any any
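The two things worth checking after the steps above are that you picked the right ACL name (the one applied "in" on the inside interface) and that the deny entry for the Google Talk groups sits above any broad permit, since the ASA evaluates entries in order and stops at the first match. The script below is an added example, not part of the original article or a Cisco tool: it parses constructed sample output in the shape of "show run access-group" and the running-config access-list lines (the "extended" keyword the ASA prints is handled) and reports the outbound ACL name, whether the deny precedes a "permit ip any any", and whether a broad permit exists at all. The group names Google-Talk-Servers and Google-Talk-Ports come from the article; the sample lines are constructed, not captured from a device. One caveat on step 6: between the "access-group" command and the "permit ip any any" line the ACL has only the deny entry plus the ASA's implicit deny, so outbound traffic is dropped for that moment; adding the permit first avoids the gap, and the "has_broad_permit" result flags an ACL left in that state.

```python
import re

# Constructed sample of "show run access-group" output (not captured from a real ASA).
SAMPLE_ACCESS_GROUP = """\
access-group outbound in interface inside
access-group inbound in interface outside
"""

# Constructed sample of the running-config ACL lines after the article's steps 5 and 6.
SAMPLE_ACCESS_LIST = """\
access-list outbound extended deny tcp any object-group Google-Talk-Servers object-group Google-Talk-Ports
access-list outbound extended permit ip any any
"""

ACCESS_GROUP_RE = re.compile(
    r"^access-group\s+(?P<acl>\S+)\s+(?P<direction>in|out)\s+interface\s+(?P<iface>\S+)\s*$"
)
BROAD_PERMIT_RE = re.compile(r"^(ip|tcp)\s+any\s+any\b")


def find_outbound_acl(show_run_access_group, inside_interface="inside"):
    """Return the ACL applied 'in' on the inside interface, or None if there is none.

    Traffic leaving the LAN is filtered by the ACL applied inbound on the inside
    interface, which is why the article looks for 'in interface inside'.
    """
    for line in show_run_access_group.splitlines():
        m = ACCESS_GROUP_RE.match(line.strip())
        if m and m.group("direction") == "in" and m.group("iface") == inside_interface:
            return m.group("acl")
    return None


def acl_entries(show_run_access_list, acl_name):
    """Return the entries of acl_name in configured order as (action, remainder) tuples."""
    entries = []
    prefix = "access-list %s " % acl_name
    for line in show_run_access_list.splitlines():
        line = line.strip()
        if not line.startswith(prefix):
            continue
        body = line[len(prefix):]
        # The running config prints 'extended' before the action on extended ACLs.
        if body.startswith("extended "):
            body = body[len("extended "):]
        action, _, rest = body.partition(" ")
        entries.append((action, rest))
    return entries


def deny_precedes_permit(entries, servers_group, ports_group):
    """True if a deny entry naming both object groups appears before any broad permit.

    A broad permit ('permit ip any any' or 'permit tcp any any') earlier in the list
    would match the Google Talk traffic first and the deny would never be reached.
    """
    for action, rest in entries:
        if action == "deny" and servers_group in rest and ports_group in rest:
            return True
        if action == "permit" and BROAD_PERMIT_RE.match(rest):
            return False
    return False


def summarize(show_run_access_group, show_run_access_list,
              servers_group="Google-Talk-Servers", ports_group="Google-Talk-Ports"):
    """Combine the checks into one result dict for the ACL applied on the inside interface."""
    acl = find_outbound_acl(show_run_access_group)
    entries = acl_entries(show_run_access_list, acl) if acl else []
    return {
        "outbound_acl": acl,
        "entry_count": len(entries),
        "deny_first": deny_precedes_permit(entries, servers_group, ports_group),
        # Without a trailing broad permit the implicit deny drops everything else.
        "has_broad_permit": any(a == "permit" and BROAD_PERMIT_RE.match(r) for a, r in entries),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ACCESS_GROUP, SAMPLE_ACCESS_LIST).items():
        print("%-17s %s" % (key + ":", value))
```

To use it against a real firewall, paste the output of "show run access-group" and "show run access-list" into the two sample strings (or read them from files) and compare the summary: "outbound_acl" is the name to use in step 5, "deny_first" should be True, and "has_broad_permit" should be True unless you deliberately rely on the implicit deny.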

Author: Migrated