Blocking Google Talk (Cisco ASA)

KB ID 0000323 

Problem

You want to block access to Google Talk, but not disrupt other services like Google Search and Gmail.

Solution

Yes, you could write a REGEX and block it with an MPF, like I did here, to block Facebook. But Google Talk only runs on 4 servers and uses 4 ports.

1. Connect to the Cisco ASA, and go to configure terminal mode.

PetesASA> PetesASA> en Password: ******** PetesASA# configure terminal PetesASA(config)#

2. Lets keep things neat and name our four Goolge Talkservers.

PetesASA(config)# name 216.239.37.125 Google-Talk-Server-1 PetesASA(config)# name 72.14.253.125 Google-Talk-Server-2 PetesASA(config)# name 72.14.217.189 Google-Talk-Server-3 PetesASA(config)# name 209.85.137.125 Google-Talk-Server-4

3. Then lets create a group for those servers.

PetesASA(config)# object-group network Google-Talk-Servers
PetesASA(config-network-object-group)# network-object host 216.239.37.125
PetesASA(config-network-object-group)# network-object host 72.14.253.125
PetesASA(config-network-object-group)# network-object host 72.14.217.189
PetesASA(config-network-object-group)# network-object host 209.85.137.125

4. And then a group for the ports we want to block.

PetesASA(config-network-object-group)# object-group service Google-Talk-Ports tcp
PetesASA(config-service-object-group)# port-object eq 5222
PetesASA(config-service-object-group)# port-object eq 5223
PetesASA(config-service-object-group)# port-object eq https
PetesASA(config-service-object-group)# port-object eq www

5. To tie it all together we can simply add one ACL.

PetesASA(config-service-object-group)# access-list outbound line 1 deny tcp any object-group Google-Talk-Servers object-group Google-Talk-Ports 

Note: This assumes you have an ACL called “outbound” thats applied to your outbound traffic, yours may have a different name, to find out issue a “show run access-group” command like so, your outbound ACL will be allied “in interface inside”. If yours is called something different then change the command above accordingly. If you don’t have one at all skip to step 6.

PetesASA(config)# show run access-group
access-group outbound in interface inside
access-group inbound in interface outside
PetesASA(config)#

6. Only carry this step out if you DO NOT have an ACL applied to outbound traffic. and AFTER you have carried out step 5.

PetesASA(config)# access-group outbound in interface inside
PetesASA(config)# access-list outbound permit ip any any

Related Articles, References, Credits, or External Links

NA

Author: Migrated

Share This Post On