KB ID 0000323
Problem
You want to block access to Google Talk, but not disrupt other services like Google Search and Gmail.
Solution
Yes, you could write a regex and block it with an MPF (Modular Policy Framework) policy, as I did here to block Facebook. But Google Talk only runs on four servers and uses four ports, so a plain ACL is all that is needed.
1. Connect to the Cisco ASA, and go to configure terminal mode.
2. Let's keep things neat and name our four Google Talk servers.
3. Then let's create a group for those servers.
PetesASA(config)# object-group network Google-Talk-Servers
PetesASA(config-network-object-group)# network-object host 216.239.37.125
PetesASA(config-network-object-group)# network-object host 72.14.253.125
PetesASA(config-network-object-group)# network-object host 72.14.217.189
PetesASA(config-network-object-group)# network-object host 209.85.137.125
4. And then a group for the ports we want to block.
PetesASA(config-network-object-group)# object-group service Google-Talk-Ports tcp
PetesASA(config-service-object-group)# port-object eq 5222
PetesASA(config-service-object-group)# port-object eq 5223
PetesASA(config-service-object-group)# port-object eq https
PetesASA(config-service-object-group)# port-object eq www
5. To tie it all together we can simply add one ACL.
PetesASA(config-service-object-group)# access-list outbound line 1 deny tcp any object-group Google-Talk-Servers object-group Google-Talk-Ports
Note: This assumes you have an ACL called "outbound" that is applied to your outbound traffic; yours may have a different name. To find out, issue a "show run access-group" command like the one below; your outbound ACL is the one applied "in interface inside". If yours is called something different, change the command above accordingly. If you don't have one at all, skip to step 6.
PetesASA(config)# show run access-group
access-group outbound in interface inside
access-group inbound in interface outside
PetesASA(config)#
6. Only carry this step out if you DO NOT have an ACL applied to outbound traffic, and only AFTER you have carried out step 5. Note: until the permit line is added the new ACL contains only the deny entry, and the implicit deny at the end of every ASA access-list will drop all other outbound traffic, so enter the second command straight after the first.
PetesASA(config)# access-group outbound in interface inside
PetesASA(config)# access-list outbound permit ip any any
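To see how the finished ACL behaves, here is an added example in Python (not part of the original article and not a Cisco tool): a small first-match model of the "outbound" ACL from steps 3 to 6, run against constructed sample flows. The four server addresses and ports are the ones above; the other destination addresses are made up for the test.

```python
"""Added example: model of the 'outbound' ACL built in this article.
An ASA access-list is evaluated top to bottom, first match wins, and an
implicit 'deny any' sits at the end. Object groups expand to the set of
members. Addresses other than the four Google Talk servers are made up."""

# object-group network Google-Talk-Servers (from the article)
GOOGLE_TALK_SERVERS = {
    "216.239.37.125", "72.14.253.125", "72.14.217.189", "209.85.137.125",
}
# object-group service Google-Talk-Ports tcp: 'https' is 443, 'www' is 80
GOOGLE_TALK_PORTS = {5222, 5223, 443, 80}


def build_acl(with_permit_line=True):
    """Return the ACL as an ordered list of (action, proto, dst_set, port_set).
    None means 'any'. with_permit_line=False models the moment in step 6
    between applying the access-group and adding 'permit ip any any'."""
    acl = [("deny", "tcp", GOOGLE_TALK_SERVERS, GOOGLE_TALK_PORTS)]
    if with_permit_line:
        acl.append(("permit", "ip", None, None))  # permit ip any any
    return acl


def evaluate(acl, proto, dst_ip, dst_port):
    """First-match evaluation of one outbound flow; returns 'deny' or 'permit'."""
    for action, rule_proto, dsts, ports in acl:
        if rule_proto != "ip" and rule_proto != proto:
            continue  # e.g. the deny line only covers tcp, so udp falls through
        if dsts is not None and dst_ip not in dsts:
            continue
        if ports is not None and dst_port not in ports:
            continue
        return action
    return "deny"  # implicit deny at the end of every ASA access-list


# Constructed sample flows: (description, proto, dst_ip, dst_port)
SAMPLE_FLOWS = [
    ("Google Talk XMPP to a listed server", "tcp", "216.239.37.125", 5222),
    ("HTTPS to a listed server", "tcp", "72.14.253.125", 443),
    ("HTTPS to a made-up non-Google-Talk host", "tcp", "203.0.113.10", 443),
    ("UDP 5222 to a listed server (not covered)", "udp", "216.239.37.125", 5222),
]

if __name__ == "__main__":
    acl = build_acl()
    for desc, proto, ip, port in SAMPLE_FLOWS:
        print(f"{desc}: {evaluate(acl, proto, ip, port)}")
```

Running it with build_acl(with_permit_line=False) shows every non-matching flow hitting the implicit deny, which is why the two commands in step 6 must be entered together.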