Cisco ASA – Blocking BitTorrent Traffic

Tags: bittorrent, block, cisco, cisco-asa, dmca

Due to DMCA takedown notices, I'm trying to block BitTorrent traffic for a client on a Cisco ASA 5520.

ASA Software : 7.2
ASDM: 5.2

The device is really just used for NAT and VPNs currently. Is there a simple way to block BitTorrent TCP ports 6881-6999 on this device?

Best Answer

I have attempted to do this and ran into a few issues. The biggest was that most BitTorrent clients these days will choose a random port outside of that range. Blocking just 6881-6999 is a start, but will be easily defeated. Even if you block all UDP and high ports, clients will eventually switch to ports 80 and 443 (HTTP and HTTPS), which presumably you don't want to block.

I have not found a good way to entirely block bittorrent. Bittorrent has evolved and adapted around all kinds of blocks, and will continue to evade attempts to block it. I'm sure there is a way to use Deep Packet Inspection to identify and shut it down, but I haven't had a chance to look at that. And I'm not sure how successful that would be due to bittorrent clients using encryption by default now.

I have been using this code on my ASA to at least marginally help the situation. I'm sure this blocks other useful things, but I haven't had any complaints from users.

object-group service Blocked-UDP-Ports udp
 description All ports blocked for Bit Torrent UDP DHT (all ephemeral ports except VPN encapsulation)
 port-object range 10001 65535
 port-object range 1024 1193
 port-object range 1195 9999
object-group service BitTorrent-Tracker tcp
 description TCP Ports used by Bit Torrent for tracker communication
 port-object eq 2710
 port-object range 6881 6999

access-list inside_access_in extended deny udp any any object-group Blocked-UDP-Ports log warnings inactive
access-list inside_access_in extended deny tcp any any object-group BitTorrent-Tracker log warnings inactive
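Added example, not part of the original answer: a Python script that mirrors the two deny ACEs above as a port check, lists the UDP ranges the Blocked-UDP-Ports group deliberately leaves open, and tallies the ASA 106100 syslog messages that the `log` keyword on an ACE produces. The message layout is Cisco's 106100 format; the syslog lines themselves, the addresses, the hostname and the hit counts are constructed samples.

```python
import re
from collections import Counter

# Port ranges copied from the answer's two object-groups (inclusive).
BLOCKED_UDP_PORTS = [(1024, 1193), (1195, 9999), (10001, 65535)]   # Blocked-UDP-Ports
BITTORRENT_TRACKER_TCP = [(2710, 2710), (6881, 6999)]              # BitTorrent-Tracker


def port_in_ranges(port, ranges):
    """True if `port` falls inside any (lo, hi) pair."""
    return any(lo <= port <= hi for lo, hi in ranges)


def would_deny(proto, dst_port):
    """Mirror the two deny ACEs: UDP to any Blocked-UDP-Ports port, TCP to the
    tracker ports. Anything else (including TCP 80/443) falls through to later
    ACEs, which is exactly the gap the answer describes."""
    if proto == "udp":
        return port_in_ranges(dst_port, BLOCKED_UDP_PORTS)
    if proto == "tcp":
        return port_in_ranges(dst_port, BITTORRENT_TRACKER_TCP)
    return False


def uncovered_ports(ranges, lo=0, hi=65535):
    """Return the (lo, hi) holes that `ranges` leaves open, so the VPN
    encapsulation ports the description mentions can be verified by eye."""
    holes = []
    cursor = lo
    for start, end in sorted(ranges):
        if start > cursor:
            holes.append((cursor, start - 1))
        cursor = max(cursor, end + 1)
    if cursor <= hi:
        holes.append((cursor, hi))
    return holes


# ASA message 106100 is what an ACE carrying the `log` keyword emits.
LOG_106100 = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src_if>[^/\s]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

# Constructed sample syslog lines in the 106100 format (not real captures).
SAMPLE_SYSLOG = """\
%ASA-4-106100: access-list inside_access_in denied tcp inside/192.168.1.20(51234) -> outside/203.0.113.10(6881) hit-cnt 1 first hit [0x8ed66b60, 0x0]
%ASA-4-106100: access-list inside_access_in denied udp inside/192.168.1.20(51234) -> outside/198.51.100.7(6881) hit-cnt 37 300-second interval [0x8ed66b60, 0x0]
%ASA-4-106100: access-list inside_access_in permitted udp inside/192.168.1.21(40000) -> outside/198.51.100.9(1194) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-4-106100: access-list inside_access_in denied udp inside/192.168.1.22(60000) -> outside/198.51.100.12(6969) hit-cnt 5 300-second interval [0x2b3c4d5e, 0x0]
Jan 01 2024 00:00:00 asa01 : %ASA-6-302013: Built outbound TCP connection 1 for outside:203.0.113.50/443 (203.0.113.50/443) to inside:192.168.1.23/50000 (192.168.1.23/50000)
"""


def deny_hits_by_source(syslog_text, acl="inside_access_in"):
    """Sum the hit-cnt of denied 106100 messages per inside host for one ACL.
    Lines for other ACLs, permits, or other message IDs are ignored."""
    hits = Counter()
    for line in syslog_text.splitlines():
        m = LOG_106100.search(line)
        if m and m["acl"] == acl and m["action"] == "denied":
            hits[m["src"]] += int(m["hits"])
    return hits


if __name__ == "__main__":
    print("UDP ports the object-group leaves open:", uncovered_ports(BLOCKED_UDP_PORTS))
    for src, n in deny_hits_by_source(SAMPLE_SYSLOG).most_common():
        print(f"{src}: {n} denied hits")
```

Both ACEs in the answer carry the `inactive` keyword, so they produce no 106100 messages until that keyword is removed; `uncovered_ports` shows the group skips 1194 and 10000, which is where the "except VPN encapsulation" in the description comes from.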