ASA Firewall Rule Time Based

Unanswered Question
Jul 17th, 2008

I am looking to block internet access for some of our hosts during specific time periods. I would like to block it by IP since I can make sure they always get the same IP with DHCP reservations.

I tried to put the rule in but it wiped out the default rules so I reverted it real fast.

Thanks for any help or guidance on this.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)
Loading.
dhananjoy chowdhury Thu, 07/17/2008 - 21:07

Suppose youwant to block WEB access for IP x.x.x.x from 9am to 6pm on weekdays.

- first create a time-range

myPix(config)#time-range biz_time

myPIX(config-time-range)#periodic weekdays 09:00 to 18:00

- then use the time-range in the access-list

- Suppose your existing access-list on the inside interface is 101, then

access-list 101 line 1 deny tcp host x.x.x.x any eq 80 time-range biz_time

access-list 101 line 2 deny tcp host x.x.x.x any eq 443 time-range biz_time

Hope this helps.

robertgile1 Fri, 07/18/2008 - 05:16

I'll give this a try this weekend. Now I would apply this on my inside interface, right?

Farrukh Haroon Fri, 07/18/2008 - 05:07

What do you mean by this?

"I tried to put the rule in but it wiped out the default rules so I reverted it real fast."

Regards

Farrukh

robertgile1 Fri, 07/18/2008 - 05:15

I was using the ASDM and as soon as I put a rule on the inside interface, it wiped out the default rules to allow outbound traffic.

Farrukh Haroon Fri, 07/18/2008 - 06:09

That is OK, by default all 'higher' to 'lower' security communication is enabled. But once you apply your own ACL that rule goes away (as now your applied ACL has implicit deny ip any any at the end).

Regards

Farrukh

robertgile1 Fri, 07/18/2008 - 06:36

So I will have to explicitly permit other traffic out right?

something like this: [just free hand and in no way meant to be actual commands]

access-list 100

deny 192.168.0.10 based on this_time_rule

permit any to any less secure network

Farrukh Haroon Fri, 07/18/2008 - 07:15

Yes robert, once you 'Deny' the undesired flows, you have to permit the rest.

Perhaps a better approach would be:

deny 192.168.0.10 based on this_time_rule

permit ip any

Regards

Farrukh

Actions

This Discussion