ASA Firewall Rule Time Based

Unanswered Question
Jul 17th, 2008
User Badges:

I am looking to block internet access for some of our hosts during specific time periods. I would like to block it by IP since I can make sure they always get the same IP with DHCP reservations.


I tried to put the rule in but it wiped out the default rules so I reverted it real fast.


Thanks for any help or guidance on this.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)
Loading.
dhananjoy chowdhury Thu, 07/17/2008 - 21:07
User Badges:
  • Silver, 250 points or more

Suppose youwant to block WEB access for IP x.x.x.x from 9am to 6pm on weekdays.


- first create a time-range

myPix(config)#time-range biz_time

myPIX(config-time-range)#periodic weekdays 09:00 to 18:00


- then use the time-range in the access-list

- Suppose your existing access-list on the inside interface is 101, then


access-list 101 line 1 deny tcp host x.x.x.x any eq 80 time-range biz_time

access-list 101 line 2 deny tcp host x.x.x.x any eq 443 time-range biz_time



Hope this helps.

robertgile1 Fri, 07/18/2008 - 05:16
User Badges:

I'll give this a try this weekend. Now I would apply this on my inside interface, right?

Farrukh Haroon Fri, 07/18/2008 - 05:07
User Badges:
  • Red, 2250 points or more

What do you mean by this?


"I tried to put the rule in but it wiped out the default rules so I reverted it real fast."



Regards


Farrukh

robertgile1 Fri, 07/18/2008 - 05:15
User Badges:

I was using the ASDM and as soon as I put a rule on the inside interface, it wiped out the default rules to allow outbound traffic.

Farrukh Haroon Fri, 07/18/2008 - 06:09
User Badges:
  • Red, 2250 points or more

That is OK, by default all 'higher' to 'lower' security communication is enabled. But once you apply your own ACL that rule goes away (as now your applied ACL has implicit deny ip any any at the end).


Regards


Farrukh

robertgile1 Fri, 07/18/2008 - 06:36
User Badges:

So I will have to explicitly permit other traffic out right?


something like this: [just free hand and in no way meant to be actual commands]

access-list 100

deny 192.168.0.10 based on this_time_rule

permit any to any less secure network

Farrukh Haroon Fri, 07/18/2008 - 07:15
User Badges:
  • Red, 2250 points or more

Yes robert, once you 'Deny' the undesired flows, you have to permit the rest.


Perhaps a better approach would be:


deny 192.168.0.10 based on this_time_rule

permit ip any


Regards


Farrukh

Actions

This Discussion