Purpose of time range if you can't control it :)

Answered Question
May 8th, 2009
User Badges:
  • Purple, 4500 points or more

All,


I have an ASA and I've asked about this before. I have time ranges to keep people from being able to get anywhere after a certain time. Apparently the time-range will go into effect correctly, but even though the traffic is denied in the ACL after the time-range goes inactive, it will still keep the existing sessions up.


Is there a way that I can force all connections to be dropped (other than scheduling reloads) in the ASA, and make SURE that the time-ranges are taking effect when they should?


Thanks,

John

Overall Rating: 4.7 (4 ratings)
handsy Fri, 05/08/2009 - 05:45
User Badges:

It's not ideal, but you could reduce 'timeout conn' to the minimum of 0:05:00 (5 minutes) rather than the default of an hour.

That way any user idling for more than 5 minutes will lose their connection and then be refused by the time-range ACL when retrying.


I think the 'service resetinbound' command may help too.


Hope that helps a bit :)


Jon Marshall Fri, 05/08/2009 - 05:51
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

John


One option is to write an Expect-type script that you can then schedule to run on a Linux/Windows box. This script could then log into the ASA and issue a "clear conn all" command, which would remove all connections going through the firewall.


Jon

John Blakley Fri, 05/08/2009 - 05:55
User Badges:
  • Purple, 4500 points or more

Jon,


That's a good idea. I've never written an Expect script. Is this like TCL? I'm going to have to research that one :)


Thanks!

John

Correct Answer
Jon Marshall Fri, 05/08/2009 - 06:23
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

John


Expect uses the TCL language with additional commands. If you are more familiar with Perl then it too has an Expect module, or a Telnet::Cisco module, although they can both be a bit more bother to get up and running.


Basically with Expect you can tell your script what prompt or feedback you are "expecting" from the device and then based on the response you get back you can tell your script what to send to the device. Attached is a link to a very basic expect script for logging into a router -


http://www.corecoding.com/cisco-expect-script_c32.html


should give you an idea of how it works. The interact part at the end allows you to then enter commands etc. on the CLI, but there is nothing stopping you from changing that to log in and then automatically issue commands.


Net::Telnet::Cisco is a module written in Perl specifically for logging into Cisco devices, so certain parts of what you would otherwise have to code yourself have been included.


If you are familiar with TCL use Expect; if Perl, you may want to look at the module I mentioned.


A search on the Internet usually turns up some scripts for automating simple tasks on Cisco router/switches and they could easily be modified for the ASA device.


Jon
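Putting the two replies above together, here is an added example of the scheduled Expect script Jon describes. It is not code from this thread, from the linked page, or from Cisco. Everything device-specific is an assumption: the ASA's address and credentials are read from the ASA_HOST, ASA_USER, ASA_PASS and ASA_ENABLE environment variables, SSH is used rather than telnet, and the log path /var/log/asa-clearconn.log is arbitrary. One caveat on the command itself: the "all" keyword on "clear conn" also clears to-the-box connections, which would include the SSH session the script is running over, so the script sends a plain "clear conn", which drops the through-the-box user sessions the question is about. It also runs "show time-range" and "show conn count" before and after the clear so each run leaves a record of whether the range was really inactive and how many connections were torn down.

```tcl
#!/usr/bin/expect -f
# Added example, not from the thread: log in to an ASA over SSH, enter
# enable mode, record the time-range state, clear the through-the-box
# connections, and record the result. Meant to be run from cron at the
# moment the time-range ACL goes inactive.
#
# Assumptions: credentials come from the environment (ASA_HOST, ASA_USER,
# ASA_PASS, ASA_ENABLE) and the log path below is arbitrary.

foreach v {ASA_HOST ASA_USER ASA_PASS ASA_ENABLE} {
    if {![info exists env($v)]} {
        puts stderr "asa-clearconn: $v is not set"
        exit 2
    }
}
set host   $env(ASA_HOST)
set user   $env(ASA_USER)
set pass   $env(ASA_PASS)
set enpass $env(ASA_ENABLE)

set timeout 20
log_user 0                               ;# keep device output off the terminal...
log_file -a /var/log/asa-clearconn.log   ;# ...but record it in the log (assumed path)

# ASA prompts end in ">" (user mode) or "#" (enable mode).
set user_prompt   {>\s*$}
set enable_prompt {#\s*$}

# Fail loudly instead of hanging in cron when something unexpected appears.
proc die {msg} {
    puts stderr "asa-clearconn: $msg"
    exit 1
}

spawn ssh -o StrictHostKeyChecking=yes -l $user $host
expect {
    -re {[Pp]assword:}             { send "$pass\r" }
    "Connection refused"           { die "ssh connection refused by $host" }
    "Host key verification failed" { die "unknown host key; add it to known_hosts first" }
    timeout                        { die "no password prompt from $host" }
    eof                            { die "ssh exited before prompting" }
}

# Work out which mode we landed in; a second password prompt means rejection.
set mode unknown
expect {
    -re {[Pp]assword:}  { die "login rejected for $user" }
    -re $user_prompt    { set mode user }
    -re $enable_prompt  { set mode enable }
    timeout             { die "no CLI prompt after login" }
}

if {$mode eq "user"} {
    send "enable\r"
    expect {
        -re {[Pp]assword:} { send "$enpass\r" }
        timeout            { die "no enable password prompt" }
    }
    expect {
        -re $enable_prompt { }
        -re {[Pp]assword:} { die "enable password rejected" }
        timeout            { die "enable failed" }
    }
}

# Turn off paging so long output cannot stall the script.
send "terminal pager 0\r"
expect -re $enable_prompt

# Before: is the time-range actually inactive, and how many conns exist?
send "show time-range\r"
expect -re $enable_prompt
send "show conn count\r"
expect -re $enable_prompt

# The actual work. "clear conn" drops through-the-box connections only;
# "clear conn all" would also drop to-the-box ones, including this session.
send "clear conn\r"
expect -re $enable_prompt

# After: the count should now be close to zero.
send "show conn count\r"
expect -re $enable_prompt

send "exit\r"
expect eof
```

Keep the file mode 0700 and owned by the account that runs it, and set the ASA_* variables in that account's crontab or a root-only environment file rather than on the command line, where they would be visible in the process list. If you use local command authorization on the ASA, give the script its own username at a privilege level that can run "clear conn" and the two show commands but nothing else, so a compromise of the scheduling host does not hand over full enable access to the firewall.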
