Solved: Purpose of time range if you can't control it :)

John Blakley · ‎05-08-2009

All,

I have an ASA and I've asked about this before. I have time ranges to keep people from being able to get anywhere after a certain time. Apparently, the time-range will go into effect correctly, but even if the traffic is denied in the acl after the time-range goes inactive, it will still keep the sessions up.

Is there a way that I can force all connections to be dropped (other than scheduling reloads) in the ASA, and make SURE that the time-ranges are taking effect when they should?

Thanks,

John

HTH, John *** Please rate all useful posts ***

Jon Marshall · ‎05-08-2009

John

Expect uses the TCL language with additional commands. If you are more familiar with PERL then it too has an expect module or a Telnet::Cisco module although they can both be a bit more bother to get up and running.

Basically with Expect you can tell your script what prompt or feedback you are "expecting" from the device and then based on the response you get back you can tell your script what to send to the device. Attached is a link to a very basic expect script for logging into a router -

http://www.corecoding.com/cisco-expect-script_c32.html

should give you an idea of how it works. The interact part at the end allows you to then enter commands etc. on the cli but there is nothing stopping you from changing that to log in and then automatically issue commands.

Net::Telnet::Cisco is a module written in PERL specifically for logging into Cisco devices so certain parts of what you would have to code yourself have been included.

If you are familiar with TCL use Expect, if PERL you may want look at the module i mentioned.

A search on the Internet usually turns up some scripts for automating simple tasks on Cisco router/switches and they could easily be modified for the ASA device.

Jon

View solution in original post

handsy · ‎05-08-2009

It's not ideal, but you could reduce the 'timeout conn' to the minimum 0:05:0 (5 minutes) rather than an hour which is default.

That way any user idling for >5mins will lose their connection and then be refused by the time-range ACL when retrying.

I think the 'service resetinbound' command may help too.

Hope that helps a bit :)

Jon Marshall · ‎05-08-2009

John

One option is to write an Expect type script that you can then schedule to run on a linux/windows box. This script could then log into the ASA and issue a "clear conn all" command which would remove all connections going through the firewall.

Jon

John Blakley · ‎05-08-2009

Jon,

That's a good idea. I've never written an Expect script. Is this like TCL? I'm going to have to research that one :)

Thanks!

John

HTH, John *** Please rate all useful posts ***

Jon Marshall · ‎05-08-2009

John

Expect uses the TCL language with additional commands. If you are more familiar with PERL then it too has an expect module or a Telnet::Cisco module although they can both be a bit more bother to get up and running.

Basically with Expect you can tell your script what prompt or feedback you are "expecting" from the device and then based on the response you get back you can tell your script what to send to the device. Attached is a link to a very basic expect script for logging into a router -

http://www.corecoding.com/cisco-expect-script_c32.html

should give you an idea of how it works. The interact part at the end allows you to then enter commands etc. on the cli but there is nothing stopping you from changing that to log in and then automatically issue commands.

Net::Telnet::Cisco is a module written in PERL specifically for logging into Cisco devices so certain parts of what you would have to code yourself have been included.

If you are familiar with TCL use Expect, if PERL you may want look at the module i mentioned.

A search on the Internet usually turns up some scripts for automating simple tasks on Cisco router/switches and they could easily be modified for the ASA device.

Jon