ASA5500 time-range vpn-access-hours

Unanswered Question
Jun 2nd, 2009

Client is requesting to allow VPN from 05:00am to 23:59pm. How can we ensure all VPN connections will be dropped at midnight?

Using the two in the title, it appears connections will be blocked outside of the time range, but old connections are not terminated. If I were to connect at 11:30, I could remain connected all night, which is a problem. Thanks in advance!

allenelson Thu, 06/04/2009 - 10:39

So, the ACL should be applied to the inside interface, not the actual ACL that defines the interesting traffic...?

The ACL on the inside is a permit any any. The local subnet is 10.X.X.X and the VPN remote subnet is 172.16.X.X. So I would need something like:

access-list inside extended permit ip 172.16.X.X mask 10.X.X.X mask time-range VPNHOURS
access-list inside extended deny ip 172.16.X.X mask 10.X.X.X mask
access-list inside extended permit ip any any

allenelson Thu, 06/04/2009 - 10:59

I'm testing with it right now; it does not seem to be working. Neither a permit statement with time-range, followed by a deny and then the permit ip any any, nor a deny statement with the time-range, followed by a permit ip any any. This is also being used for remote access VPN, so even though the traffic is on the inside interface, the ASA has a route pointing to the outside interface.

I tried applying the ACL on the outside as well with no luck.

This should help: the ACL is active, but traffic is not being denied on the inside.

access-list inside1 line 1 extended deny ip any time-range VPNHOURS (hitcnt=0) 0x5f2add1d

access-list inside1 line 2 extended deny ip any time-range VPNHOURS (hitcnt=0) 0x2c5dec03

access-list inside1 line 3 extended permit ip any any (hitcnt=388) 0xb93b6806

Edit again, just in case: I also have the following configured.

no sysopt connection permit-vpn

access-group inside1 in interface inside

allenelson Thu, 06/04/2009 - 11:20

The subnet is correct; not sure why that isn't working out. Currently experimenting with the vpn-filter command in the group-policy, which also isn't working out the greatest.

Took out the time-range stuff for now, now that I'm on this filter command.
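As an added example, not posted by anyone in this thread and not taken from Cisco documentation, here is how the pieces the thread mentions fit together on an ASA: a time-range, an interface ACL that references it (the inside1 variant), the vpn-filter variant in the group-policy, and a vpn-session-timeout. The names VPNHOURS, inside1, VPN_FILTER and VPNPOLICY, the networks 172.16.0.0/16 (remote pool) and 10.0.0.0/8 (inside LAN), and the 1140-minute value are all assumptions. The thread does not establish whether a time-range ACE tears down a session that was already set up inside the window; of the commands below, only vpn-session-timeout places a hard bound on how long an established session can live, and it bounds duration rather than wall-clock time.

```cisco
! Added example, not from the thread. Names and addresses are constructed:
! 172.16.0.0/16 stands in for the remote VPN pool, 10.0.0.0/8 for the inside LAN.

! 1. Hours during which VPN traffic is permitted. Evaluated against the ASA's own
!    clock, so the box should be synchronised with NTP before relying on this.
time-range VPNHOURS
 periodic daily 05:00 to 23:59

! 2. Interface-ACL variant: time-bounded permit, then an explicit deny for the same
!    pair, then the original permit-any. First match wins, so order matters.
access-list inside1 extended permit ip 172.16.0.0 255.255.0.0 10.0.0.0 255.0.0.0 time-range VPNHOURS
access-list inside1 extended deny ip 172.16.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list inside1 extended permit ip any any
access-group inside1 in interface inside

! 3. vpn-filter variant: the filter ACL is written with the remote client as source
!    and the inside network as destination; the ASA applies it to both directions.
access-list VPN_FILTER extended permit ip 172.16.0.0 255.255.0.0 10.0.0.0 255.0.0.0 time-range VPNHOURS
access-list VPN_FILTER extended deny ip any any

! 4. Attach the filter and cap session length (minutes). 1140 = 19 hours, the length
!    of the 05:00-23:59 window, so a session cannot outlive one full window. Assumed value.
group-policy VPNPOLICY attributes
 vpn-filter value VPN_FILTER
 vpn-session-timeout 1140

! 5. Verification: confirm the time-range is in the config, watch hit counters on the
!    time-bound ACE, and list live sessions to see what is still up after the window.
show running-config time-range
show access-list inside1
show access-list VPN_FILTER
show vpn-sessiondb
```

If the time-bound ACE in show access-list stays at hitcnt=0 while the trailing permit keeps climbing, as in the output quoted earlier in the thread, the ACE is not matching the traffic in question and the address pair or direction should be checked before blaming the time-range.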

