Remote Access VPN Access Hours

Unanswered Question
Dec 3rd, 2009

Hi all,

I have an ASA v8 working as Remote Access VPN concentrator , the users connect just fine, but I want limit their access to the VPN , by time .

From 08:00 to 17:00 the user can connect to the corporate network , before and after that period of time , the VPN must fail to connect.

Right now ,  if I try to connect  outside of the time configured the VPN doesnt established, thats ok  , but if the user does not tear down the VPN , he would be connected even  the period of time ends.

I need the ASA tear down automatically the connection after the hours configured.

I already thought about the vpn-session-timeout, but what happen if the user connect at 10:00 , he would be connected until 18:00 , if I configured 8 hours.

Thanks for any help.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
busterswt Thu, 12/03/2009 - 21:04

Hello,

After thinking this over, I think you can implement both vpn-session-timeout and vpn-access-hours within your group policy to mostly do what you want. For example:

Find out what timezone your ASA is using, and compare it to your own:

ciscoasa# sh clock

04:51:35.439 UTC Fri Dec 4 2009 (aka. 10:51 PM CST)

Implement the time-range in global config mode using 'time-range rangename'

ciscoasa(config)# time-range my-vpn-restriction

ciscoasa(config-time-range)# periodic daily 04:00 to 05:00

ciscoasa(config)# group-policy rack-test attributes

ciscoasa(config-group-policy)# vpn-access-hours value my-vpn-restriction

The time range of 04:00 to 05:00 permits VPN access between the hours of 10:00 PM to 11:00 PM CST. You apply this time-range within the group policy you want to affect. Any client VPN connection made during this time will live past the end time so long as the idle timeout is not exceeded. So, if a client connects at 10:59 PM they will be permitted to use the VPN for as long as they need to despite exceeding the VPN access time.

The way to work around this is to implement a VPN session timeout value within the group policy as well.

ciscoasa(config)# group-policy rack-test attributes

ciscoasa(config-group-policy)# vpn-access-hours value vpn-restriction

ciscoasa(config-group-policy)# vpn-session-timeout 30

The 30 signifies the number of minutes the VPN connection will stay alive before the ASA resets the connection. <1-35791394> is the number of minutes that can be set. After the session timeout period has been exceeded, the client VPN software will alert the user that the VPN connection has been terminated, at which point they can reconnect. If it falls within access hours, great. Otherwise, the client must wait until the appropriate time to reconnect.

So in the above example, if the user connects to the VPN at 10:59 PM their session will last 30 minutes and end at 11:29 PM. Any reconnection attempt will result in the password box continuously being presented as if they had invalid credentials. The caveat with this method is that normal VPN connections during business hours will also be disconnected every 30 minutes, creating a possible inconvenience for your users.

Hope that helps!

James

WEERAKOO69BA Sun, 05/20/2012 - 05:09

Hi James,

Do we have to mention

**ciscoasa(config)# group-policy rack-test internal(or external) befre "group-policy rack-test attributes" ??

** can't we fulfil the above senario using acess lists??

***How do you think if we need to allow this vpn  to access, only for a perticular  single ip??

Thanks

Wai Lit Loi Fri, 11/21/2014 - 12:52

Hi there,

Can this time-range technique be applied to Thin-Client SSL VPN on a Cisco Router acting as a WebVPN gateway?

 

Thanks!

TFLASCHENTR_2 Thu, 06/17/2010 - 06:45

I suggest combining it with time-based firewall access-rules.

make some firewall rules with satisfy your needs and activate the time range on those rules also.

So the user can connect in required access-hoursby vpn, but if somebody stays connected over time,

then the firewall rull will kill his traffic on absoulte time-range.

Regards

Tom

Actions

This Discussion