Timed Access list on PIX 505E

Unanswered Question
Aug 22nd, 2010

Hi,

I have been asked to set up timed ACLs to block internet traffic after 22:00. I have set this up and all works fine apart from one issue.

If there is a constant IP flow through the firewall (e.g. MSN), the session remains active, and as such traffic is allowed until a clear xlate is issued.

Is there a way to either automatically issue the clear xlate at 22:01 (like an event manager on the PIX), or a configuration to ensure the ACL will block established traffic at that time? (Note the DMZ will still need 24/7 access.)

Many thanks

Richard

Sh ver

Cisco PIX Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)

Compiled on Thu 07-Aug-08 19:42 by builders
System image file is "flash:/pix804.bin"
Config file at boot was "startup-config"

FW1 up 183 days 7 hours

Hardware:   PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: Ext: Ethernet0           : address is 0016.47cb.f654, irq 10
1: Ext: Ethernet1           : address is 0016.47cb.f655, irq 11
2: Ext: Ethernet2           : address is 000e.0ca1.5ab2, irq 5

Licensed features for this platform:
Maximum Physical Interfaces  : 6        
Maximum VLANs                : 25       
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled  
VPN-3DES-AES                 : Enabled  
Cut-through Proxy            : Enabled  
Guards                       : Enabled  
URL Filtering                : Enabled  
Security Contexts            : 2        
GTP/GPRS                     : Disabled 
VPN Peers                    : Unlimited

This platform has an Unrestricted (UR) license.

Jennifer Halim Sun, 08/22/2010 - 19:41

No, unfortunately there is no way to automatically do clear xlate at 22:01 on the PIX itself.

What can be done is probably writing a script to log into the PIX at 22:01 and issue the clear xlate; however, that would clear xlate for all traffic (not interface-specific traffic).

Another possibility is lowering the idle timeout for TCP connection (by default it's an hour) between internal subnet towards outside, so when it's been idle for a shorter period of time, it will clear the connection.

Hope that helps.
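A scripted 22:01 job does not have to clear every xlate on the box. The script below is an added example, not code from the thread or from Cisco: it reads the text of "show conn" from a PIX/ASA 7.x/8.x, picks out the inside hosts that still have live connections, and emits one "clear local-host <ip>" per host, which tears down that host's connections and xlates and leaves the DMZ alone. The connection line format, the inside subnet 192.168.1.0/24 and the DMZ subnet 172.16.5.0/24 are assumptions for the example; the sample output is constructed, not a capture from the poster's firewall, and the "clear local-host" syntax should be checked against the command reference for your release.

```python
"""Targeted session teardown for a 22:01 cron job.

Reads 'show conn' text from a PIX/ASA 7.x/8.x, selects the inside hosts that
still have live connections through the firewall, and emits one
'clear local-host <ip>' per host. Feeding those lines to the PIX (for example
over ssh from cron) drops only the inside sessions, so the DMZ keeps its
24/7 access and no global 'clear xlate' is needed.

Assumptions (not from the original thread): the connection line format below,
inside subnet 192.168.1.0/24, DMZ subnet 172.16.5.0/24.
"""
import ipaddress
import re
import sys

# Constructed sample of 'show conn' output; not a capture from the poster's firewall.
# Each connection line: <proto> <if> <ip>:<port> <if> <ip>:<port> idle h:mm:ss ...
# 'show conn' lists real (pre-NAT) addresses, which is what clear local-host takes.
SAMPLE_SHOW_CONN = """\
5 in use, 87 most used
TCP outside 203.0.113.10:1863 inside 192.168.1.20:49152 idle 0:00:03 bytes 1548 flags UIO
TCP outside 203.0.113.55:443 inside 192.168.1.31:50110 idle 0:12:40 bytes 99321 flags UIO
UDP outside 198.51.100.2:53 inside 192.168.1.20:1025 idle 0:00:10 flags -
TCP outside 203.0.113.77:25 dmz 172.16.5.10:40012 idle 0:00:01 bytes 2210 flags UIO
TCP outside 203.0.113.10:1863 inside 192.168.1.20:49153 idle 0:00:09 bytes 310 flags UIO
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<a_if>\S+)\s+(?P<a_ip>\d{1,3}(?:\.\d{1,3}){3}):\d+"
    r"\s+(?P<b_if>\S+)\s+(?P<b_ip>\d{1,3}(?:\.\d{1,3}){3}):\d+"
)


def parse_show_conn(text):
    """Yield (proto, interface, ip) for both endpoints of every connection line.
    Non-connection lines (the 'in use' header, blanks) are skipped."""
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        yield m["proto"], m["a_if"], ipaddress.ip_address(m["a_ip"])
        yield m["proto"], m["b_if"], ipaddress.ip_address(m["b_ip"])


def select_hosts(text, inside_nets, exempt_nets=()):
    """Inside hosts with at least one live connection, minus exempt (DMZ) hosts.
    Returns sorted, de-duplicated dotted-quad strings."""
    inside = [ipaddress.ip_network(n) for n in inside_nets]
    exempt = [ipaddress.ip_network(n) for n in exempt_nets]
    hosts = set()
    for _proto, _ifname, ip in parse_show_conn(text):
        if any(ip in n for n in inside) and not any(ip in n for n in exempt):
            hosts.add(ip)
    return [str(ip) for ip in sorted(hosts)]


def clear_commands(hosts):
    """PIX CLI lines that tear down each host's connections and xlates."""
    return [f"clear local-host {h}" for h in hosts]


if __name__ == "__main__":
    # Usage: ssh fw1 'show conn' | python3 clear_inside.py > cmds.txt
    # With nothing piped in, the constructed sample is used instead.
    text = SAMPLE_SHOW_CONN if sys.stdin.isatty() else sys.stdin.read()
    for cmd in clear_commands(select_hosts(text, ["192.168.1.0/24"], ["172.16.5.0/24"])):
        print(cmd)
```

Run it from cron at 22:01, pipe its output into the same SSH session that collected "show conn", and log what was cleared. Whatever logs in for the job holds a credential on disk, so use a dedicated local username rather than the enable password, and keep the firewall's clock on NTP, since the time-range itself depends on it. On the sample, the MSN host 192.168.1.20 is listed once despite three connections, and the DMZ mail host 172.16.5.10 is left alone.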

richard.jackson Mon, 08/23/2010 - 00:41

Hi halijenn


Many thanks for the quick response, this is exactly the correct answer and is now obvious to me.

Cheers

Richard


Nagaraja Thanthry Sun, 08/22/2010 - 19:47

Hello,

What kind of devices do you have behind the PIX? Do you have any Cisco switch?

If it is an L3-capable switch, then we could probably use that to implement the policy.

Regards,

NT
