08-22-2010 01:45 PM - edited 03-11-2019 11:29 AM
Hi,
I have been asked to set up timed ACLs to block internet traffic after 22:00. I have set this up and all works fine apart from one issue.
If there is a constant IP flow through the firewall (e.g. MSN), this session remains active and as such traffic is allowed until a clear xlate is issued.
Is there a way to either automatically issue the clear xlate at 22:01 (like the event manager on the PIX) or a configuration to ensure the ACL will block established traffic at that time (note the DMZ will still need 24/7 access)?
Many thanks
Richard
Sh ver
Cisco PIX Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)
Compiled on Thu 07-Aug-08 19:42 by builders
System image file is "flash:/pix804.bin"
Config file at boot was "startup-config"
FW1 up 183 days 7 hours
Hardware: PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: Ext: Ethernet0 : address is 0016.47cb.f654, irq 10
1: Ext: Ethernet1 : address is 0016.47cb.f655, irq 11
2: Ext: Ethernet2 : address is 000e.0ca1.5ab2, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : 6
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited
This platform has an Unrestricted (UR) license.
08-22-2010 07:41 PM
No, unfortunately there is no way to automatically do clear xlate at 22:01 on the PIX itself.
What can be done is probably writing a script to log into the PIX at 22:01 and issue the clear xlate; however, that would clear xlate for all traffic (not interface-specific traffic).
Another possibility is lowering the idle timeout for TCP connections (by default it's an hour) between the internal subnet and the outside, so when a connection has been idle for a shorter period of time, it will be cleared.
Hope that helps.
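The second option above (a shorter idle timeout scoped to inside-to-outside traffic, leaving the DMZ alone) can be expressed with the Modular Policy Framework. The following is an added example, not the poster's or the replier's configuration: the inside subnet 192.0.2.0/24, the interface names, and the ACL/class/policy names are placeholders, and the syntax is PIX/ASA 8.0 (on 8.2 and later the `tcp` keyword of `set connection timeout` is spelled `idle`).

```text
! Added example, not from the original thread. Assumed: inside subnet
! 192.0.2.0/24 (placeholder), interfaces named "inside" and "outside",
! PIX/ASA 8.0 syntax. DMZ traffic is unaffected because the class only
! matches inside-to-outside flows.

! Weak setting: the global default keeps an idle TCP connection for one
! hour, so a session opened before 22:00 outlives the ACL cutoff.
timeout conn 1:00:00

! Corrected: short idle timeout only for inside-to-outside TCP; the
! "reset" keyword sends a TCP RST so the client sees the close.
access-list INSIDE_TO_OUTSIDE extended permit tcp 192.0.2.0 255.255.255.0 any

class-map CM_INSIDE_OUT
 match access-list INSIDE_TO_OUTSIDE

policy-map PM_INSIDE
 class CM_INSIDE_OUT
  set connection timeout tcp 0:05:00 reset

service-policy PM_INSIDE interface inside

! Time-based ACL that denies new inside-to-outside connections after
! 22:00 (assumed to resemble what the poster already has). Note that it
! only blocks new connections; existing ones are not torn down by it.
time-range AFTER_HOURS
 periodic daily 22:00 to 23:59
 periodic daily 00:00 to 06:00

access-list INSIDE_IN extended deny ip 192.0.2.0 255.255.255.0 any time-range AFTER_HOURS
access-list INSIDE_IN extended permit ip 192.0.2.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
```

Two caveats a reviewer would check: the idle timer only fires when a flow stops sending, so a session that carries continuous keepalive traffic (the "constant IP flow" in the question) is not caught by it and still needs `clear xlate`, `clear conn`, or an external script; and the policy is tied to the inside interface, so `show service-policy interface inside` is the place to confirm the class is matching and the timeout has taken effect.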
08-23-2010 12:41 AM
08-22-2010 07:47 PM
Hello,
What kind of devices do you have behind the PIX? Do you have any Cisco switch?
If it is an L3-capable switch, then we could probably use that to implement the policy.
Regards,
NT