Timed Access list on PIX 505E

richard.jackson
Level 1

Hi,

I have been asked to set up timed ACLs to block internet traffic after 22:00. I have set this up and all works fine apart from one issue.

If there is a constant IP flow through the firewall (e.g. MSN), the session remains active and as such traffic is allowed until a clear xlate is issued.

Is there a way to either automatically issue the clear xlate at 22:01 (like an event manager on the PIX), or a configuration to ensure the ACL will block established traffic at that time (note the DMZ will still need 24/7 access)?

Many thanks

Richard

Sh ver

Cisco PIX Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)

Compiled on Thu 07-Aug-08 19:42 by builders
System image file is "flash:/pix804.bin"
Config file at boot was "startup-config"

FW1 up 183 days 7 hours

Hardware:   PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: Ext: Ethernet0           : address is 0016.47cb.f654, irq 10
1: Ext: Ethernet1           : address is 0016.47cb.f655, irq 11
2: Ext: Ethernet2           : address is 000e.0ca1.5ab2, irq 5

Licensed features for this platform:
Maximum Physical Interfaces  : 6        
Maximum VLANs                : 25       
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled  
VPN-3DES-AES                 : Enabled  
Cut-through Proxy            : Enabled  
Guards                       : Enabled  
URL Filtering                : Enabled  
Security Contexts            : 2        
GTP/GPRS                     : Disabled 
VPN Peers                    : Unlimited

This platform has an Unrestricted (UR) license.

3 Replies

Jennifer Halim
Cisco Employee

No, unfortunately there is no way to automatically do clear xlate at 22:01 on the PIX itself.

What can be done is probably writing a script to log into the PIX at 22:01 and issue the clear xlate, however, that would clear xlate for all traffic (not interface specific traffic).

Another possibility is lowering the idle timeout for TCP connection (by default it's an hour) between internal subnet towards outside, so when it's been idle for a shorter period of time, it will clear the connection.

Hope that helps.
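The scheduled clear xlate that the reply above describes, as an added example that is not part of this thread or of any Cisco tooling: an expect script, run from cron on a management host, that logs into the PIX over SSH, enters enable mode and issues clear xlate. The host, user and both passwords are assumed to come from environment variables (PIX_HOST, PIX_USER, PIX_PASS, PIX_ENABLE), and the prompts are assumed to be the stock user/enable prompts of the FW1 box shown in the sh ver output.

```expect
#!/usr/bin/expect -f
# Added example (not from the thread): clear the PIX translation table at 22:01.
# Assumed environment variables: PIX_HOST, PIX_USER, PIX_PASS, PIX_ENABLE.
# Assumed cron entry on the management host:
#   1 22 * * * /usr/local/bin/pix-clear-xlate.exp >> /var/log/pix-clear-xlate.log 2>&1

set timeout 20
set host   $env(PIX_HOST)
set user   $env(PIX_USER)
set pass   $env(PIX_PASS)
set enable $env(PIX_ENABLE)

# Refuse unknown host keys so the credentials only go to the firewall whose
# key is already in known_hosts, not to whatever answers on that address.
spawn ssh -o StrictHostKeyChecking=yes $user@$host
expect {
    -re "(?i)password:" { send -- "$pass\r" }
    timeout             { puts "no password prompt from $host"; exit 1 }
}
# User-mode prompt looks like "FW1>"; a second password prompt means the login failed.
expect {
    -re ">\\s*$"                          { }
    -re "(?i)permission denied|password:" { puts "login to $host failed"; exit 1 }
    timeout                               { puts "no user-mode prompt"; exit 1 }
}
send -- "enable\r"
expect -re "(?i)password:"
send -- "$enable\r"
# Enable-mode prompt looks like "FW1#".
expect {
    -re "#\\s*$" { }
    timeout      { puts "enable on $host failed"; exit 1 }
}
send -- "clear xlate\r"
expect -re "#\\s*$"
# Echo the (now empty) translation table into the cron log as confirmation.
send -- "show xlate\r"
expect -re "#\\s*$"
send -- "exit\r"
expect eof
```

As the reply notes, clear xlate removes every translation on the box, so existing DMZ sessions are torn down as well and have to be re-established by their clients.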

Hi halijenn

Many thanks for the quick response, this is exactly the correct answer and is now obvious to me.

Cheers

Richard


Nagaraja Thanthry
Cisco Employee

Hello,

What kind of devices do you have behind the PIX? Do you have any Cisco switch?

If it is an L3-capable switch, then we could probably use that to implement the policy.

Regards,

NT
