Is there a way to configure an ACL to automatically expire and delete itself after a set amount of time of not being hit. For example:
Say I configure a specific rule permitting a specific user using a static IP address to traverse Network A and hit an application on Server X located on Network B. Six months later I forget about said user and he or she moves to another department and no longer needs access with that IP address to that server. Is there a way to configure that rule to automatically drop off if the hit count remains at 0 for longer than X amount of days?
You can have a time-based access-list if you want to have the access-list or rule created for a certain period... But I am not sure if we have an option to get automatic deletion of the unused ACL on its own.... and I do not think we have that option.
There is no such dynamic option of deleting an ACL for not being hit by packets for a specific source/destination for a specified period of time.
The only option you have is to use a time-based ACL and set the time that you want for that source/destination traffic. Time-based ACL is as flexible as water. You can set it to use recurring time or absolute time, which is your case.
Firewall(config)# time-range Temp_Worker
Firewall(config-time-range)# absolute [start hh:mm day month year] [end hh:mm day month year]
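Since the firewall will not age out an untouched rule on its own, the closest thing to the asked-for behaviour is a periodic review of hit counters. The script below is an added example, not from this thread: it parses the standard ASA `show access-list` output layout (`access-list <name> line <n> extended <ace> (hitcnt=<count>) <hash>`) and lists the entries that have never matched, with the matching `no access-list` lines for an operator to review. The sample output is constructed.

```python
import re
from typing import Dict, List

# Constructed sample of ASA "show access-list" output (not from the thread).
SAMPLE_OUTPUT = """\
access-list outside_in; 3 elements; name hash: 0x1a2b3c4d
access-list outside_in line 1 extended permit tcp host 192.0.2.10 host 198.51.100.5 eq 443 (hitcnt=1842) 0x11111111
access-list outside_in line 2 extended permit tcp host 192.0.2.11 host 198.51.100.5 eq 443 (hitcnt=0) 0x22222222
access-list outside_in line 3 extended deny ip any any (hitcnt=97) 0x33333333
"""

# One ACE per line; the summary line ("...; 3 elements; ...") has no "line <n>" and is skipped.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<ace>.+?) "
    r"\(hitcnt=(?P<hits>\d+)\)"
)


def parse_aces(output: str) -> List[Dict]:
    """Extract ACL name, line number, ACE text and hit count from show output."""
    aces = []
    for raw in output.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            aces.append({"acl": m["acl"], "line": int(m["line"]),
                         "ace": m["ace"], "hits": int(m["hits"])})
    return aces


def stale_aces(output: str) -> List[Dict]:
    """ACEs that have never matched a packet. Treat these as review candidates,
    not as something to delete blindly: counters reset on reload or on
    'clear access-list counters', so check how long the counter has been running."""
    return [a for a in parse_aces(output) if a["hits"] == 0]


def removal_commands(output: str) -> List[str]:
    """Build the 'no access-list ...' lines an operator would review before applying."""
    return [f"no access-list {a['acl']} extended {a['ace']}" for a in stale_aces(output)]


if __name__ == "__main__":
    for cmd in removal_commands(SAMPLE_OUTPUT):
        print(cmd)
```

Run it against the saved output of `show access-list` on a schedule and the zero-hit entries are the ones to confirm with their owners; the time-range approach above still covers rules whose end date is known in advance.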