I have been asked to set up timed ACLs to block Internet traffic after 22:00. I have set this up and all works fine apart from one issue.
If there is a constant IP flow through the firewall (e.g. MSN), this session remains active and as such traffic is allowed until a clear xlate is issued.
Is there a way to either automatically issue the clear xlate at 22:01 (like an event manager on the PIX) or a configuration to ensure the ACL will block established traffic at that time (note the DMZ will still need 24/7 access)?
Cisco PIX Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)
Compiled on Thu 07-Aug-08 19:42 by builders
System image file is "flash:/pix804.bin"
Config file at boot was "startup-config"
No, unfortunately there is no way to automatically issue clear xlate at 22:01 on the PIX itself.
What can be done is probably writing a script to log into the PIX at 22:01 and issue the clear xlate; however, that would clear xlates for all traffic (not interface-specific traffic).
Another possibility is lowering the idle timeout for TCP connections (by default it's an hour) between the internal subnet and the outside, so when a connection has been idle for a shorter period of time, it will be cleared.
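The two pieces of configuration discussed in this thread, written out as an added example rather than configuration posted by either participant. Interface names (inside, outside), the subnets 192.168.1.0/24 (inside) and 172.16.0.0/24 (DMZ), the ACL, time-range and class names are all assumed; the syntax is the 8.0-era Modular Policy Framework form, so check it with `?` on the box before pasting.

```cisco
! Added example for PIX/ASA 8.0(4); names, interfaces and subnets are assumed.
!
! 1. Time-based ACL on the inside interface. The DMZ permit comes first so
!    DMZ access is never caught by the after-hours deny; the deny covers the
!    night window, and everything else is permitted during the day.
time-range AFTER_HOURS
 periodic daily 22:00 to 23:59
 periodic daily 00:00 to 06:59
!
access-list INSIDE_IN extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list INSIDE_IN extended deny ip 192.168.1.0 255.255.255.0 any time-range AFTER_HOURS
access-list INSIDE_IN extended permit ip 192.168.1.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
!
! 2. Connections already in the conn table are not re-checked against the ACL
!    when the time-range activates. Instead of lowering the global
!    "timeout conn 1:00:00", shorten the idle timeout only for inside-to-outside
!    TCP flows, leaving inside-to-DMZ connections on the default.
access-list INSIDE_TO_OUTSIDE extended deny ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list INSIDE_TO_OUTSIDE extended permit ip 192.168.1.0 255.255.255.0 any
!
class-map INSIDE_TO_OUTSIDE
 match access-list INSIDE_TO_OUTSIDE
!
policy-map global_policy
 class INSIDE_TO_OUTSIDE
  ! 15 minutes idle, then the PIX drops the conn and sends a TCP RST to both ends
  set connection timeout tcp 0:15:00 reset
!
service-policy global_policy global
```

A shorter idle timeout only helps with sessions that actually go idle. A flow that keeps sending traffic (the constant MSN flow in the question) never trips the idle timer and survives until its xlate is cleared, which is why the scripted `clear xlate` at 22:01 is still the only complete fix on this release. If that script is used, `clear local-host 192.168.1.0 255.255.255.0` is worth considering instead of a bare `clear xlate`: it tears down the connections of the inside hosts only, so DMZ and other translations are left alone.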