Cisco Support Community

New Member

Timed Access list on PIX 505E


I have been asked to setup Timed ACLs to block internet traffic after 22:00. I have set this up and all work fine apart from one issue.

If there is a constant IP flow through the firewall (eg msn), this session remains active and as such traffic is allowed until a clear xlate is issued.

Is there a way to either automatically issue the clear xlate at 22:01 (like event manager on the PIX), or a configuration to ensure the ACL will block established traffic at that time (note the DMZ will still need 24/7 access)?

Many thanks


Sh ver

Cisco PIX Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)

Compiled on Thu 07-Aug-08 19:42 by builders
System image file is "flash:/pix804.bin"
Config file at boot was "startup-config"

FW1 up 183 days 7 hours

Hardware:   PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: Ext: Ethernet0           : address is 0016.47cb.f654, irq 10
1: Ext: Ethernet1           : address is 0016.47cb.f655, irq 11
2: Ext: Ethernet2           : address is 000e.0ca1.5ab2, irq 5

Licensed features for this platform:
Maximum Physical Interfaces  : 6        
Maximum VLANs                : 25       
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled  
VPN-3DES-AES                 : Enabled  
Cut-through Proxy            : Enabled  
Guards                       : Enabled  
URL Filtering                : Enabled  
Security Contexts            : 2        
GTP/GPRS                     : Disabled 
VPN Peers                    : Unlimited

This platform has an Unrestricted (UR) license.

Cisco Employee

Re: Timed Access list on PIX 505E

No, unfortunately there is no way to automatically do clear xlate at 22:01 on the PIX itself.

What can be done is probably writing a script to log into the PIX at 22:01 and issue the clear xlate, however, that would clear xlate for all traffic (not interface specific traffic).

Another possibility is lowering the idle timeout for TCP connection (by default it's an hour) between internal subnet towards outside, so when it's been idle for a shorter period of time, it will clear the connection.

Hope that helps.
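As an added illustration of the second suggestion above (not configuration from the thread or from Cisco), this PIX 8.0 fragment pairs a time-range ACL for the inside subnet with a shorter TCP idle timeout scoped to that subnet only, so the DMZ keeps the default timeout. The subnet 192.168.1.0/24 and all ACL, class-map and policy-map names are assumed.

```text
! Added example, not from the thread. Assumed: inside subnet 192.168.1.0/24,
! object names INSIDE_IN, INSIDE_TO_OUTSIDE, INSIDE_TCP, INSIDE_POLICY.

! 1. Time-based deny for inside hosts after 22:00. This only stops NEW
!    connections; an already established session keeps flowing.
time-range AFTER_HOURS
 periodic daily 22:00 to 23:59
 periodic daily 00:00 to 05:59
!
! Put any permits inside hosts must keep 24/7 (e.g. to DMZ servers)
! above the time-ranged deny.
access-list INSIDE_IN extended deny ip 192.168.1.0 255.255.255.0 any time-range AFTER_HOURS
access-list INSIDE_IN extended permit ip 192.168.1.0 255.255.255.0 any
access-group INSIDE_IN in interface inside

! 2. Shorter TCP idle timeout (10 min instead of the 1 hour default),
!    applied on the inside interface only, so DMZ traffic is untouched.
access-list INSIDE_TO_OUTSIDE extended permit tcp 192.168.1.0 255.255.255.0 any
!
class-map INSIDE_TCP
 match access-list INSIDE_TO_OUTSIDE
!
policy-map INSIDE_POLICY
 class INSIDE_TCP
  set connection timeout tcp 0:10:00
!
service-policy INSIDE_POLICY interface inside
```

A shorter idle timeout only expires connections that actually go quiet for that long; a session that keeps sending traffic still needs the scheduled clear xlate, and after a change like this, show conn on the inside interface is the quickest way to confirm which sessions are still open past 22:00.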

New Member

Re: Timed Access list on PIX 505E

Hi halijenn


  Many thanks for the quick response, this is exactly the correct answer and is now obvious to me.



Cisco Employee

Re: Timed Access list on PIX 505E


What kind of devices do you have behind the PIX? Do you have any Cisco Switch?

If it is an L3 capable switch, then we could probably use that to implement the policy.