Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

ASA5500 time-range vpn-access-hours

Client is requesting to allow VPN from 05:00am to 23:59pm. How can we ensure all VPN connections will be dropped at midnight?

Using the two in the title, it appears connections will be blocked outside of the time range, but old connections are not terminated. If i were to connect at 11:30, I could remain connected all night which is a problem. Thanks in advance!


Re: ASA5500 time-range vpn-access-hours

What you might try is creating a timed ACL, permitting traffic from the remote VPN IP subnet into the internal network.

When the time goes over - the acl will be disabled, and traffic in theory would be dropped. The user would still be connected - but they would not be able to do anything.


Community Member

Re: ASA5500 time-range vpn-access-hours

So, the ACL should be applied to the inside interface, not the actual ACL that defines the interesting traffic.. ?

The ACL on the inside is a permit any any. The local subnet is 10.X.X.X and the VPN remote subnet is 172.16.X.X. So i would need something like..

acl inside permit ip 172.16.X.X mask 10.X.X.X mask time-range VPNHOURS

acl inside deny ip 172.16.X.X mask 10.X.X.X mask

acl inside permit ip any any

Re: ASA5500 time-range vpn-access-hours

That's correct - and you would apply it to the inside interface outbound, going onto the LAN the inside interface is connected to.


Community Member

Re: ASA5500 time-range vpn-access-hours

Im testing with it right now.. it does not seem to be working. Neither a permit statement w/ time-range, followed by a deny and then the permit ip any any


a deny statement with the time-range, followed by a permit ip any any. this is also being used for remote access vpn. so even though the traffic is on the inside interface, the ASA has a route pointing to the outside interface.

i tried applying the ACL on the outside as well with no luck.


this should help.. the ACL is active, but traffic is not being denied on the inside.

access-list inside1 line 1 extended deny ip any time-range VPNHOURS (hitcnt=0) 0x5f2add1d

access-list inside1 line 2 extended deny ip any time-range VPNHOURS (hitcnt=0) 0x2c5dec03

access-list inside1 line 3 extended permit ip any any (hitcnt=388) 0xb93b6806

edit again.. just in case.. i also have the following configured.

no sysopt connection permit-vpn

access-group inside1 in interface inside

Re: ASA5500 time-range vpn-access-hours

Check you have the correct remote IP subnet configured.

Check you have the acl attached to the correct interface in the correct destination.

Community Member

Re: ASA5500 time-range vpn-access-hours

the subnet is correct, not sure why that isnt working out. currently experimenting with the vpn-filter command in the group-policy, which also isn't working out the greatest..

took out the time-range stuff for now, now that i'm on this filter command.

CreatePlease to create content