topic time acls on ASA ios 7.0 in Network Security

time acls on ASA ios 7.0

shaila_rox — Mon, 11 Mar 2019 09:24:40 GMT

hi in lab i have ASA 5510 with 7.0,,,

the clock set on my ASA was 22:15:23

i defined a time range

time-range abc

absolute end 22:18 24 jan 2007

now i m using inside ( 10.0.0.0) and outside (20.0.0.0)interfaces. my access list is

access-list 1 permit ip host 20.0.0.1 host 10.0.0.1 time-range abc

access-group 1 in interface outside

now at outside interface i have a pc attached with ip 20.0.0.1, i issued a ping command ping 10.0.0.1 -t and my ping was going successful but when my time expires so ping should also be stopped automatically right ?? but it didnt !! wats the problem is it a bug in ios or i m doing something wrong becoz as far as i know time based acls deny access after defined time but it was not happening in my case plz tell me how to use time acls

Re: time acls on ASA ios 7.0

scheikhnajib — Fri, 26 Jan 2007 16:09:15 GMT

Have you tried to stop the ping and start it again just outside your ALLOW time ???

Re: time acls on ASA ios 7.0

shaila_rox — Sat, 27 Jan 2007 07:31:28 GMT

yes it stopped after my allowed time !!! but i think acl should have done it not me, or else wats the use of time acl ??

Re: time acls on ASA ios 7.0

Fernando_Meza — Sat, 27 Jan 2007 10:51:17 GMT

Hi .. access list checks traffic flow .. meaning that if a connections has been succesfully established .. then the rest of the packets belonging to the already established session will also be allowed. even if you modify the access list to deny a previously allowed connection, will not take effect until that connection has finished or it has been forced to re-established.

In your situation the time range will take effect for NEW attempts after the time range abc has expired.

I hope it helps .. please rate it if it does !!

Re: time acls on ASA ios 7.0

shaila_rox — Sat, 27 Jan 2007 18:45:18 GMT

then i think that purpose of time acls is failed becoz if it cannot deny the existing connections itself then wats the use ??? wat u think ???

Re: time acls on ASA ios 7.0

alanajjar — Sun, 28 Jan 2007 09:05:09 GMT

Hi,

please try to change the access list number to be in the extended range (100-199), you use the standard access list number 1 to define extended access list, hope it will benefit.

Re: time acls on ASA ios 7.0

shaila_rox — Sun, 28 Jan 2007 09:13:37 GMT

i dont think that really matters but still i will try lets hope it works

Re: time acls on ASA ios 7.0

scheikhnajib — Sun, 28 Jan 2007 12:30:44 GMT

Mate,

technically speaking it should be OK for you since PING is a special case traffic. I don't think that you are after stopping PING using a time ACL. If you want to stop HTTP or SMTP for istance, your ACL will be OK and the last connections to be allowed are the ones that are already opened; any new connection will be denied.

Cheers.

Re: time acls on ASA ios 7.0

shaila_rox — Sun, 28 Jan 2007 18:26:26 GMT

so wats the use then ??? time acl should take action when the time expires right ? wats the use if there are any existing connections remained opened.