topic I would agree with both in Network Security

Cisco ASA vs. Time-based ACL

Burgundy Burgundy — Tue, 12 Mar 2019 08:50:44 GMT

Hi everyone,

I'm using ACLs on a Cisco ASA 5512 to block Internet access to some hosts on my network during working hours and only allowing it during breaks.

The problem is that after the break, users still can browse facebook and stream radio stations. Other websites are blocked.

It takes a reboot (host's machine) to get facebook blocked again.

How can I resolve this issue?

Thanks.

clea xlate

Tagir Temirgaliyev — Fri, 27 Jan 2017 11:29:38 GMT

clea xlate

after brake

do you use time-range in ACL ? or http inspet ?

Hi Tagir,

Burgundy Burgundy — Fri, 27 Jan 2017 11:37:29 GMT

Hi Tagir,

Yes I use time ranges in ACL.

Do I have to manually clear xlate every time?

Hi Burgundy,

Pulkit Saxena — Fri, 27 Jan 2017 12:43:13 GMT

Hi Burgundy,

Pretty good query, tried looking for the answer but it seems that for now, as per the packet flow, the ACL will not kick in if we have an established session. So the user goes through.

Thus, as Tagir mentioned, "clear xlate" is an option, however that can also clear valid xlates.

Let me check further on this, give me a day or two and I will revert.

Pulkit

Please rate helpful posts.

Hi Pulkit,

Burgundy Burgundy — Fri, 27 Jan 2017 12:51:00 GMT

Hi Pulkit,

Thanks, I'd appreciate your help on that.

I would agree with both

Ajay Saini — Fri, 27 Jan 2017 13:15:45 GMT

I would agree with both Pulkit and Tagir. Just that instead of clear xlate, you might want to use clear local-host since there might be hosts having static translation.

In my opinion, unless there is an enhancement or you might want to run a script, I would say this task has to be done manually everytime:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/a1.html

I tried clear local-host, it

Burgundy Burgundy — Mon, 06 Feb 2017 19:35:31 GMT

I tried clear local-host, it resolves the facebook issue.

However it doesn't clear youtube established connections. I also tried clear xlate and clear conn... same thing.

Could you please send the

Ajay Saini — Tue, 07 Feb 2017 14:41:36 GMT

Could you please send the below outputs"

clear the connections for a specifc inside user:

clear local-host x.x.x.x

show xl | in x.x.x.x

show conn | in x.x.x.x

also, attach a packet-tracer output which will indicate if a connection is allowed.

Unless the end user is taking some other source ip address, the initial workaround should work. Please attach the outputs and we can see whats happening.

Ok, I will do that.

Burgundy Burgundy — Tue, 07 Feb 2017 14:54:34 GMT

Ok, I will do that.

I want to add something though, I think it's an issue with websites using QUIC protocol. I see udp connections to facebook and youtube that are not affected by the clear local-host command.

Hi,

Pulkit Saxena — Tue, 07 Feb 2017 15:05:52 GMT

Hi,

Apologies for the delay here. I checked and confirm that the time range ACL's are like any normal ACL's to prevent the session from being built. Once the session is built, the time range ACL's and normal ACL's are irrelevant. Even if you remove the ACL , the session will still to be up and running as long as there is traffic. Just that no new sessions can be formed. The same thing holds good for Time range ACL's. Once the timer expires, no new session will form but the existing session will be up and running till the traffic is there.

Pulkit

"clear local-host x.x.x.x"

Pulkit Saxena — Tue, 07 Feb 2017 15:12:07 GMT

"clear local-host x.x.x.x" should clear all the connections for that IP. It seems that in your case, maybe when connections are made using quick protocol it is using some other ACL or policy. And I believe we are "clear local-host" for the source IP.

Please share the output's that Ajay has asked, maybe we could find something additional.

Pulkit