https://community.cisco.com/t5/network-security/cannot-stopped-users-connect-to-internet-using-asa/m-p/1627623#M595171 <HTML><HEAD></HEAD><BODY><P>Thanks a lot Jennifer</P><P></P><P>Enjoy your Journey</P><P></P><P>Regards</P></BODY></HTML> Thu, 06 Jan 2011 10:39:20 GMT zain_gabon 2011-01-06T10:39:20Z https://community.cisco.com/t5/network-security/cannot-stopped-users-connect-to-internet-using-asa/m-p/1627616#M595143 <P>Dear All,</P><P></P><P>i have an ASA installed on my network connected to Internet.</P><P>I have also Windows Active Directory with users created.</P><P>All users connected to Internet at every time</P><P>i want to allowed internet by time and stopped certain users,</P><P>Can ASA do it with AD?</P><P></P><P>How can i do it?</P><P></P><P>Help me</P><P></P><P>Happy New Years</P><P></P><P>Regards</P> Mon, 11 Mar 2019 19:30:57 GMT https://community.cisco.com/t5/network-security/cannot-stopped-users-connect-to-internet-using-asa/m-p/1627616#M595143 zain_gabon 2019-03-11T19:30:57Z https://community.cisco.com/t5/network-security/cannot-stopped-users-connect-to-internet-using-asa/m-p/1627617#M595150 <HTML><HEAD></HEAD><BODY><P>No, unfortunately you can't integrate ASA with AD for that purpose.</P></BODY></HTML> Thu, 06 Jan 2011 09:23:05 GMT https://community.cisco.com/t5/network-security/cannot-stopped-users-connect-to-internet-using-asa/m-p/1627617#M595150 Jennifer Halim 2011-01-06T09:23:05Z https://community.cisco.com/t5/network-security/cannot-stopped-users-connect-to-internet-using-asa/m-p/1627618#M595155 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Thanks for the answers,</P><P></P><P>what can i do to stop all users to access Internet any time?</P><P></P><P>Regards</P></BODY></HTML> Thu, 06 Jan 2011 09:36:41 GMT https://community.cisco.com/t5/network-security/cannot-stopped-users-connect-to-internet-using-asa/m-p/1627618#M595155 zain_gabon 2011-01-06T09:36:41Z https://community.cisco.com/t5/network-security/cannot-stopped-users-connect-to-internet-using-asa/m-p/1627619#M595159 <HTML><HEAD></HEAD><BODY><P>You can create an access-list to stop users from using the Internet, and apply that to the inside interface of the ASA where the users are connected to.</P><P></P><P>Do you just want to stop web browsing traffic to the Internet, and still allow other type of traffic?</P><P></P><P>If you do, then here is a sample config of how you can configure it:</P><P></P><P><STRONG>access-list inside-acl deny tcp <USER-SUBNET> <MASK> any eq 80<BR /></MASK></USER-SUBNET></STRONG></P><P><STRONG>access-list inside-acl deny tcp <USER-SUBNET> <MASK> any eq 443</MASK></USER-SUBNET></STRONG></P><P><STRONG>access-list inside-acl permit ip any any</STRONG></P><P></P><P>If you already have access-list applied to the inside interface, you can just add to the existing ACL. Just make sure that the "deny" line is above the permit line.</P><P></P><P>If you have no access-list applied to the inside interface, then you would need to apply it:</P><P><STRONG>access-group inside-acl in interface inside</STRONG></P><P><BR />Hope that answers your question.</P></BODY></HTML> Thu, 06 Jan 2011 09:43:59 GMT https://community.cisco.com/t5/network-security/cannot-stopped-users-connect-to-internet-using-asa/m-p/1627619#M595159 Jennifer Halim 2011-01-06T09:43:59Z https://community.cisco.com/t5/network-security/cannot-stopped-users-connect-to-internet-using-asa/m-p/1627620#M595163 <HTML><HEAD></HEAD><BODY><P>Further to that, you can also use the time-range to specify time that you would like user to be blocked or to be permitted from browsing the Internet.</P><P></P><P>You would need to configure the time-range first, then apply that to your access-list line.</P><P></P><P>Here is the command reference for time-range:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/t.html#wp1527837">http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/t.html#wp1527837</A></P><P></P><P>and within the time-range, you would need to configure either "absolute" time or "periodic" time:</P><P><SPAN>absolute: </SPAN><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/a1.html#wp1558494">http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/a1.html#wp1558494</A></P><P><SPAN>periodic: </SPAN><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/p.html#wp1915163">http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/p.html#wp1915163</A></P><P></P><P>and apply to the access-list accordingly.</P><P></P><P><SPAN style="text-decoration: underline;"><STRONG>For example</STRONG></SPAN>:</P><P>If you would like to allow users to browse the Internet between 13:00-14:00 on weekdays, then you can configure the following:</P><P></P><P><STRONG>time-range internet-time<BR /></STRONG></P><P><STRONG>&nbsp;&nbsp;&nbsp;&nbsp; periodic weekdays 13:00 to 14:00</STRONG></P><P></P><P><STRONG>access-list inside-acl permit tcp <USER-SUBNET> <MASK> any eq 80 time-range internet-time<BR /></MASK></USER-SUBNET></STRONG></P><P><STRONG>access-list inside-acl permit tcp <USER-SUBNET> <MASK> any eq 443 time-range internet-time<BR /></MASK></USER-SUBNET></STRONG></P></BODY></HTML> Thu, 06 Jan 2011 09:49:26 GMT https://community.cisco.com/t5/network-security/cannot-stopped-users-connect-to-internet-using-asa/m-p/1627620#M595163 Jennifer Halim 2011-01-06T09:49:26Z https://community.cisco.com/t5/network-security/cannot-stopped-users-connect-to-internet-using-asa/m-p/1627621#M595166 <HTML><HEAD></HEAD><BODY><P>Thanks, Jen,</P><P></P><P>if i apply an ACL on inside interface, i will block all users.</P><P></P><P>i want to only block non important users accessing internet during working hours, and keep internet access to all directors for example</P><P></P><P>regards</P></BODY></HTML> Thu, 06 Jan 2011 10:09:16 GMT https://community.cisco.com/t5/network-security/cannot-stopped-users-connect-to-internet-using-asa/m-p/1627621#M595166 zain_gabon 2011-01-06T10:09:16Z https://community.cisco.com/t5/network-security/cannot-stopped-users-connect-to-internet-using-asa/m-p/1627622#M595169 <HTML><HEAD></HEAD><BODY><P>Then you would need to configure the user ip addresses, or user subnet in the access-list.</P></BODY></HTML> Thu, 06 Jan 2011 10:26:33 GMT https://community.cisco.com/t5/network-security/cannot-stopped-users-connect-to-internet-using-asa/m-p/1627622#M595169 Jennifer Halim 2011-01-06T10:26:33Z https://community.cisco.com/t5/network-security/cannot-stopped-users-connect-to-internet-using-asa/m-p/1627623#M595171 <HTML><HEAD></HEAD><BODY><P>Thanks a lot Jennifer</P><P></P><P>Enjoy your Journey</P><P></P><P>Regards</P></BODY></HTML> Thu, 06 Jan 2011 10:39:20 GMT https://community.cisco.com/t5/network-security/cannot-stopped-users-connect-to-internet-using-asa/m-p/1627623#M595171 zain_gabon 2011-01-06T10:39:20Z https://community.cisco.com/t5/network-security/cannot-stopped-users-connect-to-internet-using-asa/m-p/1627624#M595174 <HTML><HEAD></HEAD><BODY><P>Cheers, pls kindly mark the post as answered if you have no further question. Thank you.</P></BODY></HTML> Thu, 06 Jan 2011 11:10:09 GMT https://community.cisco.com/t5/network-security/cannot-stopped-users-connect-to-internet-using-asa/m-p/1627624#M595174 Jennifer Halim 2011-01-06T11:10:09Z https://community.cisco.com/t5/network-security/cannot-stopped-users-connect-to-internet-using-asa/m-p/1627625#M595178 <HTML><HEAD></HEAD><BODY><P>Sorry Jen,</P><P></P><P>Answers Done</P><P></P><P>Thanks</P></BODY></HTML> Thu, 06 Jan 2011 13:04:01 GMT https://community.cisco.com/t5/network-security/cannot-stopped-users-connect-to-internet-using-asa/m-p/1627625#M595178 zain_gabon 2011-01-06T13:04:01Z