https://community.cisco.com/t5/network-security/asa-firewall-rule-time-based/m-p/996224#M916493 <HTML><HEAD></HEAD><BODY><P>What do you mean by this?</P><P></P><P>"I tried to put the rule in but it wiped out the default rules so I reverted it real fast."</P><P></P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Fri, 18 Jul 2008 12:07:39 GMT Farrukh Haroon 2008-07-18T12:07:39Z https://community.cisco.com/t5/network-security/asa-firewall-rule-time-based/m-p/996222#M916481 <P>I am looking to block internet access for some of our hosts during specific time periods. I would like to block it by IP since I can make sure they always get the same IP with DHCP reservations. </P><P></P><P>I tried to put the rule in but it wiped out the default rules so I reverted it real fast. </P><P></P><P>Thanks for any help or guidance on this.</P> Mon, 11 Mar 2019 13:16:25 GMT https://community.cisco.com/t5/network-security/asa-firewall-rule-time-based/m-p/996222#M916481 robertgile1 2019-03-11T13:16:25Z https://community.cisco.com/t5/network-security/asa-firewall-rule-time-based/m-p/996223#M916485 <HTML><HEAD></HEAD><BODY><P>Suppose youwant to block WEB access for IP x.x.x.x from 9am to 6pm on weekdays.</P><P></P><P>- first create a time-range</P><P>myPix(config)#time-range biz_time</P><P>myPIX(config-time-range)#periodic weekdays 09:00 to 18:00</P><P></P><P>- then use the time-range in the access-list</P><P>- Suppose your existing access-list on the inside interface is 101, then</P><P></P><P>access-list 101 line 1 deny tcp host x.x.x.x any eq 80 time-range biz_time</P><P>access-list 101 line 2 deny tcp host x.x.x.x any eq 443 time-range biz_time</P><P></P><P></P><P>Hope this helps.</P></BODY></HTML> Fri, 18 Jul 2008 04:07:00 GMT https://community.cisco.com/t5/network-security/asa-firewall-rule-time-based/m-p/996223#M916485 dhananjoy chowdhury 2008-07-18T04:07:00Z https://community.cisco.com/t5/network-security/asa-firewall-rule-time-based/m-p/996224#M916493 <HTML><HEAD></HEAD><BODY><P>What do you mean by this?</P><P></P><P>"I tried to put the rule in but it wiped out the default rules so I reverted it real fast."</P><P></P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Fri, 18 Jul 2008 12:07:39 GMT https://community.cisco.com/t5/network-security/asa-firewall-rule-time-based/m-p/996224#M916493 Farrukh Haroon 2008-07-18T12:07:39Z https://community.cisco.com/t5/network-security/asa-firewall-rule-time-based/m-p/996225#M916500 <HTML><HEAD></HEAD><BODY><P>I was using the ASDM and as soon as I put a rule on the inside interface, it wiped out the default rules to allow outbound traffic. </P></BODY></HTML> Fri, 18 Jul 2008 12:15:20 GMT https://community.cisco.com/t5/network-security/asa-firewall-rule-time-based/m-p/996225#M916500 robertgile1 2008-07-18T12:15:20Z https://community.cisco.com/t5/network-security/asa-firewall-rule-time-based/m-p/996226#M916510 <HTML><HEAD></HEAD><BODY><P>I'll give this a try this weekend. Now I would apply this on my inside interface, right?</P></BODY></HTML> Fri, 18 Jul 2008 12:16:19 GMT https://community.cisco.com/t5/network-security/asa-firewall-rule-time-based/m-p/996226#M916510 robertgile1 2008-07-18T12:16:19Z https://community.cisco.com/t5/network-security/asa-firewall-rule-time-based/m-p/996227#M916516 <HTML><HEAD></HEAD><BODY><P>That is OK, by default all 'higher' to 'lower' security communication is enabled. But once you apply your own ACL that rule goes away (as now your applied ACL has implicit deny ip any any at the end). </P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Fri, 18 Jul 2008 13:09:37 GMT https://community.cisco.com/t5/network-security/asa-firewall-rule-time-based/m-p/996227#M916516 Farrukh Haroon 2008-07-18T13:09:37Z https://community.cisco.com/t5/network-security/asa-firewall-rule-time-based/m-p/996228#M916522 <HTML><HEAD></HEAD><BODY><P>So I will have to explicitly permit other traffic out right?</P><P></P><P>something like this: [just free hand and in no way meant to be actual commands]</P><P>access-list 100</P><P>deny 192.168.0.10 based on this_time_rule</P><P>permit any to any less secure network</P></BODY></HTML> Fri, 18 Jul 2008 13:36:05 GMT https://community.cisco.com/t5/network-security/asa-firewall-rule-time-based/m-p/996228#M916522 robertgile1 2008-07-18T13:36:05Z https://community.cisco.com/t5/network-security/asa-firewall-rule-time-based/m-p/996229#M916527 <HTML><HEAD></HEAD><BODY><P>Yes robert, once you 'Deny' the undesired flows, you have to permit the rest.</P><P></P><P>Perhaps a better approach would be:</P><P></P><P>deny 192.168.0.10 based on this_time_rule </P><P>permit ip <LAN subnet=""> any</LAN></P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Fri, 18 Jul 2008 14:15:18 GMT https://community.cisco.com/t5/network-security/asa-firewall-rule-time-based/m-p/996229#M916527 Farrukh Haroon 2008-07-18T14:15:18Z