https://community.cisco.com/t5/network-security/use-time-range-to-activate-rules/m-p/3367371#M962013 <P>Hello,</P> <P>&nbsp;</P> <P>I am trying to use a timerange to setup a any any block on my inside interface. This appears to work pretty well as when the time starts it is not possible to start a new connection. However existing connections appear to not get dropped.&nbsp; For instance a secure connection to out netscalers at work (from my home) will stay functional.&nbsp; What am I missing? or what do I need to do to terminate these existing connections?</P> <P>&nbsp;</P> <P>Thnks for your help!!</P> Fri, 21 Feb 2020 15:38:33 GMT paddy.d 2020-02-21T15:38:33Z https://community.cisco.com/t5/network-security/use-time-range-to-activate-rules/m-p/3367371#M962013 <P>Hello,</P> <P>&nbsp;</P> <P>I am trying to use a timerange to setup a any any block on my inside interface. This appears to work pretty well as when the time starts it is not possible to start a new connection. However existing connections appear to not get dropped.&nbsp; For instance a secure connection to out netscalers at work (from my home) will stay functional.&nbsp; What am I missing? or what do I need to do to terminate these existing connections?</P> <P>&nbsp;</P> <P>Thnks for your help!!</P> Fri, 21 Feb 2020 15:38:33 GMT https://community.cisco.com/t5/network-security/use-time-range-to-activate-rules/m-p/3367371#M962013 paddy.d 2020-02-21T15:38:33Z https://community.cisco.com/t5/network-security/use-time-range-to-activate-rules/m-p/3367837#M962015 <P>Hello,</P> <P>&nbsp;</P> <P>Adding a deny access rule only blocks the new connections that will be initiated, it does not drop any existing connections. Thats the way ASA is designed, for existing connections, interface acl check is bypassed. Only when you clear the connections, this new time based acl will come into effect for all the connections.</P> <P>&nbsp;</P> <P>clear conn will do the needful but that is a manual step, maybe you can try a EEM script to add the clear conn command then followed by the time based acl addition. We have to make sure that there not much time difference between clear conn and acl addition else the connection initiated between this time will survive the acl.</P> <P>&nbsp;</P> <P>Similar discussion:</P> <P>&nbsp;</P> <P><A href="https://supportforums.cisco.com/t5/firewalling/asa5520-acl-established-connections-problem/td-p/1874604" target="_blank">https://supportforums.cisco.com/t5/firewalling/asa5520-acl-established-connections-problem/td-p/1874604</A></P> <P>&nbsp;</P> <P>EEM script:</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117883-config-eem-00.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117883-config-eem-00.html</A></P> <P>&nbsp;</P> <P>Please rate helpful posts.</P> <P>&nbsp;</P> <P>HTH</P> <P>AJ</P> Wed, 18 Apr 2018 05:48:29 GMT https://community.cisco.com/t5/network-security/use-time-range-to-activate-rules/m-p/3367837#M962015 Ajay Saini 2018-04-18T05:48:29Z https://community.cisco.com/t5/network-security/use-time-range-to-activate-rules/m-p/3367939#M962017 <P>Thanks for the explanation!</P> <P>&nbsp;</P> <P>I guess it saves a lot of processing to do it this way and that is better for for the performance en throughput.&nbsp; I will have a go with eem.&nbsp; I have not used that before so should be interesting.</P> <P>&nbsp;</P> <P>Thanks again</P> <P>&nbsp;</P> <P>Patrick</P> Wed, 18 Apr 2018 08:57:56 GMT https://community.cisco.com/t5/network-security/use-time-range-to-activate-rules/m-p/3367939#M962017 paddy.d 2018-04-18T08:57:56Z