ASA connections

shaila_rox · ‎12-29-2006

i m confused abt the connections formed in ASA,, like even if i remove access-list completely still the previous connections are still there, if i want the new configuration to take place i have to clear all the connections !!! dont u think its a great flaw in ASA ?? or is there any solution to it, i m surprised why no 1 noticed it plz reply

jmayes · ‎01-01-2007

Once the connection is approved be rules in effect when the rule began, the session is permitted and inspected for other violations (but to re-approve every session at each new packet transfer would be a prohibitive overhead with thousands of simultaneous connections).

You are taking the proper steps to rewrite the rule and ten independently decide if current sessions should be dropped.

shaila_rox · ‎01-02-2007

but u see if i m implementing time based acls they r not giving the desired result, eg. i want a web server to be accesesd from 6:00 pm to 9:00 pm and i defined an time based acl for tht but even the time expires the connection already made r still active so whts the use of time based acls in this situation when i have to manually dc them all ???

cpembleton · ‎01-03-2007

You don't need to clear all the conns. Do "clear xlate ?" and you'll see many options to clear specific global or local ip's or ranges of ip's. Just clear the xlates for your web server for the new ACL's to take affect.

Hope this helps!

Chad

Please rate if this helps!

Richard Burts · ‎01-03-2007

I believe the original poster is assuming that the time based access lists are working the way that access lists work on a router where it examines individual data packets and permits or denies individual data packets. With a time based access list you could permit access to certain server addresses for specific periods of time and at other times the traffic would be denied.

But in the ASA/PIX the access list is not really looking at individual packets (as a previous post pointed out) but the access list is being used to permit connections to be made. Once the connection is made it will work until the translate times out.

One suggestion to get closer to what the original poster wants to do would be to change the timeout xlate. If you set the timeout to some fairly short period (instead of the default of 3 hours) the connections would time out more quickly and then would have to establish again. It would still not be precise in what time connections would stop working. And it might have some impact on user sessions if they are timing out and re-establishing again. But if the original poster wants to control access by time this is as close as I can come to something that will do what he wants.

HTH

Rick

HTH

Rick

shaila_rox · ‎01-12-2007

i really appreciate ur reply Rick, ok i have 2 questions so plz reply for them also, first if i m not using natting then how my problem will be solved becoz in this case there will not be any clear xlate command, i know this is not very much practical in real life but still plz tell me, and second thing i wanted to say is that ok i agree ASA looks for the connections but when i m applying a new rule why dont it immediately takes affect ?? whts the logic behind it, actually i m working in a institute n this questions arises very often, can u plz tell me