Solved: Cannot stopped users connect to Internet Using ASA

zain_gabon · ‎01-06-2011

Dear All,

i have an ASA installed on my network connected to Internet.

I have also Windows Active Directory with users created.

All users connected to Internet at every time

i want to allowed internet by time and stopped certain users,

Can ASA do it with AD?

How can i do it?

Help me

Happy New Years

Regards

Jennifer Halim · ‎01-06-2011

No, unfortunately you can't integrate ASA with AD for that purpose.

View solution in original post

Jennifer Halim · ‎01-06-2011

You can create an access-list to stop users from using the Internet, and apply that to the inside interface of the ASA where the users are connected to.

Do you just want to stop web browsing traffic to the Internet, and still allow other type of traffic?

If you do, then here is a sample config of how you can configure it:

access-list inside-acl deny tcp any eq 80

access-list inside-acl deny tcp any eq 443

access-list inside-acl permit ip any any

If you already have access-list applied to the inside interface, you can just add to the existing ACL. Just make sure that the "deny" line is above the permit line.

If you have no access-list applied to the inside interface, then you would need to apply it:

access-group inside-acl in interface inside

Hope that answers your question.

View solution in original post

Jennifer Halim · ‎01-06-2011

Further to that, you can also use the time-range to specify time that you would like user to be blocked or to be permitted from browsing the Internet.

You would need to configure the time-range first, then apply that to your access-list line.

Here is the command reference for time-range:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/t.html#wp1527837

and within the time-range, you would need to configure either "absolute" time or "periodic" time:

absolute: http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/a1.html#wp1558494

periodic: http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/p.html#wp1915163

and apply to the access-list accordingly.

For example:

If you would like to allow users to browse the Internet between 13:00-14:00 on weekdays, then you can configure the following:

time-range internet-time

periodic weekdays 13:00 to 14:00

access-list inside-acl permit tcp any eq 80 time-range internet-time

access-list inside-acl permit tcp any eq 443 time-range internet-time

View solution in original post

Jennifer Halim · ‎01-06-2011

Then you would need to configure the user ip addresses, or user subnet in the access-list.

View solution in original post

Jennifer Halim · ‎01-06-2011

Cheers, pls kindly mark the post as answered if you have no further question. Thank you.

View solution in original post

Jennifer Halim · ‎01-06-2011

No, unfortunately you can't integrate ASA with AD for that purpose.

zain_gabon · ‎01-06-2011

Hello,

Thanks for the answers,

what can i do to stop all users to access Internet any time?

Regards

Jennifer Halim · ‎01-06-2011

You can create an access-list to stop users from using the Internet, and apply that to the inside interface of the ASA where the users are connected to.

Do you just want to stop web browsing traffic to the Internet, and still allow other type of traffic?

If you do, then here is a sample config of how you can configure it:

access-list inside-acl deny tcp any eq 80

access-list inside-acl deny tcp any eq 443

access-list inside-acl permit ip any any

If you already have access-list applied to the inside interface, you can just add to the existing ACL. Just make sure that the "deny" line is above the permit line.

If you have no access-list applied to the inside interface, then you would need to apply it:

access-group inside-acl in interface inside

Hope that answers your question.

Jennifer Halim · ‎01-06-2011

Further to that, you can also use the time-range to specify time that you would like user to be blocked or to be permitted from browsing the Internet.

You would need to configure the time-range first, then apply that to your access-list line.

Here is the command reference for time-range:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/t.html#wp1527837

and within the time-range, you would need to configure either "absolute" time or "periodic" time:

absolute: http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/a1.html#wp1558494

periodic: http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/p.html#wp1915163

and apply to the access-list accordingly.

For example:

If you would like to allow users to browse the Internet between 13:00-14:00 on weekdays, then you can configure the following:

time-range internet-time

periodic weekdays 13:00 to 14:00

access-list inside-acl permit tcp any eq 80 time-range internet-time

access-list inside-acl permit tcp any eq 443 time-range internet-time

zain_gabon · ‎01-06-2011

Thanks, Jen,

if i apply an ACL on inside interface, i will block all users.

i want to only block non important users accessing internet during working hours, and keep internet access to all directors for example

regards

Jennifer Halim · ‎01-06-2011

Then you would need to configure the user ip addresses, or user subnet in the access-list.

zain_gabon · ‎01-06-2011

Thanks a lot Jennifer

Enjoy your Journey

Regards

Jennifer Halim · ‎01-06-2011

Cheers, pls kindly mark the post as answered if you have no further question. Thank you.

zain_gabon · ‎01-06-2011

Sorry Jen,

Answers Done

Thanks