Cannot stop users connecting to Internet using ASA

zain_gabon
Level 1

Dear All,

I have an ASA installed on my network, connected to the Internet.

I also have Windows Active Directory with users created.

All users are connected to the Internet at all times.

I want to allow Internet access by time and stop certain users.

Can ASA do it with AD?

How can I do it?

Help me

Happy New Year

Regards


Jennifer Halim
Cisco Employee

No, unfortunately you can't integrate ASA with AD for that purpose.

Hello,

Thanks for the answers.

What can I do to stop all users from accessing the Internet at any time?

Regards

You can create an access-list to stop users from using the Internet, and apply that to the inside interface of the ASA where the users are connected.

Do you just want to stop web browsing traffic to the Internet, and still allow other types of traffic?

If you do, then here is a sample config of how you can configure it:

access-list inside-acl deny tcp any any eq 80
access-list inside-acl deny tcp any any eq 443
access-list inside-acl permit ip any any

If you already have an access-list applied to the inside interface, you can just add to the existing ACL. Just make sure that the "deny" line is above the permit line.

If you have no access-list applied to the inside interface, then you would need to apply it:

access-group inside-acl in interface inside


Hope that answers your question.

Further to that, you can also use the time-range to specify the time that you would like users to be blocked or to be permitted from browsing the Internet.

You would need to configure the time-range first, then apply that to your access-list line.

Here is the command reference for time-range:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/t.html#wp1527837

and within the time-range, you would need to configure either "absolute" time or "periodic" time:

absolute: http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/a1.html#wp1558494

periodic: http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/p.html#wp1915163

and apply to the access-list accordingly.

For example:

If you would like to allow users to browse the Internet between 13:00-14:00 on weekdays, then you can configure the following:

time-range internet-time
     periodic weekdays 13:00 to 14:00

access-list inside-acl permit tcp any any eq 80 time-range internet-time
access-list inside-acl permit tcp any any eq 443 time-range internet-time

Thanks, Jen,

If I apply an ACL on the inside interface, I will block all users.

I want to block only non-important users from accessing the Internet during working hours, and keep Internet access for all directors, for example.

Regards

Then you would need to configure the user IP addresses, or user subnet, in the access-list.
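
The per-subnet, time-based filtering described in this reply, as an added example that is not part of the original thread. The subnets 192.168.10.0/24 (directors) and 192.168.20.0/24 (other staff), the object-group names, and the 8:00 to 17:00 window are assumptions; the ACL name and interface are the ones used in the thread.

```cisco
! Constructed addressing (assumption): directors 192.168.10.0/24,
! other staff 192.168.20.0/24. Adjust to the real user subnets.
time-range working-hours
 periodic weekdays 8:00 to 17:00
!
object-group network DIRECTORS
 network-object 192.168.10.0 255.255.255.0
object-group network STAFF
 network-object 192.168.20.0 255.255.255.0
!
! The ACL is first-match, so the directors' permits sit above the staff denies.
access-list inside-acl extended permit tcp object-group DIRECTORS any eq 80
access-list inside-acl extended permit tcp object-group DIRECTORS any eq 443
!
! These denies only exist while the time-range is active; outside working
! hours the ASA skips them and staff traffic falls through to the last line.
access-list inside-acl extended deny tcp object-group STAFF any eq 80 time-range working-hours
access-list inside-acl extended deny tcp object-group STAFF any eq 443 time-range working-hours
!
! Everything else (non-web traffic, and staff web traffic after hours).
access-list inside-acl extended permit ip any any
!
access-group inside-acl in interface inside
!
! Checks after applying (198.51.100.10 is a documentation address):
!   show clock
!   show time-range
!   show access-list inside-acl
!   packet-tracer input inside tcp 192.168.20.50 1025 198.51.100.10 80
!   packet-tracer input inside tcp 192.168.10.50 1025 198.51.100.10 80
```

The time-range is evaluated against the ASA's own clock, so a wrong clock or time zone shifts the blocking window. Because the rules match source addresses rather than AD identities, they only hold while director and staff hosts stay in their assigned subnets.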

Thanks a lot, Jennifer.

Enjoy your journey.

Regards

Cheers, please kindly mark the post as answered if you have no further questions. Thank you.

Sorry Jen,

Answers Done

Thanks
