01-27-2017 03:03 AM - edited 03-12-2019 01:50 AM
Hi everyone,
I'm using ACLs on a Cisco ASA 5512 to block Internet access to some hosts on my network during working hours and only allowing it during breaks.
The problem is that after the break, users still can browse facebook and stream radio stations. Other websites are blocked.
It takes a reboot (host's machine) to get facebook blocked again.
How can I resolve this issue?
Thanks.
01-27-2017 03:29 AM
clear xlate
after break
Do you use time-range in ACL? Or http inspect?
01-27-2017 03:37 AM
Hi Tagir,
Yes I use time ranges in ACL.
Do I have to manually clear xlate every time?
01-27-2017 04:43 AM
Hi Burgundy,
Pretty good query, tried looking for the answer but it seems that for now, as per the packet flow, the ACL will not kick in if we have an established session. So the user goes through.
Thus, as Tagir mentioned, "clear xlate" is an option, however that can also clear valid xlates.
Let me check further on this, give me a day or two and I will revert.
-
Pulkit
Please rate helpful posts.
01-27-2017 04:51 AM
Hi Pulkit,
Thanks, I'd appreciate your help on that.
02-07-2017 07:05 AM
Hi,
Apologies for the delay here. I checked and confirm that the time-range ACLs are like any normal ACLs in preventing the session from being built. Once the session is built, the time-range ACLs and normal ACLs are irrelevant. Even if you remove the ACL, the session will still be up and running as long as there is traffic. Just that no new sessions can be formed. The same thing holds good for time-range ACLs. Once the timer expires, no new session will form, but the existing session will be up and running till the traffic is there.
-
Pulkit
01-27-2017 05:15 AM
I would agree with both Pulkit and Tagir. Just that instead of clear xlate, you might want to use clear local-host since there might be hosts having static translation.
In my opinion, unless there is an enhancement or you might want to run a script, I would say this task has to be done manually every time:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/a1.html
-
AJ
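As an added example (not configuration from this thread or from Cisco; hostnames, addresses, object names and the break schedule are assumptions), the behaviour described above in ASA configuration form: a time-range ACL that only governs whether a new connection is built, followed by the per-host cleanup and checks:

```text
! Added example, not from the thread. 192.0.2.x addresses, object names and
! the 12:00-13:00 window are constructed placeholders.
! Internet access for the restricted hosts is permitted only while the
! LUNCH-BREAK time-range is active; outside it, new connections are denied.
time-range LUNCH-BREAK
 periodic weekdays 12:00 to 13:00

object-group network RESTRICTED-HOSTS
 network-object host 192.0.2.10
 network-object host 192.0.2.11

! Inbound ACL on the inside interface. The time-range keyword is evaluated
! only when a connection is created, so it never tears down an existing flow.
! UDP/443 is included because QUIC sessions (the thread's facebook/youtube
! case) are built over it and would otherwise fall through to the deny line.
access-list INSIDE-IN extended permit tcp object-group RESTRICTED-HOSTS any eq 80 time-range LUNCH-BREAK
access-list INSIDE-IN extended permit tcp object-group RESTRICTED-HOSTS any eq 443 time-range LUNCH-BREAK
access-list INSIDE-IN extended permit udp object-group RESTRICTED-HOSTS any eq 443 time-range LUNCH-BREAK
access-list INSIDE-IN extended deny ip object-group RESTRICTED-HOSTS any
access-list INSIDE-IN extended permit ip any any
access-group INSIDE-IN in interface inside

! When the break ends, connections that already exist keep passing traffic
! until they idle out. Tear them down per host (this also covers hosts with
! static translations, which clear xlate alone may leave in place):
clear local-host 192.0.2.10
clear local-host 192.0.2.11

! Confirm nothing survived for the host; any remaining UDP/443 entries here
! are the long-lived QUIC flows the thread discusses.
show conn address 192.0.2.10
show xlate | include 192.0.2.10
```

The `show conn` check is the one to watch after the break, since a flow that is still listed there will keep passing regardless of what the ACL now says.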
02-06-2017 11:35 AM
I tried clear local-host, it resolves the facebook issue.
However it doesn't clear youtube established connections. I also tried clear xlate and clear conn... same thing.
02-07-2017 06:41 AM
Could you please send the below outputs:
Clear the connections for a specific inside user:
clear local-host x.x.x.x
show xl | in x.x.x.x
show conn | in x.x.x.x
also, attach a packet-tracer output which will indicate if a connection is allowed.
Unless the end user is taking some other source IP address, the initial workaround should work. Please attach the outputs and we can see what's happening.
02-07-2017 06:54 AM
Ok, I will do that.
I want to add something though, I think it's an issue with websites using QUIC protocol. I see udp connections to facebook and youtube that are not affected by the clear local-host command.
02-07-2017 07:12 AM
"clear local-host x.x.x.x" should clear all the connections for that IP. It seems that in your case, maybe when connections are made using the QUIC protocol it is using some other ACL or policy. And I believe we are doing "clear local-host" for the source IP.
Please share the outputs that Ajay has asked for, maybe we could find something additional.
-
Pulkit