
MPF: Reset existing IM sessions.

Hello.

I'm trying to block IM with MPF. I have managed to block new logins and chats, but when the user is already logged in, the session does not terminate.

The MPF config is:

******************************************************************

class-map all_netuse

match any

policy-map type inspect im stop_im_policy
param
match prot msn
reset

policy-map stop_im
class all_netuse
inspect im stop_im_policy

service-policy stop_im interface inside

******************************************************************

I just use this config for testing. I'm supposed to use a time range to activate it so that the users can use MSN for a specific time.

So the problem is that when I assign the policy to the inside interface, users can continue using MSN if they are already logged in.

What can I do to reset the existing connections?

Regards,

Jon A.


Kureli Sankar
Cisco Employee

You need to clear xlate, which will clear all translations through the box, or you can specifically issue "clear local x.x.x.x" for a specific client IP address to clear the connections established by a certain IP address.

-KS

Hi Kusankar.

I know about the clear xlate, but I haven't been able to implement it in the MPF config.

Is there a way to do that?

Regards,

Jon A.

Nope. You cannot. clear xlate or clear local is the only way.

-KS

OH NO!!

The time range I'm supposed to use kicks in several times, at different times, every day throughout the week.

Any other ideas on how to do this without having to log in and type the command manually?

Jon

Well, in that case, just pick a time in the middle of the night when the load is light, put the MPF in place and issue "clear xlate". This will clear all translations through the box, but these will quickly re-establish and no one will even find out.

-KS

OK, let me describe the problem in another way.

The users are supposed to be allowed to use MSN on Monday 10am to 11am and 1pm to 3pm, and on Tuesday 9am to 10am, 1pm to 2pm and 5pm to 8pm.

And since I'm not around all the time to issue the clear xlate, I was hoping to use an ACL and MPF with a time range. But since the users can continue the chat they have active when the time comes, I do have a problem.

I'm pulling my hair on this....

Jon

One solution would be to set up an expect-like script on a local host that would SSH into the ASA at a certain time of day (i.e. a cron job) and issue 'clear conn port ' commands with being the TCP port for each respective IM service. Not the ideal solution, but gets the job done.

Andrew
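Putting Jon's schedule together with Andrew's cron suggestion, here is an added example (not code from anyone in this thread) that turns the allowed windows into the ASA time-range and ACL lines, plus the crontab entries that fire a connection-clearing job the moment each window closes, which is exactly when the policy starts refusing new sessions but leaves established ones in the conn table. The `time-range`, `periodic` and `access-list ... time-range` syntax is standard ASA CLI; the wrapper path `/usr/local/bin/asa-clear-im` is a placeholder for whatever performs the SSH login and `clear conn` (an expect script, for instance), and the windows and port list are constructed from the posts above.

```python
"""Generate ASA time-range/ACL config and crontab entries from an
'IM allowed' weekly schedule. Added example, not code from the thread."""

from datetime import time

# Constructed from Jon's description: (ASA weekday keyword, start, end).
ALLOWED = [
    ("monday", time(10, 0), time(11, 0)),
    ("monday", time(13, 0), time(15, 0)),
    ("tuesday", time(9, 0), time(10, 0)),
    ("tuesday", time(13, 0), time(14, 0)),
    ("tuesday", time(17, 0), time(20, 0)),
]

# cron day-of-week numbering (0 = Sunday)
CRON_DOW = {"sunday": 0, "monday": 1, "tuesday": 2, "wednesday": 3,
            "thursday": 4, "friday": 5, "saturday": 6}

# TCP ports to clear when a window closes; 1863 is the MSNP port Andrew cites.
IM_PORTS = [1863]

# Hypothetical wrapper that does the SSH login and 'clear conn'; placeholder path.
CLEAR_SCRIPT = "/usr/local/bin/asa-clear-im"


def validate(windows):
    """Return a list of problems: unknown weekdays, reversed windows, or
    overlapping windows on one day (an overlap would fire a clear while
    IM is still supposed to be allowed)."""
    problems = []
    for day, start, end in windows:
        if day not in CRON_DOW:
            problems.append(f"unknown weekday {day!r}")
        if start >= end:
            problems.append(f"{day} {start:%H:%M}-{end:%H:%M}: start is not before end")
    by_day = {}
    for day, start, end in windows:
        by_day.setdefault(day, []).append((start, end))
    for day, spans in by_day.items():
        spans.sort()
        for (s1, e1), (s2, e2) in zip(spans, spans[1:]):
            if s2 < e1:
                problems.append(f"{day}: {s1:%H:%M}-{e1:%H:%M} overlaps {s2:%H:%M}-{e2:%H:%M}")
    return problems


def asa_time_range(name, windows):
    """ASA 'time-range' block with one 'periodic' entry per allowed window."""
    lines = [f"time-range {name}"]
    for day, start, end in windows:
        lines.append(f" periodic {day} {start:%H:%M} to {end:%H:%M}")
    return lines


def asa_acl_lines(acl, name, ports):
    """ACL that permits the IM ports only while the time-range is active,
    denies them otherwise, and lets everything else through."""
    lines = [f"access-list {acl} extended permit tcp any any eq {p} time-range {name}"
             for p in ports]
    lines += [f"access-list {acl} extended deny tcp any any eq {p}" for p in ports]
    lines.append(f"access-list {acl} extended permit ip any any")
    return lines


def cron_lines(windows, ports, script=CLEAR_SCRIPT):
    """One crontab entry per window *end*, so the wrapper tears down the
    sessions already in the conn table as soon as new ones are refused."""
    ports_arg = " ".join(str(p) for p in ports)
    return [f"{end.minute} {end.hour} * * {CRON_DOW[day]} {script} {ports_arg}"
            for day, _start, end in windows]


def asa_clear_commands(ports):
    """Commands the wrapper issues in enable mode, one per IM port."""
    return [f"clear conn port {p}" for p in ports]


if __name__ == "__main__":
    problems = validate(ALLOWED)
    if problems:
        raise SystemExit("\n".join(problems))
    print("\n".join(asa_time_range("IM_ALLOWED", ALLOWED)))
    print("\n".join(asa_acl_lines("inside_in", "IM_ALLOWED", IM_PORTS)))
    print("\n".join(cron_lines(ALLOWED, IM_PORTS)))
    print("\n".join(asa_clear_commands(IM_PORTS)))
```

Run it once, paste the ASA lines into the configuration, and install the cron lines on the host that holds the SSH wrapper; the `validate` step exists because an overlapping or reversed window silently turns into a clear that fires during an allowed period.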

Jon,

You really need a tool like Websense/N2H2. The last time I checked, a few years ago when I was outside of Cisco, it was pretty pricey, about $20 a seat.

You can control 5 min. of eBay during lunch time and 15 min. of chess on Yahoo and get a detailed report of the users' browsing data if needed.

-KS

Hi.

I could use Websense, but that would just give me the same result. When the connection is already established, Websense does not disconnect it.

The way aossipov describes would be a better way then.

But I can't say I'm satisfied with this. There must be a way to control this on the FW. This is Cisco, for God's sake :-))) I know that on a Juniper box all connections are dropped when an ACL is disabled. I must find a way to do it on my Cisco box too... I must.

Jon

Jon,

Websense would definitely work for you. Every GET request will be sent over to the Websense server whether or not you have an established connection in the table. I think you should get a 30-day trial and test it out. I was very impressed when we tested it 3 years ago.

-KS

Cool, I did not know that. I will try Websense as soon as possible.

Cheers for your help :-)

Jon A.

It would only work for MSNP tunnelled through HTTP which is the non-default behavior. By default, the standalone client connects to the server at port TCP/1863 and does not use HTTP.

Andrew

Hi.

That was also something to think about. The Websense integration with ASA only filters HTTP. It might work with Websense Gateway. The other, and the biggest, problem with Websense is the pricing. I have to solve this without spending too much money.

So I guess the expect script Aossipov mentioned would be the best solution. Could you point me in the right direction, Aossipov? I have searched for expect scripts and found a lot of samples, but I haven't found the program for it. I hope you can help me with this.

Jon

Hello Jon,

At a very rudimentary level, here's something that would clear all connections involving port 1863 (10.1.1.1 is the ASA management IP, 'username' is the user and 'password' is their password, and 'enable_password' is the enable):

#!/usr/local/bin/expect -f
# Log in to the ASA over SSH, enter enable mode and clear every connection
# on TCP/1863 (MSNP). Replace username, password, enable_password and
# 10.1.1.1 with your own values; the "ASA" in the prompt patterns must
# match the device hostname. 'ssh2' is the SSH Communications client;
# on a host with OpenSSH use 'ssh' instead.

# send -s pauses 5 ms after every 5 characters so the ASA CLI keeps up
set send_slow {5 0.005}
spawn ssh2 -c 3des -l username 10.1.1.1
set SSH $spawn_id
set timeout 3
# Accept the host-key question on first connection; ignore if it never appears
expect {
        "to continue connecting" {
                send "yes\n"}
        timeout {}}
expect "ssword:"
send -s "password\n"
expect "ASA>"
send -s "en\n"
expect "ssword:"
send -s "enable_password\n"
expect "ASA#"
# The actual work: drop all connections that use TCP port 1863
send -s "clear conn port 1863\n"
expect "ASA#"
send "logout\n"
# Close the spawned session and reap it; errors here are not interesting
catch "close -i $SSH"
catch "wait -i $SSH"
exit

Andrew
