01-25-2007 11:17 AM - edited 03-11-2019 02:24 AM
Hi, in the lab I have an ASA 5510 with 7.0.
The clock set on my ASA was 22:15:23.
I defined a time range:
time-range abc
absolute end 22:18 24 jan 2007
Now I am using inside (10.0.0.0) and outside (20.0.0.0) interfaces. My access list is:
access-list 1 permit ip host 20.0.0.1 host 10.0.0.1 time-range abc
access-group 1 in interface outside
Now at the outside interface I have a PC attached with IP 20.0.0.1. I issued a ping command, ping 10.0.0.1 -t, and my ping was going successfully, but when my time expires the ping should also be stopped automatically, right?? But it didn't!! What's the problem? Is it a bug in the IOS or am I doing something wrong? Because as far as I know time-based ACLs deny access after the defined time, but it was not happening in my case. Please tell me how to use time ACLs.
01-26-2007 08:09 AM
Have you tried to stop the ping and start it again just outside your ALLOW time???
01-26-2007 11:31 PM
Yes, it stopped after my allowed time!!! But I think the ACL should have done it, not me, or else what's the use of a time ACL??
01-27-2007 02:51 AM
Hi .. an access list checks traffic flow .. meaning that if a connection has been successfully established .. then the rest of the packets belonging to the already established session will also be allowed. Even if you modify the access list to deny a previously allowed connection, it will not take effect until that connection has finished or it has been forced to re-establish.
In your situation the time range will take effect for NEW attempts after the time range abc has expired.
I hope it helps .. please rate it if it does !!
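The behaviour this reply describes, as an added Python model (not ASA code and not from anyone in this thread): the ACL and its time range are consulted only when a packet would open a new connection, so a ping started inside the range keeps matching the connection table after the range expires, and only a fresh attempt is denied. The addresses and the 22:18 24 Jan 2007 end time come from the question; the packet timestamps are constructed.

```python
# Added model of how a stateful firewall applies a time-range ACL: the ACL is
# consulted only for packets that would open a NEW connection; later packets of
# an existing connection hit the connection table and skip the ACL entirely.
from datetime import datetime

class TimeRange:
    def __init__(self, name, absolute_end):
        self.name, self.absolute_end = name, absolute_end

    def active(self, now):
        return now <= self.absolute_end  # "absolute end": active until the end time

class Ace:
    def __init__(self, action, src, dst, time_range=None):
        self.action, self.src, self.dst, self.time_range = action, src, dst, time_range

    def matches(self, src, dst, now):
        if (src, dst) != (self.src, self.dst):
            return False
        # An ACE whose time range is inactive behaves as if it were absent.
        return self.time_range is None or self.time_range.active(now)

class StatefulFirewall:
    def __init__(self, acl):
        self.acl = acl
        self.conns = set()  # established flows keyed by (src, dst, proto)

    def packet(self, src, dst, proto, now):
        key = (src, dst, proto)
        if key in self.conns:
            return "permit-existing"  # ACL is not consulted for established flows
        for ace in self.acl:
            if ace.matches(src, dst, now):
                if ace.action == "permit":
                    self.conns.add(key)
                    return "permit-new"
                return "deny"
        return "deny-implicit"

    def clear_conns(self):
        self.conns.clear()  # session torn down, e.g. the ping is stopped

def simulate():
    abc = TimeRange("abc", datetime(2007, 1, 24, 22, 18))  # end time from the question
    fw = StatefulFirewall([Ace("permit", "20.0.0.1", "10.0.0.1", abc)])
    before, after = datetime(2007, 1, 24, 22, 15), datetime(2007, 1, 24, 22, 20)  # constructed
    first = fw.packet("20.0.0.1", "10.0.0.1", "icmp", before)   # ping starts inside the range
    ongoing = fw.packet("20.0.0.1", "10.0.0.1", "icmp", after)  # same ping, range expired
    fw.clear_conns()                                            # stop the ping ...
    fresh = fw.packet("20.0.0.1", "10.0.0.1", "icmp", after)    # ... and start it again
    return first, ongoing, fresh
```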
01-27-2007 10:45 AM
Then I think that the purpose of time ACLs is defeated, because if it cannot deny the existing connections itself then what's the use??? What do you think???
01-28-2007 01:05 AM
Hi,
Please try to change the access list number to be in the extended range (100-199); you use the standard access list number 1 to define an extended access list. Hope it will benefit.
01-28-2007 01:13 AM
I don't think that really matters, but still I will try. Let's hope it works.
01-28-2007 04:30 AM
Mate,
Technically speaking it should be OK for you since PING is a special case of traffic. I don't think that you are after stopping PING using a time ACL. If you want to stop HTTP or SMTP for instance, your ACL will be OK and the last connections to be allowed are the ones that are already opened; any new connection will be denied.
Cheers.
01-28-2007 10:26 AM
So what's the use then??? A time ACL should take action when the time expires, right? What's the use if any existing connections remain open?