Use time range to activate rules

paddy.d
Level 1

Hello,

I am trying to use a time range to set up an any/any block on my inside interface. This appears to work pretty well, as when the time starts it is not possible to start a new connection. However, existing connections appear not to get dropped. For instance, a secure connection to our NetScalers at work (from my home) will stay functional. What am I missing? Or what do I need to do to terminate these existing connections?

Thanks for your help!!

Accepted Solution

Ajay Saini
Level 7

Hello,

Adding a deny access rule only blocks the new connections that will be initiated; it does not drop any existing connections. That's the way the ASA is designed: for existing connections, the interface ACL check is bypassed. Only when you clear the connections will this new time-based ACL come into effect for all the connections.

clear conn will do the needful, but that is a manual step. Maybe you can try an EEM script to add the clear conn command, followed by the time-based ACL addition. We have to make sure that there is not much time difference between clear conn and the ACL addition, else any connection initiated in between will survive the ACL.

Similar discussion:

https://supportforums.cisco.com/t5/firewalling/asa5520-acl-established-connections-problem/td-p/1874604

EEM script:

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117883-config-eem-00.html

Please rate helpful posts.

HTH

AJ
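A worked configuration for the approach described in this answer, added here as an example and not part of the original post. It assumes an ASA release with EEM support, an interface named inside, and a block window of 22:00 to 06:00; the time-range, access-list and applet names are made up for the example.

```cisco
! Time window during which all new inside-originated traffic is denied.
time-range BLOCK-HOURS
 periodic daily 22:00 to 06:00
!
! The deny ACE is only active while BLOCK-HOURS is active; outside the
! window the ASA skips it and evaluation falls through to the permit.
access-list INSIDE_IN extended deny ip any any time-range BLOCK-HOURS
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! Established flows bypass the interface ACL, so tear them down once the
! deny ACE is already active. Firing one minute after the window opens
! means a client that reconnects immediately hits the active deny instead
! of re-establishing in the gap between the two steps.
! "clear conn" flushes every through-the-box connection; it accepts
! address and port keywords if only some flows should be dropped.
event manager applet CLEAR-CONN-ON-BLOCK
 description Drop established connections after BLOCK-HOURS starts
 event timer absolute time 22:01:00
 action 1 cli command "clear conn"
 output none
```

show time-range BLOCK-HOURS and show conn count taken just before and after 22:01 confirm that the ACE is active and that the connection table was flushed.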


2 Replies


Thanks for the explanation!

I guess it saves a lot of processing to do it this way, and that is better for performance and throughput. I will have a go with EEM. I have not used that before, so it should be interesting.

Thanks again

Patrick
