06-02-2009 12:28 PM
Client is requesting to allow VPN from 05:00am to 23:59pm. How can we ensure all VPN connections will be dropped at midnight?
Using the two in the title, it appears connections will be blocked outside of the time range, but old connections are not terminated. If I were to connect at 11:30, I could remain connected all night, which is a problem. Thanks in advance!
06-03-2009 12:47 AM
What you might try is creating a timed ACL, permitting traffic from the remote VPN IP subnet into the internal network.
When the time goes over - the acl will be disabled, and traffic in theory would be dropped. The user would still be connected - but they would not be able to do anything.
HTH>
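The time-range plus ACL arrangement suggested above, written out in Cisco ASA CLI syntax. This is an added example, not configuration posted by anyone in the thread; the `periodic` window, the inside subnet 10.0.0.0/8 and the interface direction are assumptions chosen to match the question (VPN allowed 05:00 to 23:59, remote pool 172.16.31.0/24 as shown later in the thread):

```cisco
! Define the window during which VPN users may reach the LAN.
! (05:00 to 23:59 is taken from the original question.)
time-range VPNHOURS
 periodic daily 05:00 to 23:59

! Permit VPN pool -> LAN only while VPNHOURS is active; outside the
! window the first line is inactive, so the explicit deny matches.
! Order matters: the time-bound permit must precede the deny.
access-list inside1 extended permit ip 172.16.31.0 255.255.255.0 10.0.0.0 255.0.0.0 time-range VPNHOURS
access-list inside1 extended deny ip 172.16.31.0 255.255.255.0 any
access-list inside1 extended permit ip any any

! Decrypted VPN traffic bypasses interface ACLs unless this is set
! (the original poster reports having this configured).
no sysopt connection permit-vpn

! Apply towards the LAN. Direction on the inside interface is an
! assumption here; the reply above suggests outbound on inside.
access-group inside1 out interface inside
```

To check whether the time-bound line is currently active, `show access-list inside1` shows the time-range name on the entry and `show time-range VPNHOURS` reports whether it is active or inactive; if the ASA clock is not set correctly (`show clock`), a periodic time range will never match the intended hours, so confirm NTP or the clock before debugging the ACL itself.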
06-04-2009 10:39 AM
So, the ACL should be applied to the inside interface, not the actual ACL that defines the interesting traffic.. ?
The ACL on the inside is a permit any any. The local subnet is 10.X.X.X and the VPN remote subnet is 172.16.X.X. So i would need something like..
acl inside permit ip 172.16.X.X mask 10.X.X.X mask time-range VPNHOURS
acl inside deny ip 172.16.X.X mask 10.X.X.X mask
acl inside permit ip any any
06-04-2009 10:56 AM
That's correct - and you would apply it to the inside interface outbound, going onto the LAN the inside interface is connected to.
HTH>
06-04-2009 10:59 AM
I'm testing with it right now. It does not seem to be working. Neither a permit statement w/ time-range, followed by a deny and then the permit ip any any
or
a deny statement with the time-range, followed by a permit ip any any. This is also being used for remote access VPN, so even though the traffic is on the inside interface, the ASA has a route pointing to the outside interface.
I tried applying the ACL on the outside as well with no luck.
Edit:
This should help. The ACL is active, but traffic is not being denied on the inside.
access-list inside1 line 1 extended deny ip any 172.16.31.0 255.255.255.0 time-range VPNHOURS (hitcnt=0) 0x5f2add1d
access-list inside1 line 2 extended deny ip 172.16.31.0 255.255.255.0 any time-range VPNHOURS (hitcnt=0) 0x2c5dec03
access-list inside1 line 3 extended permit ip any any (hitcnt=388) 0xb93b6806
Edit again, just in case: I also have the following configured.
no sysopt connection permit-vpn
access-group inside1 in interface inside
06-04-2009 11:07 AM
Check you have the correct remote IP subnet configured.
Check you have the acl attached to the correct interface in the correct destination.
06-04-2009 11:20 AM
The subnet is correct; not sure why that isn't working out. Currently experimenting with the vpn-filter command in the group-policy, which also isn't working out the greatest.
Took out the time-range stuff for now, now that I'm on this filter command.