4.Cisco ASA Time Based Access-List



The Cisco ASA firewall supports time based access-lists. Simply said, for each entry that you configure you can specify it to be valid only during a certain time or day.

Take a look at the image below:

Cisco ASA Time Based Access-List

Above we have an inside host (R1) and a HTTP server in the DMZ (R3). Let’s say that our users on the inside should not be able to access this web server during working hours. Here’s what the configuration would look like:

ASA1(config)# clock set 13:55:00 3 December 2014

First I’ll configure the clock, next step is to create a time-range:

ASA1(config)# time-range WORK_HOURS   
ASA1(config-time-range)# periodic weekdays 09:00 to 17:00

This time-range called “WORK_HOURS” matches on weekdays and between 09:00 to 17:00.  Now we can create an access-list:

ASA1(config)# access-list INSIDE_INBOUND extended deny tcp any any eq 80 time-range WORK_HOURS
ASA1(config)# access-list INSIDE_INBOUND extended permit ip any any
ASA1(config)# access-group INSIDE_INBOUND in interface inside

The access-list above denies traffic with destination TCP port 80 but only if it’s within our time-range. All other traffic is permitted. Let’s give it a try:

R1#telnet 192.168.3.3 80
Trying 192.168.3.3, 80 ... 
% Connection refused by remote host

I’ll telnet to TCP port 80 from R1 to R3 in the DMZ and it doesn’t work. Here’s what you will see on the ASA:

ASA1# show access-list INSIDE_INBOUND
access-list INSIDE_INBOUND; 2 elements; name hash: 0x1cb98eea
access-list INSIDE_INBOUND line 1 extended deny tcp any any eq www time-range WORK_HOURS (hitcnt=3) 0xfc102fc8 
access-list INSIDE_INBOUND line 2 extended permit ip any any (hitcnt=1) 0x38288040

This traffic is denied since it matches our working hours, as a result the traffic has been dropped.

I hope this lesson has been useful, if you have any questions just leave a comment!

Comments

Post a Comment

Popular posts from this blog

Cisco ASA Packet Drop Troubleshooting

Image
As a firewall, the Cisco ASA drops packets. That’s great until it drops packets that you want to permit, and you have no idea what is going on. Fortunately, the ASA supports different tools to show you why and what packets it drops. In this lesson, we’ll cover the following tools: Connection State Interface Drops Syslog ASP Drops Packet Capture Packet Tracer Service Policy Conclusion Here is the topology I use: We use a simple topology: Two “host” devices: These are routers with ip routing disabled, and they use ASA1 as their default gateway. An HTTP server is enabled on both devices. ASA1 runs ASAv Version 9.9(2) and has two interfaces: INSIDE: security level 100 OUTSIDE: security level 0 In this topology, H1 will be able to initiate a connection to H2. H2 won’t be able to initiate a connection to H1 because we go from a  low-security level (0) to a high-security level (100) . Configurations ASA1 H1 H2 hostname ASA1 ! interface GigabitEthernet0/0 nameif INSIDE security-level 100...
Read more

show asp drop Command Usage

The  show asp drop  command shows the packets or connections dropped by the accelerated security path, which might help you troubleshoot a problem. See the general operations configuration guide for more information about the accelerated security path. This information is used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command. The following sections include each drop reason name and description, including recommendations: rame Drop Reasons   ---------------------------------------------------------------- Name: natt-keepalive NAT-T keepalive message: This counter will increment when the appliance receives an IPSec NAT-T keepalive message. NAT-T keepalive messages are sent from the IPSec peer to the appliance to keep NAT/PAT flow information current in network devices between the NAT-T IPSec peer and the appliance.   Recommendation: If you have configured IPSec NAT-T on your ...
Read more

1.Cisco ASA Clock Configuration

The Cisco ASA firewall has a battery on the motherboard that saves the clock settings. Even when it’s is powered off, the clock will be stored. There are two important reasons why you want to make sure that your ASA has the correct date/time: In case of a security breach you want to track log files for events. With an incorrect timestamp, your log files are useless. PKI (Public Key Infrastructure) that we use for digital certificates to authenticate remote users (IPSEC or SSL VPN) requires the correct date/time. The most simple method is to configure the date/time manually, you can do it like this: ASA1(config)# clock set 13:15:00 Dec 19 2014 Just use the  clock set  command and enter the correct time/date. You can verify it like this: ASA1# show clock 13:15:15.709 UTC Fri Dec 19 2014 As you can see, the default timezone is UTC. If you are in another timezone like me then you have to change this: ASA1(config)# clock timezone CET +1 Use the  clock timezone  command t...
Read more