chenzovicc
asked on
How to block an interface on a schedule
Hi Experts,
I am trying to configure a schedule time on the weekends to block my INTERNET interface at certain hours.
I configured it this way but it doesn't work:
time-range BLOCK-Internet
absolute end 18:30 27 April 2014
periodic Saturday 18:27 to 18:30
access-list outside_access_out line 1 extended deny ip 10.0.0.0 255.255.255.0 interface outside time-range BLOCK-Internet
access-group outside_access_out out interface outside.
My internet interface is defined as outside.
The firewall is CISCO ASA 5505 VER 8.4.
Please advise
ASKER
I implemented the change but I noticed that it will block permanently from the moment I configure the rule.
I would like to implement to block the outside interface on Saturdays and Sundays from 11:00pm to 6:00am the whole year 2014
Please advise
ASKER CERTIFIED SOLUTION
ASKER
I will apply it tomorrow and give you feedback.
Thanks
ASKER
Thanks for the info and the link you provided.
You're welcome.
All the best
absolute end 18:30 27 April 2014
The absence of "absolute start" means the policy goes into effect immediately, while the absence of an absolute end means the policy stays unless cancelled.
If the time on your ASA is accurate, then absolute end year of 2014 means the policy should cease to apply by 6:30pm April 27 of 2014. We're now in August 2014 meaning that policy has long expired and has no effect.
Also, in that policy, you're only blocking 3 minutes on Saturdays (6:27pm to 6:30pm).
Lastly, you're applying the policy to outbound traffic on the outside interface. The private IPs would have been translated (NAT'd) meaning you will not see traffic matching 10.x.x.x there. You should consider applying the acl to the INBOUND traffic on the INSIDE interface instead.
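A time-range and ACL that follow the points in the answer above, as an added example that is not part of the original thread. Assumptions: the requested schedule is read as Saturday 23:00 to Sunday 06:00 and Sunday 23:00 to Monday 06:00 during 2014, the ACL name inside_access_in and the interface name inside are hypothetical, and the subnet is the one from the question.

```cisco
! Added example, not from the thread. Names marked below are assumptions.
!
! Bound the policy to calendar year 2014 with both a start and an end,
! so it neither begins at configuration time nor ends early.
time-range BLOCK-Internet
 absolute start 00:00 1 January 2014 end 23:59 31 December 2014
 ! A periodic window may cross midnight by naming the ending day.
 periodic Saturday 23:00 to Sunday 6:00
 periodic Sunday 23:00 to Monday 6:00
!
! Match the real (pre-NAT) source addresses where they are still visible:
! inbound on the inside interface. "inside_access_in" is an assumed ACL name.
access-list inside_access_in line 1 extended deny ip 10.0.0.0 255.255.255.0 any time-range BLOCK-Internet
! Once an ACL is bound to the interface, traffic outside the blocked
! window needs an explicit permit after the timed deny.
access-list inside_access_in extended permit ip 10.0.0.0 255.255.255.0 any
access-group inside_access_in in interface inside
!
! Checks to run from privileged EXEC after applying the configuration:
!   show clock                        (the schedule follows the ASA's own clock)
!   show time-range BLOCK-Internet    (reports whether the range is active or inactive)
!   show access-list inside_access_in (hit counts on the timed deny entry)
```

If an ACL is already bound inbound on the inside interface, add the timed deny as line 1 of that existing ACL instead of creating a second one.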