[c-nsp] ASA v8 , VPN, and time-range access-lists

William willay at gmail.com
Tue Jul 28 09:00:26 EDT 2009


Hi chaps,

I want to have my VPN Client users bound to time ranges so they can
only connect during a certain period of time on weekdays. Typically my
remote guys will connect at the start of the day and stay connected
till the very end of it or not disconnect at all.

I've been experimenting with access-hours settings on the group policy
and time-range access lists, from what I have worked out if a user is
connected before the access-hours kicks in (i.e. when they aren't
allowed to connect) they will remain connected until they disconnect
by hand or if I boot them off manually.

I decided to try out the time range access-lists on the outside
interface to block their connection attempts once they have logged in
via VPN and start up their application, this seems to work for when
I've connected out of the allowed time but if I am connected before
the time-range kicks in my connection stays active (I was running a
simple ping -t host). Although I did notice after a certain period of
time (around 30 minutes) my pings stopped replying and the
access-list worked.

Am I doing something wrong, hence why the time range access-lists
aren't working properly? The time on the FW is always correct and
sync'd to NTP and I'd appreciate any help!

Cheers,

W
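The constructs the post experiments with (a time-range, a time-bound entry in the outside interface ACL, and the group-policy access-hours setting), as an added configuration example that is not from the original post. Names, addresses and hours are assumptions: the group policy, ACL and time-range names and the 203.0.113.0/24 addresses are constructed for illustration, and the syntax is ASA 8.x as the thread discusses.

```cisco
! Added example, not the poster's configuration. All names and addresses are assumed.
! 1. Define the allowed window (weekdays, 08:00-18:00 firewall local time).
time-range WEEKDAY_HOURS
 periodic weekdays 08:00 to 18:00
!
! 2. Tie VPN login to the window: vpn-access-hours only gates new logins,
!    and vpn-idle-timeout (minutes) limits how long an idle session survives.
group-policy REMOTE_USERS attributes
 vpn-access-hours value WEEKDAY_HOURS
 vpn-idle-timeout 30
!
! 3. Time-bound entries on the outside interface ACL (ICMP shown because
!    the poster tested with ping; 203.0.113.10 is a constructed host).
access-list OUTSIDE_IN extended permit icmp any host 203.0.113.10 time-range WEEKDAY_HOURS
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443 time-range WEEKDAY_HOURS
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside
!
! 4. Checks: confirm the window is active, then look at what is still in
!    the connection table after the window closes.
! show time-range WEEKDAY_HOURS
! show conn address 203.0.113.10
! show vpn-sessiondb remote
!
! 5. Flows that already exist in the connection table keep passing after the
!    time-range goes inactive; to enforce immediately, clear them:
! clear local-host 203.0.113.50
! vpn-sessiondb logoff name <username>
```

The caveat this illustrates is a general ASA behaviour: an interface ACL is consulted when a connection is created, so an entry's time-range going inactive stops new connections but does not tear down flows already in the connection table. Those flows persist until they time out or are cleared (`show conn` to inspect, `clear local-host` or `vpn-sessiondb logoff` to remove), which is consistent with an established session outliving the start of the blocked period.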
