[c-nsp] ASA v8 , VPN, and time-range access-lists

Ryan West rwest at zyedge.com
Tue Jul 28 09:59:50 EDT 2009


William,

This was discussed on another list as well, but it seems the router time-based ACLs are absolute and that the ASA waits for active sessions to time out, at least when used with vpn-filter.  I believe the vpn-filter is only called once when the user first connects; if you have to make changes to that ACL, it requires a user re-auth.  It would be nice if something like kron existed for the ASA, you could just force a re-auth at 5:00PM.  Have you looked at using 'vpn-access-hours' under the group-policy?

I noticed John mentioned using Radius for the access-hours, but I've been using LDAP a lot for authorization, although I guess that function of Radius would be under authentication.

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of William
Sent: Tuesday, July 28, 2009 9:00 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ASA v8 , VPN, and time-range access-lists

Hi chaps,

I want to have my VPN Client users bound to time ranges so they can
only connect during a certain period of time on weekdays. Typically my
remote guys will connect at the start of the day and stay connected
till the very end of it or not disconnect at all.

I've been experimenting with access-hours settings on the group policy
and time-range access lists, from what I have worked out if a user is
connected before the access-hours kicks in (i.e. when they aren't
allowed to connect) they will remain connected until they disconnect
by hand or if I boot them off manually.

I decided to try out the time range access-lists on the outside
interface to block their connection attempts once they have logged in
via VPN and start up their application, this seems to work for when
I've connected out of the allowed time but if I am connected before
the time-range kicks in my connection stays active (I was running a
simple ping -t host). Although I did notice after a certain period of
time (around 30 minutes) my pings stopped replying and the
access-list worked.

Am I doing something wrong hence why the time range access-lists
aren't working properly? The time on the FW is always correct and
sync'd to NTP and I'd appreciate any help!

Cheers,

W
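For readers following this thread, here is an added example (not from either poster's configuration) of what the reply's suggestion looks like on an ASA 8.x: a time-range, a vpn-filter ACL that references it, and vpn-access-hours on the group-policy. All names (WORKHOURS, REMOTE_WORKERS, VPN_FILTER_ACL, VPN_POOL), the 10.10.0.0/24 client pool, the 192.168.50.0/24 server subnet and the NTP server 192.0.2.10 are assumptions. The session-timeout line is a caveat added here, not something either message mentions: as both posts describe, neither vpn-access-hours nor a time-range ACL tears down a tunnel that was already up when the window closed, so a hard session limit is one way to bound how long such a session can survive.

```text
! Added example of an ASA 8.x group-policy with time-based access.
! Names and addresses are assumed; adjust to your own environment.

! Any time-range is only as good as the clock. The original poster
! already syncs to NTP; shown here for completeness.
ntp server 192.0.2.10

! Business hours, weekdays only. "periodic" entries repeat each week;
! "absolute" entries would fire once and never again.
time-range WORKHOURS
 periodic weekdays 07:30 to 18:30

! Client address pool handed out to the VPN users.
ip local pool VPN_POOL 10.10.0.1-10.10.0.254 mask 255.255.255.0

! Per-session filter. As the reply notes, the ASA applies vpn-filter
! when the tunnel comes up; editing this ACL afterwards (or the
! time-range expiring) does not by itself drop connected users.
access-list VPN_FILTER_ACL extended permit ip 10.10.0.0 255.255.255.0 192.168.50.0 255.255.255.0 time-range WORKHOURS
access-list VPN_FILTER_ACL extended deny ip any any

group-policy REMOTE_WORKERS internal
group-policy REMOTE_WORKERS attributes
 ! Refuse NEW logins outside the window (the reply's suggestion).
 vpn-access-hours value WORKHOURS
 vpn-filter value VPN_FILTER_ACL
 ! Caveat (added here): cap session length so a tunnel brought up at
 ! 07:30 cannot outlive the 18:30 close. 660 minutes = 11 hours.
 vpn-session-timeout 660
 ! Drop sessions that go quiet for 30 minutes.
 vpn-idle-timeout 30

tunnel-group REMOTE_WORKERS type remote-access
tunnel-group REMOTE_WORKERS general-attributes
 address-pool VPN_POOL
 default-group-policy REMOTE_WORKERS

! Manual equivalent of the "kron at 5:00PM" the reply wishes for,
! run from privileged EXEC rather than configuration mode:
!   vpn-sessiondb logoff tunnel-group REMOTE_WORKERS
```

Two things to check after applying something like this: `show time-range WORKHOURS` should report the range as active or inactive in line with the ASA's clock (`show clock`), and `show vpn-sessiondb remote` lists the sessions that would still need the manual logoff once the window closes.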
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
