Time-based ACL on ASA firewall

I had a request to limit the bandwidth of some hosts in a LAN only during business hours. Not knowing that time-based ACLs are supported, I decided to do that without the time component on the local ASA 5510 firewall located at the border of the network. After doing that, something caught my eye while browsing through the ASDM:

The "Time ranges" object. This has a very flexible definition with 2 layers. The first layer defines the start time and the end time (for example: the time range of the second layer will begin on 03.03.2008, 2100 hours and end on 05.03.2008, 0800 hours). The second layer is weekly-based: either select the days of the week with an hourly interval, or select a weekly interval when this range will be active.

For example, if you want to define the range of working hours (9:00 to 17:00) you can do it like this:

time-range working_hours
periodic weekdays 9:00 to 17:00

Now back to the starting case, limiting some hosts during business hours:

  • define the time range - done above;
  • define an ACL with the IPs of the hosts (<host-ip> below is a placeholder for each host's address), for example:
access-list limit extended permit ip host <host-ip> any time-range working_hours
access-list limit extended permit ip any host <host-ip> time-range working_hours

  • make a class-map:
class-map class
match access-list limit

  • write a policy-map for policing at 2 Mbps (in this example):
policy-map outside-policy
class class
police input 2000000 16000
police output 2000000 16000
service-policy outside-policy interface outside

Or you can do it with ASDM :D
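
The two layers described above can be combined in one time range and then checked on the device. This is an added example, not part of the original post: the name limit_window and the address 192.0.2.10 are placeholders, and the dates reuse the ones from the description above.

```cisco
! Constructed example. limit_window and 192.0.2.10 are placeholders.
!
! Layer 1 (absolute): the window in which the range can be active at all.
! Layer 2 (periodic): the weekly schedule applied inside that window.
time-range limit_window
 absolute start 21:00 3 March 2008 end 08:00 5 March 2008
 periodic weekdays 9:00 to 17:00
!
! Both directions for the limited host, tied to the time range.
access-list limit extended permit ip host 192.0.2.10 any time-range limit_window
access-list limit extended permit ip any host 192.0.2.10 time-range limit_window
!
! Checks after applying the class-map and policy-map from the steps above:
!
! The time range is evaluated against the ASA's own clock.
show clock
show ntp status
!
! Shows the definition and whether the range is currently active.
show time-range limit_window
!
! Entries whose time range is not in effect are marked (inactive).
show access-list limit
!
! Policing counters for the policy attached to the outside interface.
show service-policy interface outside
```

Outside the time range the ACL entries do not match, so the class-map does not classify the traffic and the hosts are not policed.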


1 Response to " Time-based ACL on ASA firewall "

Anonymous said... July 19, 2013 at 12:52 PM

Exactly what I was looking for...many thanks for this! Chris

