Restricting DMZ server access with time based ACL on ASA
One of the features of Access Control Lists on Cisco ASA firewalls (also available on IOS routers) is that you can schedule when a particular ACL entry is active. That is, a specific access-list statement stays disabled until the clock enters a configured time range, and is disabled again when the range ends. This is useful when you want to allow traffic to certain servers only during specific periods. In the example below we allow access to a DMZ FTP server only during working hours (weekdays, 9am to 5pm).
To configure the time range follow the steps below:
ASA(config)# time-range name
ASA(config-time-range)# periodic days-of-the-week time to [days-of-the-week] time
The parameter “days-of-the-week” can take the following values:
monday, tuesday, wednesday, thursday, friday, saturday, sunday
weekdays
daily
weekend
The configuration is as follows:
ASA(config)# time-range working-hours
ASA(config-time-range)# periodic weekdays 9:00 to 17:00
ASA(config)# access-list FTP-ACCESS extended permit tcp any host 199.1.1.1 eq ftp time-range working-hours
ASA(config)# access-group FTP-ACCESS in interface outside
ASA(config)# static (DMZ,outside) 199.1.1.1 10.0.0.1 netmask 255.255.255.255
Source: Networkestrning.com
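Because the ACL entry is enabled and disabled purely by the firewall's own clock, it is worth checking ahead of deployment which moments a `periodic` statement actually covers (the ASA's timezone and NTP configuration decide what "9:00" means). The following Python evaluator is an added example, not code from the original post or from Cisco: it parses the `periodic` syntax shown above, including the `weekdays`/`weekend`/`daily` keywords and the single-day form with a different end day, and reports whether an access-list entry carrying a `time-range` keyword applies at a given time. It assumes the end time is exclusive and that the supplied datetime is already in the firewall's local time; the sample ACL line and dates are constructed for the demonstration.

```python
# Added example: offline evaluator for ASA-style "periodic" time-range statements.
# Assumptions (not from the original post): end time is exclusive, and the datetime
# passed in is already expressed in the firewall's local clock.
from datetime import datetime

DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAY_GROUPS = {"weekdays": DAY_NAMES[:5], "weekend": DAY_NAMES[5:], "daily": DAY_NAMES}
WEEK = 7 * 24 * 60  # minutes in a week


def _hhmm(text):
    """'9:00' -> 540 (minutes since midnight), rejecting out-of-range values."""
    h, m = text.split(":")
    h, m = int(h), int(m)
    if not (0 <= h <= 23 and 0 <= m <= 59):
        raise ValueError(f"bad time: {text}")
    return h * 60 + m


def parse_periodic(statement):
    """Turn 'periodic <days> HH:MM to [day] HH:MM' into (start, end) windows
    measured in minutes from Monday 00:00. A window may wrap past Sunday."""
    tokens = statement.strip().lower().split()
    if not tokens or tokens[0] != "periodic" or "to" not in tokens:
        raise ValueError(f"not a periodic statement: {statement!r}")
    to = tokens.index("to")
    days = []
    for tok in tokens[1:to - 1]:
        if tok in DAY_GROUPS:
            days.extend(DAY_GROUPS[tok])
        elif tok in DAY_NAMES:
            days.append(tok)
        else:
            raise ValueError(f"unknown day keyword: {tok}")
    if not days:
        raise ValueError("no day-of-week given")
    start = _hhmm(tokens[to - 1])
    rest = tokens[to + 1:]
    windows = []
    if len(rest) == 2:  # 'periodic friday 18:00 to monday 8:00' form
        end_day, end = rest[0], _hhmm(rest[1])
        if len(days) != 1 or end_day not in DAY_NAMES:
            raise ValueError("an end day requires exactly one start day")
        s = DAY_NAMES.index(days[0]) * 1440 + start
        e = DAY_NAMES.index(end_day) * 1440 + end
        if e <= s:  # window crosses Sunday midnight
            e += WEEK
        windows.append((s, e))
    elif len(rest) == 1:  # same-day window repeated on each listed day
        end = _hhmm(rest[0])
        if end <= start:
            raise ValueError("end time must be after start time")
        for d in days:
            base = DAY_NAMES.index(d) * 1440
            windows.append((base + start, base + end))
    else:
        raise ValueError("malformed end of statement")
    return windows


def time_range_active(windows, when):
    """True if the datetime `when` falls inside any window (handles wrap-around)."""
    w = when.weekday() * 1440 + when.hour * 60 + when.minute
    return any(s <= t < e for s, e in windows for t in (w, w + WEEK))


def acl_entry_active(acl_line, time_ranges, when):
    """Entries without a time-range keyword are always active; others follow
    the named range, which must exist in `time_ranges`."""
    tokens = acl_line.split()
    if "time-range" not in tokens:
        return True
    name = tokens[tokens.index("time-range") + 1]
    return time_range_active(time_ranges[name], when)


if __name__ == "__main__":
    # Constructed sample mirroring the post's configuration.
    ranges = {"working-hours": parse_periodic("periodic weekdays 9:00 to 17:00")}
    entry = ("access-list FTP-ACCESS extended permit tcp any host 199.1.1.1 "
             "eq ftp time-range working-hours")
    for when in (datetime(2024, 1, 10, 12, 0), datetime(2024, 1, 13, 12, 0)):
        state = "permit" if acl_entry_active(entry, ranges, when) else "inactive"
        print(when.strftime("%A %H:%M"), "->", state)
```

Running the script prints the Wednesday noon case as `permit` and the Saturday noon case as `inactive`. Feeding every `periodic` line from a configuration through `parse_periodic` and sampling a week of timestamps is a quick way to confirm that no entry is silently open outside the intended hours.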