Access-List

The implementation of access-list is the same as before on the PIX firewall, with some additional features that are discussed in the sections that follow.

time-range Keyword

The time-range keyword provides a way for the Network Security Manager to specify a time interval when connectivity to the specified destinations is permitted or denied. Multiple time ranges can be defined. The command allows easy and routine control of traffic connectivity through the firewall device.

The time-range keyword is used to control the execution of various features in the PIX/ASA. The time-range feature is available in access control and VPN access hours (an attribute of group policy).

First, define a period of time (start/stop, certain days, and so on) that can be evaluated to a true/false condition when compared to the current appliance time.

Then, place the keyword qualifier Time-Range with the name as one of the last parameters on an access-list statement that describes the connectivity path.

The Time-Range keyword, when applied on an access-list statement, identifies a statement that is applied only when the current time of the security appliance clock is in the time period specified by the command (a true condition). Example 3-3 shows how to configure the time-range option.

Example 3-3. Using the time-range Command

! Choose a time-range name:
PIX(config)# time-range ?
WORD < 64 char Time range name
PIX(config)# time-range sevt
PIX(config-time-range)# ?
! More than one periodic entry can be defined. Decide how to specify the time period:
PIX(config-time-range)# ?
Time range configuration commands:
absolute absolute time and date (one per time-range)
exit Exit from time-range configuration mode
help Help for time-range configuration commands
no Negate a command or set its defaults
periodic periodic time and date (multiple are permitted)
! More than one time-range entry can be made. An absolute entry may have both a start and an end,
! just a start with no end, or just an end with no start (immediate start).
PIX(config-time-range)# absolute ?
end ending time and date
start starting time and date
PIX(config-time-range)# periodic ?
Friday Friday
Monday Monday
Saturday Saturday
Sunday Sunday
Thursday Thursday
Tuesday Tuesday
Wednesday Wednesday
daily Every day of the week
weekdays Monday thru Friday
weekend Saturday and Sunday
! And finally a configuration
. . .
time-range BusinessHours
absolute start 10
periodic weekdays 7
. . .
access-list outside_mpc_in remark Only WWW traffic goes to DMZ
access-list outside_mpc_in extended permit tcp any 1.1.1.0 255.255.255.0 eq www time-range BusinessHours
. . .
! "show time-range", "show clock" and "show access-list" are useful debugging commands
! when trying to determine if a time-range or ACE is active at the current time, e.g.
! (note the "(inactive)" label on the ACE below):
PIX# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list ACL1; 2 elements
access-list ACL1 line 1 extended permit ip any any time-range TR1 (hitcnt=0) (inactive)
access-list ACL1 line 2 extended deny ip any any (hitcnt=0)
PIX#

Enable/Disable

Access Control Lists (ACLs) are common traffic control commands. PIX OS 7.0 provides more control, especially in troubleshooting, by providing an easy way to "turn on" or "turn off" the processing of a specific access policy (access-list entry) without deleting it.

The keyword inactive is applied at the end of an access-list entry to remove that entry from processing.

The command syntax for applying the keyword to an access-list entry is as follows:

access-list outside_access_in extended permit tcp any object-group mail-servers eq smtp inactive

There are no debug commands, output, logging outputs, caveats, or limitations specifically related to this keyword. Debug information comes from the access-list command features.
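As an added illustration of the two sections above (not Cisco code and not from this book): a small Python model of how an ACE's effective state is decided, by evaluating its named time-range against the appliance clock and by the inactive keyword, which disables the entry regardless of the time. The names parse_time_ranges, TimeRange and ace_active are hypothetical; the model assumes same-day periodic windows, absolute stamps written as "HH:MM day Month year", and that an absolute window bounds the periodic entries.

```python
# Added example (not Cisco code): models how the appliance decides whether an ACE is in
# effect, evaluating its time-range against the clock and honouring "inactive". Assumed
# simplifications: same-day periodic windows, absolute stamps as "HH:MM day Month year".
from datetime import datetime, time

DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAY_GROUPS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}


class TimeRange:
    def __init__(self):
        self.start = self.end = None  # absolute bounds; either may be absent
        self.periodic = []            # (weekday set, start time, end time) entries

    def add(self, line):
        t = line.split()
        if t[0] == "absolute":        # absolute [start HH:MM d Month yyyy] [end ...]
            for i in range(1, len(t), 5):
                assert t[i] in ("start", "end"), line
                setattr(self, t[i], datetime.strptime(" ".join(t[i + 1:i + 5]), "%H:%M %d %B %Y"))
        elif t[0] == "periodic":      # periodic <days ...> HH:MM to HH:MM
            to = t.index("to")        # day tokens may mix names with daily/weekdays/weekend
            days = set().union(*(DAY_GROUPS.get(d.lower()) or {DAY_NAMES.index(d.lower())}
                                 for d in t[1:to - 1]))
            hhmm = lambda s: time(*map(int, s.split(":")))
            self.periodic.append((days, hhmm(t[to - 1]), hhmm(t[to + 1])))

    def is_active(self, now):
        if (self.start and now < self.start) or (self.end and now > self.end):
            return False              # outside the absolute window
        # absolute-only range: active anywhere inside the window; else any periodic entry
        return not self.periodic or any(
            now.weekday() in d and s <= now.time() <= e for d, s, e in self.periodic)


def parse_time_ranges(config):    # time-range blocks of a config fragment -> {name: TimeRange}
    ranges, cur = {}, None
    for line in config.splitlines():
        t = line.split()
        if t and t[0] == "time-range":
            cur = ranges.setdefault(t[1], TimeRange())
        elif t and t[0] in ("absolute", "periodic") and cur is not None:
            cur.add(line)
    return ranges


def ace_active(ace, ranges, now):  # False is what show access-list labels "(inactive)"
    t = ace.split()
    if "inactive" in t:               # administratively disabled, whatever the clock says
        return False
    if "time-range" in t:
        return ranges[t[t.index("time-range") + 1]].is_active(now)
    return True
```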