On the Cisco ASA firewall, the time-range option references a time-range object, which defines the days of the week and the time of day during which an Access Control Entry (ACE) is active. If no time range is attached to a standard ACE, the ACE is always active.
To demonstrate time-based access control, access to a Linux web server will be controlled according to the day of the week.
Configuration
Set the clock on the ASA. For more accurate time, use an NTP server.
clock set 17:00:00 21 July 2022
Define a time-range object for WEEKEND and WEEKDAY.
time-range WEEKENDS
 periodic weekend 12:00 to 23:59
time-range WEEKDAYS
 periodic weekdays 08:00 to 20:00
Create a host object to represent the Linux web server.
object network LINUX
 host 10.50.0.10
 nat (INSIDE,OUTSIDE_1) static 5.5.5.10
In the Access Control List (ACL), the time-range object is appended to the end of the ACE. In this example, one rule permits tcp/80 (www) only on weekends and a second rule permits tcp/22 (ssh) only during weekday working hours; all other traffic is denied and logged.
access-list OUTSIDE_IN extended permit tcp any object LINUX eq www time-range WEEKENDS
access-list OUTSIDE_IN extended permit tcp any object LINUX eq ssh time-range WEEKDAYS
access-list OUTSIDE_IN extended deny ip any any log
Verification
Before testing, confirm the clock on the ASA.
ASA(config)# show clock
17:51:01.999 UTC Thu Jul 21 2022
From a test computer on the outside of the ASA, we attempt to connect to the NAT IP address of the Linux web server on tcp port 80 (http). This connection is denied, because that traffic is only permitted on weekends. With logging enabled on the deny rule, we should see the denied traffic in the syslog.
%ASA-6-106100: access-list OUTSIDE_IN denied tcp OUTSIDE_1/1.1.1.1(58287) -> INSIDE/10.50.0.10(80) hit-cnt 1 first hit [0x2dc51227, 0x0]
Repeat the test but connect to the web server on tcp port 22 (ssh). This connection is permitted, because the time of testing falls within the weekday working hours defined in the WEEKDAYS time-range object.
Run the command show access-list <access-list name>. In the output below, note that when the current time is outside the configured time range, the ACE (line 5) is shown as inactive. This confirms why the tcp/80 traffic was blocked: with line 5 inactive, the traffic falls through to the deny rule (line 7). The SSH traffic on tcp/22 matches the intended rule (line 6), as its hit count shows.
ASA# show access-list OUTSIDE_IN
access-list OUTSIDE_IN; 7 elements; name hash: 0xe01d8199
access-list OUTSIDE_IN line 1 extended permit icmp any any echo (hitcnt=0) 0x869bdf05
access-list OUTSIDE_IN line 2 extended permit icmp any any echo-reply (hitcnt=0) 0xc857b49e
access-list OUTSIDE_IN line 3 extended permit icmp any any unreachable (hitcnt=0) 0xec6c9a23
access-list OUTSIDE_IN line 4 extended permit icmp any any time-exceeded (hitcnt=0) 0x00c3b80d
access-list OUTSIDE_IN line 5 extended permit tcp any object LINUX eq www time-range WEEKENDS (hitcnt=0) (inactive) 0xebc099c8
access-list OUTSIDE_IN line 5 extended permit tcp any host 10.50.0.10 eq www time-range WEEKENDS (hitcnt=0) (inactive) 0xebc099c8
access-list OUTSIDE_IN line 6 extended permit tcp any object LINUX eq ssh time-range WEEKDAYS (hitcnt=2) 0x53c23a33
access-list OUTSIDE_IN line 6 extended permit tcp any host 10.50.0.10 eq ssh time-range WEEKDAYS (hitcnt=2) 0x53c23a33
access-list OUTSIDE_IN line 7 extended deny ip any any log informational interval 300 (hitcnt=14) 0x2dc51227
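To make the verification above reproducible without a firewall, the following added Python example (not part of the original post, and not Cisco code) models the two periodic time-range objects and the OUTSIDE_IN ACL, then evaluates the same two test flows at the clock value shown in show clock. It assumes first-match evaluation on destination port only and ignores interfaces, sources and NAT.

```python
from datetime import datetime

# Periodic time-range objects as configured on the page; weekday() numbering
# is Monday=0 .. Sunday=6. Windows are inclusive, matching the ASA semantics.
TIME_RANGES = {
    "WEEKENDS": {"days": {5, 6}, "start": "12:00", "end": "23:59"},
    "WEEKDAYS": {"days": {0, 1, 2, 3, 4}, "start": "08:00", "end": "20:00"},
}

# OUTSIDE_IN reduced to (action, destination port, time-range name).
# port None = "ip any any"; time-range None = ACE is always active.
ACL = [
    ("permit", 80, "WEEKENDS"),   # line 5 in the show access-list output
    ("permit", 22, "WEEKDAYS"),   # line 6
    ("deny", None, None),         # line 7, deny ip any any log
]


def time_range_active(name, now):
    """True when 'now' falls inside the periodic window of the named object."""
    tr = TIME_RANGES[name]
    if now.weekday() not in tr["days"]:
        return False
    hhmm = now.strftime("%H:%M")          # zero-padded, so string order works
    return tr["start"] <= hhmm <= tr["end"]


def ace_states(now):
    """Mirror the '(inactive)' flag the ASA prints per time-range-bound ACE."""
    return {n: "active" if time_range_active(n, now) else "inactive"
            for n in TIME_RANGES}


def evaluate(dst_port, now):
    """First-match ACL lookup; an ACE whose time range is inactive is skipped."""
    for action, port, tr_name in ACL:
        if port is not None and port != dst_port:
            continue
        if tr_name is not None and not time_range_active(tr_name, now):
            continue                      # ACE is (inactive), cannot match
        return action
    return "deny"                         # implicit deny at the end of the ACL


if __name__ == "__main__":
    clock = datetime(2022, 7, 21, 17, 51)  # Thu Jul 21 2022 17:51, from show clock
    print(ace_states(clock))
    print("tcp/80:", evaluate(80, clock), " tcp/22:", evaluate(22, clock))
```

Changing the clock to a Saturday afternoon flips the result: tcp/80 is permitted and tcp/22 falls through to the deny rule, which is the behaviour the time ranges are meant to enforce.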