
Wednesday, October 23, 2024

Configuring Time-Based ACLs in Cisco ASA Post-9.7: A Modern Approach

In Cisco Adaptive Security Appliance (ASA) versions prior to 9.7, implementing time-based Access Control Lists (ACLs) required the use of time range objects with specific commands to enforce periodic traffic access. While this method was effective, Cisco has introduced more streamlined approaches post-ASA 9.7 to simplify time-based access control configuration and ensure better traffic handling while maintaining security and flexibility.

In this blog, we'll explore how the implementation of time-based ACLs in Cisco ASA has evolved, focusing on the current best practices and methods introduced post-9.7, including improved syntax, enhanced features, and the considerations required for exempting certain devices (such as an admin workstation) from these policies.

### What’s New in ASA Post-9.7?

After ASA 9.7, Cisco introduced several enhancements that simplify and optimize ACL management, particularly with regard to time-based configurations. Key improvements include:

1. **Simplified Time-Based ACL Syntax**: The command structure has been streamlined to make configuration more intuitive.
2. **Enhanced Time Range Objects**: Time range objects now support better control, allowing easier management of periodic traffic access.
3. **FQDN Filtering**: The ability to use fully qualified domain names (FQDNs) in ACLs adds flexibility in defining source and destination addresses.
4. **Exempting Hosts (e.g., Admin Workstation)**: Granular rules can now easily exempt critical workstations or hosts from ACL policies without the need for complex workarounds.

### Steps to Configure Time-Based ACLs in ASA Post-9.7

Let’s walk through the process of configuring time-based ACLs using these modern methods.

#### 1. Define the Time Range Object

The first step in setting up a time-based ACL is to define the time range during which traffic will be allowed. In ASA post-9.7, this is done using the `time-range` command with enhanced flexibility for periodic schedules.

**Example: Creating a Time Range Object**

```
time-range WORK_HOURS
 periodic weekdays 08:00 to 18:00
```

In this example, we define a time range object named `WORK_HOURS` that allows traffic on weekdays from 8:00 AM to 6:00 PM. The range is evaluated against the ASA's own clock, so set the correct time zone (`clock timezone`) and an NTP source (`ntp server`) before relying on it.

#### 2. Create the Access List (ACL)

After defining the time range, the next step is to create an ACL that allows or denies traffic based on this time range.

**Example: Creating an ACL**

```
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.100 eq 80 time-range WORK_HOURS
```

This rule permits TCP traffic from any source to the host `192.168.1.100` (a web server) on port 80, but only during the `WORK_HOURS` time range defined earlier.

#### 3. Exempting the Admin Workstation

The requirement is that the admin workstation should not be restricted by this policy. To achieve this, we can simply add a rule at the beginning of the ACL that permits the admin workstation to bypass the time-based restriction.

**Example: Exempting an Admin Workstation**

```
access-list OUTSIDE_IN line 1 extended permit ip host 10.1.1.50 any
```

In this case, the IP address `10.1.1.50` represents the admin workstation. This rule ensures that all traffic from this specific IP is allowed unconditionally, regardless of the time range object applied to other hosts. Since ACLs are processed in sequential order, placing this rule first ensures that the admin workstation traffic is matched and permitted before the time-based rule is evaluated. Because `access-list` appends new entries to the end of the ACL by default, the `line 1` keyword is what places this entry ahead of the time-based rule added in step 2. Note that `permit ip ... any` exempts every protocol to every destination; if the workstation only needs a few services, narrow the entry to those protocols and hosts.

#### 4. Applying the ACL to an Interface

Once the ACL is defined, it must be applied to an interface for it to take effect. This is done using the `access-group` command.

**Example: Applying the ACL**

```
access-group OUTSIDE_IN in interface outside
```

This command applies the `OUTSIDE_IN` ACL to the external interface of the ASA, ensuring that the rules defined in the ACL are enforced on incoming traffic. Traffic that matches no entry is dropped by the implicit deny at the end of the ACL, so outside `WORK_HOURS` the web server is unreachable from the outside interface.

### Advanced Options for Time-Based ACLs

Post-ASA 9.7, Cisco also introduced several other advanced options that you can leverage for even greater control over time-based ACLs:

1. **Absolute Time Range**: Instead of periodic schedules, you can define a specific start and end time for traffic access. This is useful for temporary or one-off policies.

   ```
   time-range MAINTENANCE
    absolute start 08:00 10/25/2024 end 18:00 10/25/2024
   ```

2. **Combining Time Ranges**: You can use multiple time ranges to apply more granular controls. For example, you could define a set of time ranges for weekdays and another for weekends.

3. **FQDN ACLs**: Instead of relying solely on IP addresses, you can now use FQDNs for more dynamic filtering based on domain names, which can be tied to time-based ACLs. This requires the ASA to resolve names itself (a `dns server-group` plus `dns domain-lookup` on an interface) and a network object of type `fqdn` referenced from the ACL.
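To see how the ASA walks the finished `OUTSIDE_IN` list, here is an added Python model (not Cisco code and not from the original post) that parses the `time-range` and `access-list` lines from the steps above, honours the `line N` position, and applies first-match-wins with the implicit deny. It combines the four configuration steps with the `MAINTENANCE` absolute range from the advanced options; the maintenance-window `deny` entry, the client address 203.0.113.7 and the string timestamps are constructed for the illustration.

```python
from datetime import datetime
import re

PERIODIC_DAYS = {"weekdays": range(0, 5), "weekend": range(5, 7), "daily": range(0, 7)}
ACE = re.compile(r"access-list (\S+)(?: line (\d+))? extended (permit|deny) (\S+) "
                 r"(any|host \S+) (any|host \S+)(?: eq (\d+))?(?: time-range (\S+))?$")

def parse_config(text):
    """Parse the page's subset of ASA syntax into (time_ranges, acls)."""
    ranges, acls, current = {}, {}, None
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == "time-range":
            current = ranges.setdefault(tok[1], [])
        elif tok[0] == "periodic":      # periodic weekdays 08:00 to 18:00
            current.append(("periodic", PERIODIC_DAYS[tok[1]], tok[2], tok[4]))
        elif tok[0] == "absolute":      # absolute start HH:MM MM/DD/YYYY end HH:MM MM/DD/YYYY
            current.append(("absolute", datetime.strptime(f"{tok[2]} {tok[3]}", "%H:%M %m/%d/%Y"),
                            datetime.strptime(f"{tok[5]} {tok[6]}", "%H:%M %m/%d/%Y")))
        elif tok[0] == "access-list":
            name, pos, action, proto, src, dst, port, tr = ACE.match(line.strip()).groups()
            entries = acls.setdefault(name, [])
            # 'line N' inserts at that position; without it the ASA appends to the end
            entries.insert(int(pos) - 1 if pos else len(entries), dict(
                action=action, proto=proto, src=src.split()[-1], dst=dst.split()[-1], port=port, tr=tr))
    return ranges, acls

def time_range_active(spec, now):
    hhmm = now.strftime("%H:%M")        # active when any statement of the range matches
    return any((s[0] == "periodic" and now.weekday() in s[1] and s[2] <= hhmm <= s[3])
               or (s[0] == "absolute" and s[1] <= now <= s[2]) for s in spec)

def evaluate(config, acl, when, proto, src, dst, port=None):
    """First matching entry wins; an entry whose time-range is inactive is skipped."""
    ranges, acls = config
    now = datetime.fromisoformat(when)  # e.g. "2024-10-23 10:00" (ASA clock time)
    for ace in acls.get(acl, []):
        if (ace["proto"] in ("ip", proto) and ace["src"] in ("any", src)
                and ace["dst"] in ("any", dst) and ace["port"] in (None, str(port))
                and (not ace["tr"] or time_range_active(ranges[ace["tr"]], now))):
            return ace["action"]
    return "deny"                       # implicit deny at the end of every ASA ACL

# Constructed sample (not an ASA export): the page's rules plus a maintenance-window deny at line 2.
SAMPLE = """time-range WORK_HOURS
 periodic weekdays 08:00 to 18:00
time-range MAINTENANCE
 absolute start 08:00 10/25/2024 end 18:00 10/25/2024
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.100 eq 80 time-range WORK_HOURS
access-list OUTSIDE_IN line 1 extended permit ip host 10.1.1.50 any
access-list OUTSIDE_IN line 2 extended deny ip any any time-range MAINTENANCE"""
```

Evaluating the same flows with the exemption appended instead of inserted at `line 1` shows why the order matters: during the maintenance window the admin workstation is then caught by the `deny` entry.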

### Conclusion

With the release of ASA 9.7 and later, Cisco has made it significantly easier to implement and manage time-based ACLs. The improved syntax, enhanced time range objects, and additional features like FQDN filtering provide administrators with more powerful tools to fine-tune their security policies.

In addition, the ability to easily exempt critical hosts such as admin workstations ensures that while traffic control is enforced, essential operations remain uninterrupted. By utilizing these new features, you can ensure both security and flexibility within your network environment, allowing for controlled access without compromising key functionalities.

These updates provide a more efficient and intuitive way to manage ACLs, making it easier than ever to configure time-based access in a Cisco ASA environment.
