ob123
Beginner

Time Based ACL - Not working as planned (opposite behaviour) (ASA5515)

Hello All

 

Struggling with this one, hence looking for some help. I'm looking to allow Internet access to my Teens VLAN32 during an active time range which I have set up. However, the ACL seems to work in the opposite way. It shuts down Internet during the time range and allows Internet outside the active time range. (I hope that's kinda making sense.) This is clearly my misunderstanding of time ranges and/or how to apply them correctly.

 

Here's the config 

 

ASA Version 9.1(2)

time-range TestVLAN32
 periodic daily 6:00 to 22:30
!
object network VLAN32
 subnet 192.168.32.0 255.255.255.0
 description VLAN 32 Teens

access-list outside_access_in extended permit icmp any any
access-list inside_1_access_in extended deny ip object VLAN32 any time-range TestVLAN32
access-list inside_1_access_in remark Inside access in allow Domain services to vaild DNS servers
access-list inside_1_access_in extended permit object-group TCPUDP any object-group DNS-Servers eq domain
access-list inside_1_access_in extended deny object-group TCPUDP any any eq domain
access-list inside_1_access_in extended permit ip any any

 

Many thanks Jason 

 

Accepted Solutions
ob123
Beginner

Sorted... I needed a second ACL to deny all.

So traffic is allowed during the active time range... (for VLAN20) and deny any... I guess the packets are checked and if they meet the 1st line it stops and allows the traffic (permit). If the packet fails to meet the 1st line, i.e. it's outside the active time frame, the second line denies it as it's outside the active time.

 

access-list inside_1_access_in extended permit tcp object VLAN20 any time-range Teens 
access-list inside_1_access_in extended deny tcp object VLAN20 any 
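
The first-match behaviour discussed in this thread, as an added example that is not part of the original posts: a small Python model showing why the posted `deny ... time-range` entry blocks VLAN32 inside 6:00 to 22:30 and why a timed permit followed by an untimed deny gives the intended schedule. The rule tuples and function names are hypothetical, the DNS entries are omitted, and the corrected list applies the accepted pattern to the posted VLAN32 subnet with `ip` rather than `tcp` on VLAN20.

```python
from datetime import time
from ipaddress import ip_address, ip_network

VLAN32 = ip_network("192.168.32.0/24")  # subnet from the posted config
DAILY = (time(6, 0), time(22, 30))      # periodic daily 6:00 to 22:30

# Hypothetical rule model: (action, source network or None for "any", time-range or None).
AS_POSTED = [
    ("deny", VLAN32, DAILY),    # deny ip object VLAN32 any time-range TestVLAN32
    ("permit", None, None),     # permit ip any any
]
CORRECTED = [
    ("permit", VLAN32, DAILY),  # timed permit first ...
    ("deny", VLAN32, None),     # ... then an untimed deny for the same source
    ("permit", None, None),     # permit ip any any for everyone else
]

def in_range(rng, now):
    """True when `now` is inside the range (minute granularity, simplified boundaries)."""
    start, end = rng
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end  # range that wraps past midnight

def evaluate(acl, src, now):
    """Return the action of the first active entry that matches the source address."""
    addr = ip_address(src)
    for action, net, rng in acl:
        if rng is not None and not in_range(rng, now):
            continue  # entry is inactive outside its time-range, so it is skipped
        if net is None or addr in net:
            return action
    return "deny"  # implicit deny at the end of every ACL

def hourly(acl, src):
    """Map each hour of the day to the action applied at the top of that hour."""
    return {h: evaluate(acl, src, time(h, 0)) for h in range(24)}

if __name__ == "__main__":
    teen = "192.168.32.10"  # constructed sample host in VLAN32
    for name, acl in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        allowed = [h for h, a in hourly(acl, teen).items() if a == "permit"]
        print(f"{name}: permitted at hours {allowed}")
```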

 
