Time-Based Access Lists Using Time Ranges

Arup Dutta
Level 1

Hi Expert,

I have one 2621 router. I want to create a time-based access list so that the users of one of my subnets (10.128.194.0 255.255.255.128) use the internet only between 11am and 2pm.

Please give me your expensive knowledge so I can configure it.

Regards,

Arup



mrdogantr
Level 1

The following example uses a time-range to deny HTTP traffic on Monday through Friday between the hours of 8:00 am and 6:00 pm:

time-range no-http
 periodic weekdays 8:00 to 18:00
!
access-list 101 deny tcp 10.128.194.0 0.0.0.127 any eq http time-range no-http
!
interface ethernet 0
 ip access-group 101 in

For more information:

http://www.cisco.com/en/US/docs/ios/12_0t/12_0t1/feature/guide/timerang.html

hth

Muammer

Hi,

Thank you for your quick reply, but I want to permit HTTP traffic between 11am and 1.30 pm for this particular subnet 10.128.194.0 0.0.0.127.

Please help me.

Arup

On Wed, Jan 5, 2011 at 5:33 PM, mrdogantr <

Hi,

Thank you for your quick reply, but I want to permit HTTP traffic between 11am and 1.30 pm for this particular subnet 10.128.194.0 0.0.0.127.

My router LAN IP is 10.128.195.253 0.0.0.3

I want to block HTTP for the VLAN network 10.128.194.0 0.0.0.127 (using a time-based access list).

Please help me.

Arup

On Wed, Jan 5, 2011 at 5:33 PM, mrdogantr <

Hi,

"but i want permit HTTP traffic"

"I want to block HTTP"

Permit or block??

And what about other traffic?

Regards.

Alain.

Don't forget to rate helpful posts.

Hi,

Hope you are doing well.

Actually I have 14 VLANs configured on a 3750E-12S and one Cisco 2621 router. I want all users of VLAN 7 (10.128.194.0 255.255.255.128) to access the internet between 11am and 1pm every day, but other VLAN users to access the internet all the time.

This is my requirement.

Please share your valuable knowledge.

Arup

On Thu, Jan 6, 2011 at 1:12 PM, cadetalain <

Hi,

I'm doing fine Thanks, hope you do too.

Are you doing NAT overload on the 2621?

Regards.

Alain.


Hi ,

I have overload on my router.

On Thu, Jan 6, 2011 at 2:37 PM, cadetalain <

Hi,

OK, so post your NAT config along with the corresponding ACL/route-map and I'll give you a modified config so this VLAN is not NATed when doing HTTP connections.

Regards.

Alain.


Hi,

Please find the attached file.

Regards,

Arup

On Thu, Jan 6, 2011 at 2:59 PM, cadetalain <

Hi,

Can you try this

time-range NO_INTERNET
 periodic daily 11:00 to 13:00
!
no access-list 7
!
! While NO_INTERNET is active the first ACE denies the subnet, so it does not match the route-map and is not translated
ip access-list extended NAT
 deny ip 10.128.194.0 0.0.0.127 any time-range NO_INTERNET
 permit ip host 10.128.193.79 any
 permit ip host 10.128.192.219 any
 permit ip host 10.128.192.238 any
 permit ip host 10.128.192.253 any
 permit ip host 10.128.192.244 any
 permit ip 10.128.193.192 0.0.0.63 any
 permit ip 10.128.192.0 0.0.0.127 any
 permit ip 10.128.194.0 0.0.0.127 any
 exit
!
route-map NAT
 match ip address NAT
 exit
!
! Replace the list-based NAT rule with the route-map version
no ip nat inside source list 7 interface GigabitEthernet0/0
ip nat inside source route-map NAT interface Gig0/0

Regards.

Alain.


Hi,

Thank you for your valuable advice; this application is working. But I am facing a problem: when I delete the time-range, my network is able to ping the internet (when the time-range does not match the internet access condition), and users can't access the internet during the scheduled time that I assigned in the time range.

Could you please tell me the steps, one after another, when I assign these:

1. time-range

2. Access-list

3. NAT

Arup

On Thu, Jan 6, 2011 at 4:15 PM, cadetalain <

Hi,

It was not so valuable as that. I just labbed with the config I gave you, and here are the results:

When the time-range is not matched, so you are outside of the hours, then the first ACE is not matched in the ACL and the only match is the implicit deny at the end.

But if you enter, just after the first ACE, permit ip any  then it works outside the time-range: it can go outside, and in the time-range it can't.

Regards.

Alain.


Hi Alain,

Thanks a lot for your support.

time-range NO_INTERNET
 periodic daily 00:00 to 10:58
 periodic daily 13:00 to 23:58

This time period is configured on my router according to my router time (router time is exact with IST). With periodic daily 00:00 to 10:58, after this time period I am able to access the internet after 15 to 17 minutes, when I should access the internet from 10.59 am.

Please tell me why this happens!

Regards,

Arup

On Fri, Jan 7, 2011 at 3:00 PM, cadetalain <
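
The first-match behaviour discussed in the posts above, as an added example that is not part of the original thread: a small Python model (not IOS code) of how the NAT ACL is walked when its first ACE carries a time-range, run for both sets of periodic entries posted in the thread. It assumes minute granularity and an inclusive end minute; the name NO_INTERNET_V2 and the host 10.128.194.10 are constructed for illustration.

```python
from datetime import time
from ipaddress import ip_address, ip_network

# Periodic entries from the thread. NO_INTERNET_V2 is a constructed name for
# the two entries posted later. Assumption: the end minute is inclusive.
TIME_RANGES = {
    "NO_INTERNET": [(time(11, 0), time(13, 0))],
    "NO_INTERNET_V2": [(time(0, 0), time(10, 58)), (time(13, 0), time(23, 58))],
}

def build_acl(tr_name):
    """ACL 'NAT' from the thread as (action, source network, time-range)."""
    vlan7 = ip_network("10.128.194.0/0.0.0.127")  # wildcard-mask form
    hosts = ["10.128.193.79", "10.128.192.219", "10.128.192.238",
             "10.128.192.253", "10.128.192.244"]
    acl = [("deny", vlan7, tr_name)]
    acl += [("permit", ip_network(h), None) for h in hosts]
    acl += [("permit", ip_network("10.128.193.192/0.0.0.63"), None),
            ("permit", ip_network("10.128.192.0/0.0.0.127"), None),
            ("permit", vlan7, None)]
    return acl

def active(tr_name, now):
    """A time-range is active when any periodic entry covers minute `now`."""
    return any(start <= now <= end for start, end in TIME_RANGES[tr_name])

def nat_decision(acl, src, now):
    """First-match walk; an ACE with an inactive time-range is skipped."""
    addr = ip_address(src)
    for action, net, tr in acl:
        if addr in net and (tr is None or active(tr, now)):
            return "translate" if action == "permit" else "no-nat"
    return "no-nat"  # implicit deny ends every ACL

def open_minutes(acl, src):
    """Minutes of the day ("HH:MM") at which src would be translated."""
    return [f"{h:02d}:{m:02d}" for h in range(24) for m in range(60)
            if nat_decision(acl, src, time(h, m)) == "translate"]

if __name__ == "__main__":
    host = "10.128.194.10"  # constructed VLAN 7 host
    for name in TIME_RANGES:
        mins = open_minutes(build_acl(name), host)
        print(f"{name}: {len(mins)} open minutes, {mins[0]} .. {mins[-1]}")
```

In this model the second pair of periodic entries leaves 23:59 outside both ranges, so the time-ranged deny is inactive for that minute as well as during the intended midday window.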

Could you clarify please, post config and tell problem.

You should maybe add the keyword log to the ACEs concerning your subnet and to an explicit deny at the end.

Clear your NAT and your ACL counters, then do some pings and post the logs along with sh ip nat trans.

Regards.

Alain.
