ACL with time-range not working

08-27-2016 08:03 PM - edited 03-08-2019 07:10 AM
I want to block Internet access specifically ports 80 and 443 for a specific IP address during specific hours.
I was also trying to test the ACL by adding additional deny statements - possibly this is causing the issue - don't know.
Here are the relevant parts of the config:
interface Vlan1
 ip address 10.1.2.254 255.255.255.0
 ip access-group SchoolHours in
 ip nat inside
 ip virtual-reassembly in
ip access-list extended SchoolHours
 deny tcp host 10.1.2.65 eq www any time-range schoolHours
 deny tcp host 10.1.2.65 eq 443 any time-range schoolHours
 deny tcp host 10.1.2.83 eq www any
 deny tcp host 10.1.2.84 eq www any
 deny tcp host 10.1.2.84 eq 443 any
 deny tcp host 10.1.2.83 eq 443 any
 permit ip any any
time-range schoolHours
 periodic weekdays 8:00 to 15:30
My laptop has address 10.1.2.84, but I am still able to browse the Internet.
Do I need to set up inspection of TCP traffic before this will work?
Any suggestion most welcomed.
Thanks
Labels: Other Switching
08-27-2016 11:41 PM
You specified the ports 80 and 443 as source ports, but you have to specify them as destination ports to make them work. It's the server that uses (listens on) these ports:
ip access-list extended SchoolHours
 deny tcp host 10.1.2.65 any eq www time-range schoolHours
 deny tcp host 10.1.2.65 any eq 443 time-range schoolHours
 deny tcp host 10.1.2.83 any eq www
 deny tcp host 10.1.2.84 any eq www
 deny tcp host 10.1.2.84 any eq 443
 deny tcp host 10.1.2.83 any eq 443
 permit ip any any
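To see why the source-port version never matches, here is an added example (not from the thread or from Cisco) that models first-match ACL evaluation with the time-range and runs both ACLs against a constructed client connection: an ephemeral source port going to destination port 443. The 10.1.2.83 entries are omitted for brevity, and the remote address 203.0.113.10 is a placeholder.

```python
from datetime import datetime, time

# Constructed model of Cisco extended-ACL matching for the entries in this thread.
# Entry: (action, src, sport, dst, dport, time_range); "any" matches everything,
# a port of None means no port qualifier. Packet: dict with src, sport, dst, dport.
WEEKDAYS = {0, 1, 2, 3, 4}  # Monday..Friday, as in "periodic weekdays"
TIME_RANGES = {"schoolHours": (WEEKDAYS, time(8, 0), time(15, 30))}

def time_range_active(name, when):
    """True if the named time-range is active at datetime `when` (None = always)."""
    if name is None:
        return True
    days, start, end = TIME_RANGES[name]
    return when.weekday() in days and start <= when.time() <= end

def entry_matches(entry, pkt, when):
    _action, src, sport, dst, dport, trange = entry
    return (src in ("any", pkt["src"]) and dst in ("any", pkt["dst"])
            and sport in (None, pkt["sport"]) and dport in (None, pkt["dport"])
            and time_range_active(trange, when))

def evaluate(acl, pkt, when):
    """First matching entry wins; no match falls through to the implicit deny."""
    for entry in acl:
        if entry_matches(entry, pkt, when):
            return entry[0]
    return "deny"

# The poster's ACL: 80/443 written as *source* ports (the bug in the question).
ORIGINAL = [
    ("deny", "10.1.2.65", 80, "any", None, "schoolHours"),
    ("deny", "10.1.2.65", 443, "any", None, "schoolHours"),
    ("deny", "10.1.2.84", 80, "any", None, None),
    ("deny", "10.1.2.84", 443, "any", None, None),
    ("permit", "any", None, "any", None, None),
]
# The answer's ACL: 80/443 as *destination* ports.
CORRECTED = [
    ("deny", "10.1.2.65", None, "any", 80, "schoolHours"),
    ("deny", "10.1.2.65", None, "any", 443, "schoolHours"),
    ("deny", "10.1.2.84", None, "any", 80, None),
    ("deny", "10.1.2.84", None, "any", 443, None),
    ("permit", "any", None, "any", None, None),
]

def browse(src, dport=443):
    """Client SYN: ephemeral source port, well-known destination port (constructed)."""
    return {"src": src, "sport": 51234, "dst": "203.0.113.10", "dport": dport}
```

Because a browser never sends from port 80 or 443, every deny in ORIGINAL is skipped and the laptop hits `permit ip any any`; CORRECTED denies 10.1.2.84 at any time and 10.1.2.65 only while schoolHours is active.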
