From: Chad Hintz (ccie_2b2004@yahoo.com)
Date: Sun May 29 2005 - 15:07:03 GMT-3
Hi all,
My lab setup for this scenario is bb1-ethernet-r1-frame-r2-e0/0 (189.18.23.2). I want to not allow http traffic outbound of r1 during the weekdays between 8am and 6pm (from Cisco's example on the DocCD).
1.) I created a time-range no-http for 08:00 to 18:00
2.) Created an acl: access-list 103 deny tcp any any eq www time-range no-http
3.) Applied it outbound on r1's fa0/0: ip access-group 103 out
I see that it is active when I look at the sh ip access-list output and I cannot telnet on port 80 (sourced from the correct interface on bb1). When I change the clock in r1 to be a weekend day the state changes to inactive, but I still cannot telnet on port 80.
So my question is do I have to have a permit for each deny after the time range acl?
I put a permit tcp any any eq www and when the time-range acl is inactive I still cannot telnet on port 80 to 189.18.23.2 from bb1. Only when I unapply the acl am I allowed to telnet on port 80.
I guess I am confused about the whole concept. I thought that with it being inactive I should be able to use http and any other protocol, and during active I would not be able to use http or any other protocol unless I permitted it lower in the acl.
Thanks in advance,
Chad
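The ACL semantics the message asks about, modeled as an added Python example that is not part of the original post: first match wins, an entry whose time-range is inactive is simply skipped, and the list still ends in the implicit deny. The constants assume fa0/0 is the interface toward bb1, as in the lab diagram, so an outbound list on it sees the replies coming back from r2, whose source (not destination) port is 80.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional

@dataclass
class TimeRange:
    """Model of 'time-range no-http' with 'periodic weekdays 08:00 to 18:00'."""
    days: set                       # 0 = Monday ... 6 = Sunday
    start: time
    end: time
    def active(self, now: datetime) -> bool:
        return now.weekday() in self.days and self.start <= now.time() < self.end

@dataclass
class ACE:
    action: str                         # "permit" or "deny"
    proto: str                          # "tcp" or "ip"
    dport: Optional[int] = None         # 'eq <port>' on the destination; None = any
    time_range: Optional[TimeRange] = None

@dataclass
class Packet:
    proto: str
    sport: int
    dport: int

def evaluate(acl: List[ACE], pkt: Packet, now: datetime) -> str:
    """First match wins; an ACE whose time-range is inactive is skipped,
    and the list ends with the implicit 'deny ip any any'."""
    for ace in acl:
        if ace.time_range is not None and not ace.time_range.active(now):
            continue
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"   # implicit deny at the end of every IOS access list

NO_HTTP = TimeRange(days={0, 1, 2, 3, 4}, start=time(8, 0), end=time(18, 0))
# access-list 103 deny tcp any any eq www time-range no-http  (as in the post)
ACL_103 = [ACE("deny", "tcp", 80, NO_HTTP)]
# the poster's attempt: 'permit tcp any any eq www' below the timed deny
ACL_103_PERMIT_WWW = ACL_103 + [ACE("permit", "tcp", 80)]
# the usual pattern: an explicit 'permit ip any any' after the timed deny
ACL_103_PERMIT_ANY = ACL_103 + [ACE("permit", "ip")]
WEEKDAY_NOON = datetime(2005, 5, 30, 12, 0)   # Monday, time-range active
SATURDAY_NOON = datetime(2005, 5, 28, 12, 0)  # Saturday, time-range inactive
SYN = Packet("tcp", 40000, 80)       # bb1 -> 189.18.23.2, destination port 80 (constructed)
SYN_ACK = Packet("tcp", 80, 40000)   # reply from r2, source port 80: what 'out' on fa0/0 sees
```

With only the timed deny in the list, both dates end in the implicit deny; with the poster's permit for destination port 80, the reply from r2 still matches nothing and is dropped, while a trailing permit ip any any lets it through when the time-range is inactive.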
This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:12:03 GMT-3