Re: Clarification on time range acl

From: Chad Hintz (ccie_2b2004@yahoo.com)
Date: Sun May 29 2005 - 15:31:21 GMT-3


Sorry, let me revise this: I am permitting www traffic during those hours, but after it is applied I still cannot connect. Here are my configs.
R1
interface FastEthernet0/0
 ip address 170.89.18.1 255.255.255.0
 ip access-group 103 out
 speed 100
 full-duplex
end
access-list 103 permit tcp any any eq www time-range http
access-list 103 permit icmp any any
time-range http
 periodic weekdays 8:00 to 18:00
R1#sh clock
13:29:19.126 EDT Mon May 30 2005
 
BB1's fa0/0
ip address 170.89.18.254 255.255.255.0
also ip telnet source-interface fa0/0
 
R2
int fa0/0
ip address 189.18.23.2 255.255.255.0
 
 
When applied in the active state I cannot telnet on port 80 from BB1:
FRSW-BB2-BB1#telnet 189.18.23.2 80
Trying 189.18.23.2, 80 ...
% Connection timed out; remote host not responding
But I can ping with the additional line in the acl:

FRSW-BB2-BB1#ping 189.18.23.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 189.18.23.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
 
 
Chad

Chad Hintz <ccie_2b2004@yahoo.com> wrote:
Hi all,

My lab setup for this scenario is bb1-ethernet-r1-frame-r2-e0/0(189.18.23.2). I want to not allow http traffic outbound of r1 during the weekdays between 8am and 6pm (from cisco's example on the doccd).

1.) I created a time-range no-http for 08:00 to 18:00
2.) created an acl - access-list 103 deny tcp any any eq www time-range no-http
3.) applied it outbound on r1's fa0/0 - ip access-group 103 out

I see that it is active when I look at the sh ip access-list output and I cannot telnet on port 80 (sourced from the correct interface on bb1). When I change the clock in r1 to be a weekend day the state changes to inactive, but I still cannot telnet on port 80.

So my question is do I have to have a permit for each deny after the time range acl?

I put a permit tcp any any eq www and when the time-range acl is inactive I still cannot telnet on port 80 to 189.18.23.2 from bb1. Only when I unapply the acl am I allowed to telnet on port 80.

I guess I am confused about the whole concept. I thought that with it being inactive I should be able to use http and any other protocol, and during active I would not be able to use http or any other protocol unless I permitted it lower in the acl.

Thanks in advance,

Chad
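The ACL behaviour in both mails, as an added Python model that is not part of the thread and not IOS code: an extended ACL is evaluated top-down, an entry whose time range is inactive is skipped, every ACL ends with an implicit deny, and `eq www` written after the destination tests the destination port. Because ACL 103 is applied outbound on fa0/0, the interface toward BB1, the only TCP packet of the port-80 telnet it ever sees is the SYN-ACK returning from R2, whose destination port is ephemeral; the ephemeral port 11001 below is constructed.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed model of the two versions of access-list 103 from this thread.
# The ACL is applied "out" on R1 fa0/0, the interface facing BB1, so it is
# evaluated against packets leaving R1 toward BB1: the return half of a
# BB1 -> R2 session, never the forward SYN.

@dataclass
class Packet:
    proto: str      # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0  # TCP source port
    dport: int = 0  # TCP destination port

def weekdays_8_to_18(now: datetime) -> bool:
    """'periodic weekdays 8:00 to 18:00' (end-minute handling simplified)."""
    return now.weekday() < 5 and 8 <= now.hour < 18

def acl_103_revised(pkt: Packet, now: datetime) -> str:
    """Follow-up mail: permit tcp any any eq www time-range http; permit icmp."""
    # 'eq www' after the destination 'any' tests the DESTINATION port only;
    # while the time range is inactive the entry is skipped entirely.
    if pkt.proto == "tcp" and pkt.dport == 80 and weekdays_8_to_18(now):
        return "permit"
    if pkt.proto == "icmp":
        return "permit"
    return "deny"  # implicit deny any at the end of every IOS ACL

def acl_103_original(pkt: Packet, now: datetime) -> str:
    """First mail: deny tcp any any eq www time-range no-http; permit www."""
    if pkt.proto == "tcp" and pkt.dport == 80 and weekdays_8_to_18(now):
        return "deny"
    if pkt.proto == "tcp" and pkt.dport == 80:
        return "permit"
    return "deny"  # implicit deny any

# Constructed packets for 'telnet 189.18.23.2 80' from BB1 (port 11001 is made up).
SYN = Packet("tcp", "170.89.18.254", "189.18.23.2", sport=11001, dport=80)
SYN_ACK = Packet("tcp", "189.18.23.2", "170.89.18.254", sport=80, dport=11001)
ECHO_REPLY = Packet("icmp", "189.18.23.2", "170.89.18.254")

POSTED_CLOCK = datetime(2005, 5, 30, 13, 29)  # Mon, from 'sh clock'; range active
WEEKEND = datetime(2005, 5, 28, 13, 29)       # Sat; range inactive

if __name__ == "__main__":
    for name, acl in (("revised", acl_103_revised), ("original", acl_103_original)):
        print(name, "SYN-ACK out fa0/0 (weekday/weekend):",
              acl(SYN_ACK, POSTED_CLOCK), "/", acl(SYN_ACK, WEEKEND))
        print(name, "forward SYN, if filtered on the R2-facing side:",
              acl(SYN, POSTED_CLOCK), "/", acl(SYN, WEEKEND))
    print("echo reply out fa0/0:", acl_103_revised(ECHO_REPLY, POSTED_CLOCK))
```

The return SYN-ACK is dropped by the implicit deny in both versions at any time of day, while the ping's echo reply matches `permit icmp any any`, which is the pattern reported in the follow-up.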



This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:12:03 GMT-3