From: ccie2be (ccie2be@nyc.rr.com)
Date: Sun May 29 2005 - 16:00:06 GMT-3
Chad,
The way I read your configs, when the time range is active, incoming www
traffic is allowed. And only ICMP traffic is allowed at all times.
I think the problem is your testing is NOT legit.
I believe, but I'm not 100% sure, that when you telnet to port 80 you're still
telnetting, just using a non-standard dest port.
If you haven't changed the standard telnet port on the dest device to 80,
the dest will be very confused and won't know what to do.
I can think of a couple things you can do to better this config:
1. Enable http on the dest device and then use a browser to connect to it.
2. Change the port the dest device listens on for telnet to 80.
3. Instead of applying your time range to www, apply it to telnet traffic.
If that works as expected, then change it back to www.
HTH, Tim
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Chad Hintz
Sent: Sunday, May 29, 2005 2:31 PM
To: Chad Hintz; ccie lab
Subject: Re: Clarification on time range acl
Sorry, let me revise this. I am permitting www traffic during those hours, but
after it is applied I still cannot connect. Here are my configs:
R1
interface FastEthernet0/0
ip address 170.89.18.1 255.255.255.0
ip access-group 103 out
speed 100
full-duplex
end
access-list 103 permit tcp any any eq www time-range http
access-list 103 permit icmp any any
time-range http
periodic weekdays 8:00 to 18:00
R1#sh clock
13:29:19.126 EDT Mon May 30 2005
BB1's fa0/0
ip address 170.89.18.254 255.255.255.0
also ip telnet source-interface fa0/0
R2
int fa0/0
ip address 189.18.23.2 255.255.255.0
when applied in active state I cannot telnet on port 80 from bb1:
FRSW-BB2-BB1#telnet 189.18.23.2 80
Trying 189.18.23.2, 80 ...
% Connection timed out; remote host not responding
But I can ping with the additional line in the acl:
FRSW-BB2-BB1#ping 189.18.23.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 189.18.23.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
Chad
Chad Hintz <ccie_2b2004@yahoo.com> wrote:
Hi all,
My lab setup for this scenario is bb1-ethernet-r1-frame-r2-e0/0 (189.18.23.2).
I want to not allow http traffic outbound of r1 during the weekdays
between 8am and 6pm (from Cisco's example on the DocCD).
1.) I created a time-range no-http for 08:00 to 18:00
2.) Created an acl: access-list 103 deny tcp any any eq www time-range no-http
3.) Applied it outbound on r1's fa0/0: ip access-group 103 out
I see that it is active when I look at the sh ip access-list output, and I
cannot telnet on port 80 (sourced from the correct interface on bb1). When I
change the clock in r1 to be a weekend day, the state changes to inactive, but
I still cannot telnet on port 80.
So my question is do I have to have a permit for each deny after the time
range acl?
I put in a permit tcp any any eq www, and when the time-range acl is inactive I
still cannot telnet on port 80 to 189.18.23.2 from bb1. Only when I unapply
the acl am I allowed to telnet on port 80.
I guess I am confused about the whole concept, I thought that with it being
inactive I should be able to use http and any other protocol and during
active I would not be able to use http or any other protocol unless I
permitted it lower in the acl.
Thanks in advance,
Chad
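An added configuration example (editor's, not from anyone in the thread) covering both questions raised above: whether a time-range entry that goes inactive needs matching permits elsewhere in the list, and what the list applied with "ip access-group 103 out" on fa0/0 actually filters. Two facts about IOS ACLs drive it: an entry whose time-range is inactive is simply skipped, and every list still ends in an implicit deny, so outside the window HTTP is dropped by that implicit deny unless a separate permit covers it. Second, an outbound list on fa0/0 (the interface facing BB1) is evaluated on packets leaving R1 toward BB1, which for a BB1-to-R2 web session are R2's replies with source port 80, not the requests with destination port 80. The addresses are the thread's; the frame-relay interface name Serial0/0 and the list names are assumptions.

```cisco
! Added example; not the thread's config. Serial0/0 (R1's frame-relay
! interface toward R2) and the ACL names are assumed.
!
! Goal: block HTTP leaving R1 toward R2 on weekdays 08:00-18:00, allow it
! at other times, and allow ICMP always.
time-range no-http
 periodic weekdays 8:00 to 18:00
!
! Entry 10 is skipped while no-http is inactive; it is never turned into a
! permit. Without entry 20 the implicit "deny ip any any" at the end of the
! list would still drop HTTP outside the window, which is the behaviour
! described in the thread.
ip access-list extended OUT-TO-R2
 10 deny   tcp any any eq www time-range no-http
 20 permit tcp any any eq www
 30 permit icmp any any
 ! anything not listed is dropped by the implicit deny
!
! Apply the list where the HTTP requests actually travel: they enter R1 on
! fa0/0 from BB1 and leave toward R2 on the frame-relay interface.
interface Serial0/0
 ip access-group OUT-TO-R2 out
!
! Equivalent placement, inbound on the interface facing BB1:
! interface FastEthernet0/0
!  ip access-group OUT-TO-R2 in
!
! "ip access-group 103 out" on fa0/0 instead filters R1 -> BB1 traffic,
! i.e. R2's replies. Those carry SOURCE port 80, so
! "permit tcp any any eq www" never matches them and the SYN-ACK is
! dropped. If the list must stay outbound on fa0/0, match the reply
! direction:
ip access-list extended REPLIES-TO-BB1
 10 deny   tcp any eq www any time-range no-http
 20 permit tcp any eq www any established
 30 permit icmp any any
!
! Verification. The (active)/(inactive) tag shown beside the entry follows
! the router's clock, so the clock can be moved to test both states:
! R1# show time-range no-http
! R1# show ip access-lists OUT-TO-R2
! R1# clock set 13:00:00 28 May 2005    (a Saturday, entry becomes inactive)
!
! Test client: with "ip http server" enabled on R2, "telnet 189.18.23.2 80"
! from BB1 opens a plain TCP session to port 80. A filtered SYN or
! SYN-ACK shows as "Connection timed out"; a closed port is refused
! immediately, so the timeout in the thread points at the ACL, not at
! the test method.
```

The two lists are alternatives, not meant to be applied together; pick the one that matches the interface and direction the list is attached to, and check "show ip access-lists" for hit counts on the expected entry rather than only the active/inactive tag.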
This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:12:03 GMT-3