RE: Clarification on time range acl

From: Chad Hintz (ccie_2b2004@yahoo.com)
Date: Sun May 29 2005 - 16:41:49 GMT-3


Tim,
 
Thanks! I actually looked at the config on Cisco's website again and they are applying it inbound on the ethernet interface. I switched R1 to apply the acl inbound and added 2 more lines to it: access-list 103 deny tcp any any eq www and access-list 103 permit ip any any. And it seems to work fine. But just for clarification of my understanding: if I allow (permit) traffic I then have to deny it and allow the rest of the traffic through, then during active time it will be allowed through but not any other time, and I do not lose connection to anything else (routing updates and what not). If I deny in the time based acl I must then permit that traffic and everything else next in my acl, and during time of active that traffic will be denied and allowed any other time?
 
Thanks again,
 
Chad

ccie2be <ccie2be@nyc.rr.com> wrote:
Chad,

The way I read your configs, when the time range is active, incoming www
traffic is allowed. And, only ICMP traffic is allowed at all times.

I think the problem is your testing is NOT legit.

I believe, but I'm not 100% sure, when you telnet to port 80, you're still
telnetting but now using a non-standard dest port.

If you haven't changed the standard telnet port on the dest device to 80,
the dest will be very confused and won't know what to do.

I can think of a couple things you can do to better this config:

1. Enable http on the dest device and then use a browser to connect to it.

2. Change the telnet port the dest device listens on to 80.

3. Instead of applying your time range to www, apply it to telnet traffic.

If that works as expected, then change it back to www.

HTH, Tim
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Chad
Hintz
Sent: Sunday, May 29, 2005 2:31 PM
To: Chad Hintz; ccie lab
Subject: Re: Clarification on time range acl

Sorry, let me revise this. I am permitting www traffic during those hrs but
after it is applied I still cannot connect. Here are my configs:
R1
interface FastEthernet0/0
ip address 170.89.18.1 255.255.255.0
ip access-group 103 out
speed 100
full-duplex
end
access-list 103 permit tcp any any eq www time-range http
access-list 103 permit icmp any any
time-range http
periodic weekdays 8:00 to 18:00
R1#sh clock
13:29:19.126 EDT Mon May 30 2005

BB1's fa0/0
ip address 170.89.18.254 255.255.255.0
also ip telnet source-interface fa0/0

R2
int fa0/0
ip address 189.18.23.2 255.255.255.0

when applied in active state I cannot telnet on port 80 from bb1:
FRSW-BB2-BB1#telnet 189.18.23.2 80
Trying 189.18.23.2, 80 ...
% Connection timed out; remote host not responding
But I can ping with the additional line in the acl:

FRSW-BB2-BB1#ping 189.18.23.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 189.18.23.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

Chad

Chad Hintz wrote:
Hi all,

My lab setup for this scenario is bb1-ethernet-r1-frame-r2-e0/0(189.18.23.2).
If I want to not allow http traffic outbound of r1 during the weekdays
between 8am and 6pm (from Cisco's example on the DocCD):

1.) I created a time-range no-http for 08:00 to 18:00
2.) created an acl: access-list 103 deny tcp any any eq www time-range
no-http
3.) applied it outbound on r1's fa0/0: ip access-group 103 out

I see that it is active when I look at the sh ip access-list output and I
cannot telnet on port 80 (sourced from the correct interface on bb1). When I
change the clock in r1 to be a weekend day the state changes to inactive, but
I still cannot telnet on port 80.

So my question is do I have to have a permit for each deny after the time
range acl?

I put in a permit tcp any any eq www and when the time-range acl is inactive I
still cannot telnet on port 80 to 189.18.23.2 from bb1. Only when I unapply
the acl am I allowed to telnet on port 80.

I guess I am confused about the whole concept. I thought that with it being
inactive I should be able to use http and any other protocol, and during
active I would not be able to use http or any other protocol unless I
permitted it lower in the acl.

Thanks in advance,

Chad
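The behaviour the thread circles around is plain IOS ACL evaluation: top-down, first match wins, an ACE whose time-range is inactive is skipped as if it were not there, and every ACL ends in an implicit deny. The simulator below is an added illustration, not part of the thread or of any Cisco code; it transcribes the three ACL variants discussed above (first attempt, second attempt with permit icmp, and the final deny-then-permit-ip form) and evaluates them at the clock values Chad tested. The ACL list names and the test timestamps are constructed for the example.

```python
from datetime import datetime

# Each ACE is (action, protocol, destination port or None, time-range name or None).
# IOS evaluates ACEs top-down, first match wins, with an implicit "deny any"
# at the end; an ACE whose time-range is inactive is skipped entirely.

# time-range http / no-http in the thread: periodic weekdays 8:00 to 18:00
def weekdays_8_to_18(ts):
    return ts.weekday() < 5 and 8 <= ts.hour < 18

TIME_RANGES = {"http": weekdays_8_to_18, "no-http": weekdays_8_to_18}

def evaluate(acl, proto, dport, ts):
    """Return 'permit' or 'deny' for one packet against an ACL at time ts."""
    for action, ace_proto, ace_port, trange in acl:
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if ace_port is not None and ace_port != dport:
            continue
        if trange is not None and not TIME_RANGES[trange](ts):
            continue  # inactive time-range: the ACE is treated as absent
        return action
    return "deny"  # implicit deny at the end of every ACL

# First attempt: only a time-ranged deny, nothing permitted afterwards.
ACL_FIRST = [("deny", "tcp", 80, "no-http")]
# Second attempt: time-ranged permit for www plus permit icmp.
ACL_SECOND = [("permit", "tcp", 80, "http"), ("permit", "icmp", None, None)]
# Final form from the thread: time-ranged deny, then permit ip any any.
ACL_FINAL = [("deny", "tcp", 80, "no-http"), ("permit", "ip", None, None)]

ACTIVE = datetime(2005, 5, 30, 13, 29)    # Mon, inside 08:00-18:00 (sh clock above)
INACTIVE = datetime(2005, 5, 28, 13, 29)  # Sat, outside the periodic window

def table(acl):
    """Outcome for www, telnet and icmp at the active and inactive clock values."""
    return {
        "www_active": evaluate(acl, "tcp", 80, ACTIVE),
        "www_inactive": evaluate(acl, "tcp", 80, INACTIVE),
        "telnet_active": evaluate(acl, "tcp", 23, ACTIVE),
        "icmp_active": evaluate(acl, "icmp", None, ACTIVE),
    }

if __name__ == "__main__":
    for name, acl in (("first", ACL_FIRST), ("second", ACL_SECOND), ("final", ACL_FINAL)):
        print(name, table(acl))
```

Only the final form denies www during the window and permits everything, www included, outside it; the first form denies all traffic at all times because nothing follows the time-ranged deny, and the second form never permits www outside the window.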



This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:12:03 GMT-3