Time Based Access List

Unanswered Question
Jul 16th, 2008

Dear All

I have a leased line as primary and VSAT as backup link to a remote branch, with the LAN IP range 130.12.1.101. We have internet access to the remote user via proxy. I want to restrict a block of hosts to access the internet at particular times. These hosts should be able to access the internet every day between 8.00 am to 10.00 am in the morning and 18.00 to 20.00 hrs in the evening.

Kindly help me to configure this.

Regards

Umesh

Goutam Sanyal Wed, 07/16/2008 - 21:37

Hi Umesh,

Please do the following:-

login to router-> conf t->

#time-range [name_locally]

#periodic daily [start_time] to [end_time]

#periodic daily [start_time] to [end_time]

Access-list configuration

#ip access-list extended [name_of_access-list]

#permit tcp [your_required_network] [wildcard_mask] host [proxy_ip_address] time-range [name_locally]

Apply it to the required interface.

For PIX, do the following:

#time-range entry: [name_time_range] (active)

periodic daily 10:30 to 11:00

periodic daily 13:00 to 14:00

periodic daily 17:00 to 18:00

#access-list acl_in line 77 extended permit ip host [proxy_ip_address] any time-range [name_time_range]

Thanks

Goutam [pls rate if it works]

umeshgurav Wed, 07/23/2008 - 20:51

time-range internet

periodic weekdays 9:00 to 18:00

ip access-list extended strict

deny tcp any host 172.16.0.1 time-range internet

interface FastEthernet0/0

ip access-group strict in

Above is the router configuration, but the access list says inactive.

Please help

Goutam Sanyal Wed, 07/23/2008 - 22:05

Dear Umesh,

Please let me know whether you are using any NTP clock source. If yes, then please confirm that your router is properly connected to the NTP server / source. Otherwise it will not work properly.

If the router is using local time then it will be active as per the mentioned time, otherwise it will show inactive.

Also please try the following:

1. deny tcp any host 172.16.0.1 [port_number_for_your_proxy] time-range internet

2. int serial [interface number]

3. ip access-group strict out

[Your mail has been replied with the same]

Thanks

Goutam
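
The requirement from the first post, written out as one IOS configuration. This is an added example, not a configuration posted by anyone in the thread. Assumptions: the restricted hosts are the constructed block 130.12.1.96 0.0.0.7 (which contains 130.12.1.101), the proxy is 172.16.0.1 as in the configuration posted above, the proxy port is 8080, and FastEthernet0/0 is the LAN-facing interface.

```cisco
! Two daily windows in which the restricted hosts may reach the proxy
time-range INTERNET-HOURS
 periodic daily 8:00 to 10:00
 periodic daily 18:00 to 20:00
!
ip access-list extended BRANCH-INTERNET
 ! Matches only while the router clock is inside one of the windows;
 ! outside them the entry is skipped and listed as (inactive)
 permit tcp 130.12.1.96 0.0.0.7 host 172.16.0.1 eq 8080 time-range INTERNET-HOURS
 ! Outside the windows the same hosts fall through to this deny
 deny   tcp 130.12.1.96 0.0.0.7 host 172.16.0.1 eq 8080
 ! Without this line the implicit "deny ip any any" at the end of the
 ! list would drop all other traffic entering the interface
 permit ip any any
!
interface FastEthernet0/0
 ! Inbound on the LAN side, so traffic is filtered before it is routed
 ip access-group BRANCH-INTERNET in
!
end
!
! Verification from exec mode:
!   show clock                          router time and time zone
!   show ntp status                     only if NTP is configured
!   show time-range                     INTERNET-HOURS shows (active) or (inactive)
!   show ip access-lists BRANCH-INTERNET   per-entry state and hit counters
```

An (inactive) entry means the router's own clock is currently outside the configured windows, so compare `show clock` with the expected local time before changing the access list.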
