Time Based Access List

umeshgurav
Level 1

Dear All

I have a leased line as primary and VSAT as backup link to a remote branch, with the LAN IP range 130.12.1.101. We have internet access to the remote user via proxy. I want to restrict a block of hosts to access the internet at particular times. These hosts should be able to access the internet every day between 8.00 am to 10.00 am in the morning and 18.00 to 20.00 hrs in the evening.

Kindly help me to configure this.

Regards

Umesh

3 Replies

Goutam Sanyal
Level 4

Hi Umesh,

Please do the following:-

login to router-> conf t->

#time-range [name_locally]

#periodic daily [start_time] to [end_time]

#periodic daily [start_time] to [end_time]

Access-list configuration

#ip access-list extended [name_of_access-list]

#permit tcp [your_required_network] [wildcard_mask] host [proxy_ip_address] time-range [name_locally]

Apply it to the required interface.

For PIX, do the following:

#time-range entry: [name_time_range] (active)

periodic daily 10:30 to 11:00

periodic daily 13:00 to 14:00

periodic daily 17:00 to 18:00

#access-list acl_in line 77 extended permit ip host [proxy_ip_address] any time-range [name_time_range]

Thanks

Goutam [pls rate if it works]

umeshgurav
Level 1

time-range internet

periodic weekdays 9:00 to 18:00

ip access-list extended strict

deny tcp any host 172.16.0.1 time-range internet

interface FastEthernet0/0

ip access-group strict in

The above is the router configuration, but the access list says inactive.

Please help

Dear Umesh,

Please let me know whether you are using any NTP clock source. If yes, then pls confirm that your router is properly connected to the NTP server / source. Otherwise it will not work properly.

If the router is using local time then it will be active as per the mentioned time, otherwise it will show inactive.

Also please try the following:

1. deny tcp any host 172.16.0.1 eq [port_number_for_your_proxy] time-range internet

2. int serial [interface number]

3. ip access-group strict out

[Your mail has been replied to with the same]

Thanks

Goutam
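
The schedule asked for in the original question, written out as a complete IOS configuration (an added example, not taken from any post in this thread). The host block 130.12.1.96/27, proxy port 8080, NTP address 192.0.2.1 and the object names are assumptions; 172.16.0.1 is the proxy address used in the thread. It also covers two points behind the "inactive" report: a time-range shows inactive whenever the router's clock is outside the periodic window, and an ACL that contains only deny entries ends in the implicit deny, so it drops all other traffic on the interface.

```cisco
! Added example. Assumed values: restricted host block 130.12.1.96/27,
! proxy port 8080, LAN interface FastEthernet0/0, object names.
!
! Give the router a correct clock first; a time-range is evaluated
! against the router's own clock.
!   Router# clock set 08:30:00 1 March 2024     (manual; constructed date)
!   Router(config)# ntp server 192.0.2.1        (placeholder NTP source)
!
time-range INTERNET-HOURS
 periodic daily 8:00 to 10:00
 periodic daily 18:00 to 20:00
!
ip access-list extended BRANCH-INTERNET
 remark Restricted hosts reach the proxy only while INTERNET-HOURS is active
 permit tcp 130.12.1.96 0.0.0.31 host 172.16.0.1 eq 8080 time-range INTERNET-HOURS
 remark Outside the window the entry above is skipped and this one matches
 deny tcp 130.12.1.96 0.0.0.31 host 172.16.0.1 eq 8080
 remark All other traffic passes; without this line the implicit deny drops it
 permit ip any any
!
interface FastEthernet0/0
 ip access-group BRANCH-INTERNET in
!
! Verification (exec mode):
!   show clock detail                  current time and its source
!   show time-range                    INTERNET-HOURS (active) or (inactive)
!   show access-lists BRANCH-INTERNET  per-entry state and match counters
```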
