Time bound Access-List

tauseef · ‎05-12-2003

Hi

I am looking for configuring time bound access on my Router so that the users from one of the branches do connect to the Central office during certail times , I have below the configuration that I thought would be perfectly fine , but it does not seem to be working as desired , could any one let me know the missing link .

Password:

otisauh#sh conf

Using 1647 out of 8065 bytes

!

version 12.0

no service pad

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

enable secret ****

!

clock timezone mideast 4

ip subnet-zero

!

no ip domain-lookup

isdn switch-type basic-net3

!

interface Ethernet0

description Connected to AUHLAN

ip address 131.20.1.200 255.255.0.0

ip access-group 100 in

no ip directed-broadcast

no keepalive

no cdp enable

!

interface BRI0

no ip address

no ip directed-broadcast

encapsulation ppp

dialer rotary-group 1

isdn switch-type basic-net3

no cdp enable

!

interface Dialer0

no ip address

no ip directed-broadcast

no cdp enable

!

interface Dialer1

ip address x.x.x.1 255.255.0.0

no ip directed-broadcast

encapsulation ppp

no ip split-horizon

dialer in-band

dialer map ip x.x.x.2 name 2610 123456

dialer hold-queue 10

dialer-group 1

no cdp enable

ppp authentication chap

!

no ip http server

ip classless

ip route 0.0.0.0 0.0.0.0 x.x.x.2

access-list 1 permit any

access-list 100 permit ip any host 131.40.1.253

access-list 100 permit ip any host 131.40.1.150

access-list 100 permit ip any host 131.40.1.100

access-list 100 permit ip any host 131.40.1.9

access-list 100 permit ip host 131.20.1.43 any

access-list 100 deny ip any any time-range usage

dialer-list 1 protocol ip list 100

no cdp run

!

line con 0

transport input none

stopbits 1

line vty 0 4

login

!

time-range usage

periodic daily 8:00 to 18:00

!

end

If there is any thing that is totally wrong in the Configuration for time bound access-lists please do let me know , like I said I just need to block access from my branch office to central office at certain time daily like 8.00 to 18.00

daily

Thanking you !

Tauseef

tauseef@cadgulf.com

jasyoung · ‎05-12-2003

I'm not fully sure what you're trying to accomplish, so I will give a couple examples.

Your access-list as written permits dialing if traffic is destined for one of the IP addresses 131.40.1.253, 150, 100 or 9, or if 131.20.1.43 is sending traffic. Right now your time-range access-list has absolutely no impact. You unconditionally permit your selected list of hosts to bring up the link at all times - the time-range entry is after everything. Also, it explicitly denies traffic between 8:00 to 18:00, and then you implicitly deny traffiic outside those hours as well, because you deny by default at the end of the access list.

If you are attempting to block ALL dialing attempts between the sites between 8:00 and 18:00 and THEN only allow selected hosts to bring up the link outside of those hours, use this:

access-list 100 deny ip any any time-range usage

access-list 100 permit ip any host 131.40.1.253

access-list 100 permit ip any host 131.40.1.150

access-list 100 permit ip any host 131.40.1.100

access-list 100 permit ip any host 131.40.1.9

access-list 100 permit ip host 131.20.1.43 any

If you are attempting to allow a few hosts to bring up the link anytime and then allow anything at all to bring up the link during "unblocked" hours, use this:

access-list 100 permit ip any host 131.40.1.253

access-list 100 permit ip any host 131.40.1.150

access-list 100 permit ip any host 131.40.1.100

access-list 100 permit ip any host 131.40.1.9

access-list 100 permit ip host 131.20.1.43 any

access-list 100 deny ip any any time-range usage

access-list 100 permit ip any any

Let me know if I did not cover a case you need.