Cisco Support Community

New Member

About Time Restriction Access List

Hello there,

Good Day,

I know that when I assign a security level of 0 on the outside interface, it means that I allow all types of traffic from inside to outside at any time without an ACL applied to the inside interface. However, I need to control certain users inside my local network to access specific destinations at specific times. Does it mean that I have to increase my security level to 50 on the outside interface in order to apply a time-range ACL on the inside interface?

I'll appreciate your fast response.

Regards,

Turbo

11 REPLIES
New Member

Re: About Time Restriction Access List

Even though the security level is 100, you can still apply ACLs to that interface.

New Member

Re: About Time Restriction Access List

Hello mgaysek,

Good Day,

Thank you for your valuable response regarding my issue. However, when I apply an ACL to the inside interface in the inbound direction, even if the sec level is 100, no traffic takes effect and there is no internet connectivity, and when I remove this ACL the traffic comes back.

Any suggestions?

Regards,

Turbo

Silver

Re: About Time Restriction Access List

This should work, but you need a nat/global combo for the internal users to get out. Here is an example:

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 250.250.250.1-250.250.250.254 netmask 255.255.255.0 (or whatever your public space is)
access-list inside_access permit ip any any
access-group inside_access in interface inside

New Member

Re: About Time Restriction Access List

Hello Walker,

I've already created a dynamic nat pool for the internal network, since there is internet traffic when I remove the ACL applied to the inside.

Any suggestions?

Regards,

Turbo

Re: About Time Restriction Access List

Hi,

Please provide the configuration that you have tried, for us to check.

-VJ

New Member

Re: About Time Restriction Access List

Hi Turbo,

Raising the security level to 50 shouldn't make a difference as the inside will still be a higher security level than the outside whether it is 0 or 50 (presuming of course that your inside is set to the default 100).

You should be able to set a time range on an ACL on the inside interface without a problem. Can you describe what it is you are looking to achieve and at what times, please? Also, what version of PIX are you running?

Thanks,

Ian

Re: About Time Restriction Access List

Hi,

Ian is right. Increasing the sec level will not make much difference.

Basically, you need to define a time-range name. Your PIX/ASA must be set to use the correct time/date. Then create an ACL permitting/denying access to the host/subnet with the time-range name. You can apply it for inbound and outbound ACLs.

For more info, check the following URLs on how to use time-range with ACLs:

http://www.cisco.com/en/US/products/ps6120/products_command_reference_chapter09186a00805fd7f7.html#wp1275493

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450bf0.html#wp1068726

Rgds,

AK

New Member

Re: About Time Restriction Access List

Hello Ian,

Since the sec level on the outside is 0, this means that all traffic from inside to outside is permitted. Also, this means that if I raise this number to a higher number, most traffic from inside to outside is not permitted. In that case, I can apply an ACL on the inside in order to allow certain traffic from inside to outside at specific times. Vice versa, the sec level 100 on the inside means that all traffic from outside to inside is denied... so creating an ACL on the outside is a must, and of course correct me if I am wrong... :)

I am using a Cisco PIX 525 and OS 7.0(1)...

My configuration is as follows:

pix(config)#time-range sales_dpt
pix(config-time-range)#absolute start 09:00 11 august 2006 end 17:00 11 september 2006
pix(config-time-range)#exit
pix(config)#access-list timed_sales permit tcp 192.168.3.0 255.255.255.0 any eq 80 time-range sales_dpt
pix(config)#access-group timed_sales in interface inside

Thanks...

Turbo

New Member

Re: About Time Restriction Access List

Hi Turbo,

With no ACLs in use the PIX will allow traffic to flow from one interface to another providing the source interface is of a higher security level than the destination.

You mentioned that you will need to create an ACL on the outside - you will only need to do this if you want to accept inbound connections that are initiated from the outside interface. This has always been the case for you if your outside security level is 0.

To create your ACLs with a time range, ensure that your PIX clock is set to the correct time, as that is the clock the ACLs use to action their time range against.

After that the commands you have shown above should create the ACL allowing http from 192.168.3.0/24 to any during the time and date stated in your post.

Are there any error messages showing when you attempt the connection?

Ian

New Member

Re: About Time Restriction Access List

Hello Ian,

Thanks a lot for your valuable response, as always. I discovered something I didn't know at all: when I create an ACL and apply it on the inside interface in the inbound direction, this ACL overrides the default sec level 100 and I need to allow at least www and dns.

For example, I created an ACL to allow telnet traffic and applied it on the inside. Guess what!! Of course the internet traffic drops because I didn't at least define www and dns entries in this ACL as well... :)

I think this case is resolved...

Thanks Ian.

Regards,

Turbo
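The behaviour Turbo ran into, modelled as an added example (not posted in the thread): a small evaluator for a PIX-style inbound ACL with a time range, showing that once an access-group binds an ACL the security-level implicit permit is gone, so DNS must be permitted alongside the timed HTTP entry. The ACE/packet representation and the 198.51.100.x destinations are constructed for the example.

```python
# Added example (not from the thread): how a PIX evaluates an inbound ACL with a
# time-range. Binding an ACL replaces the security-level implicit permit with the
# ACL's implicit deny, so DNS (udp/53) must be permitted beside the timed HTTP ACE.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Network, ip_address
from typing import Optional

@dataclass
class TimeRange:
    start: datetime
    end: datetime
    def active(self, now: datetime) -> bool:
        return self.start <= now <= self.end

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None
    time_range: Optional[TimeRange] = None
    def matches(self, pkt: dict, now: datetime) -> bool:
        if self.time_range and not self.time_range.active(now):
            return False  # an ACE whose time-range is inactive is skipped
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if ip_address(pkt["src"]) not in self.src or ip_address(pkt["dst"]) not in self.dst:
            return False
        return self.dport is None or self.dport == pkt.get("dport")

def evaluate(acl, pkt, now):
    """acl=None models no access-group on inside: inside(100)->outside(0) passes on
    security level alone. Otherwise the first matching ACE wins, else implicit deny."""
    if acl is None:
        return "permit"
    for ace in acl:
        if ace.matches(pkt, now):
            return ace.action
    return "deny"

ANY, SALES = IPv4Network("0.0.0.0/0"), IPv4Network("192.168.3.0/24")
SALES_HOURS = TimeRange(datetime(2006, 8, 11, 9), datetime(2006, 9, 11, 17))
TIMED_SALES = [Ace("permit", "tcp", SALES, ANY, 80, SALES_HOURS)]  # Turbo's ACL as posted
TIMED_SALES_FIXED = [Ace("permit", "udp", SALES, ANY, 53), *TIMED_SALES]  # plus untimed DNS
DNS = {"proto": "udp", "src": "192.168.3.10", "dst": "198.51.100.53", "dport": 53}  # constructed
HTTP = {"proto": "tcp", "src": "192.168.3.10", "dst": "198.51.100.80", "dport": 80}  # constructed
IN_HOURS, AFTER_HOURS = datetime(2006, 8, 15, 10), datetime(2006, 9, 20, 10)
```

With TIMED_SALES bound, DNS is denied even inside the sales window, which is why name resolution and browsing stopped; TIMED_SALES_FIXED permits DNS at all times and HTTP only within the time range.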

New Member

Re: About Time Restriction Access List

That's great news, take care.

Ian
