Sunday 18 April 2010

Time Based Access Control Lists

This is just a quick post showing how to configure time-based access control lists on a Cisco IOS router. The aim is to allow telnet access to the HP JetDirect in the Test network only between 18:00 and 23:59 each day, and to deny and log it at any other time.

So that this post makes sense, I should mention that I am using the network in the diagram below: the JetDirect lives in the Test network on 10.0.2.10, and Router1 statically NATs it to 10.0.1.243, which is the address the MacBook reaches it on.




Router1

Create a static NAT mapping for the JetDirect printer (inside local 10.0.2.10, inside global 10.0.1.243)

Router1(config)#ip nat inside source static 10.0.2.10 10.0.1.243


I then check from the MacBook that I can ping the JetDirect on its NAT address and telnet to it. Note that the JetDirect drops straight into its configuration menu with no password prompt, so the ACL is the only thing controlling who can reach it and when.

MacBook

MacBook:~ syn$ ping -c 2 10.0.1.243
PING 10.0.1.243 (10.0.1.243): 56 data bytes
64 bytes from 10.0.1.243: icmp_seq=0 ttl=59 time=9.490 ms
64 bytes from 10.0.1.243: icmp_seq=1 ttl=59 time=3.068 ms


MacBook:~ syn$ telnet 10.0.1.243
Trying 10.0.1.243...
Connected to 10.0.1.243.
Escape character is '^]'.

HP JetDirect

Please type "?" for HELP, or "/" for current settings
> exit
EXITING WITHOUT SAVING ANY ENTRIES
> Connection closed by foreign host.



Router1

Now I create the access list. The order of the entries matters: the first line permits telnet to the NAT address only while the EVENING time range is active, the second explicitly denies (and logs) telnet at all other times, and the final permit ip any any lets everything else through. Without that explicit deny, telnet outside the window would simply fall through to the final permit. Because the ACL will be applied inbound on the interface where the MacBook's traffic arrives, it is evaluated before NAT translates the destination, so it has to match the inside global address 10.0.1.243 rather than 10.0.2.10. IOS lets you reference the time range before it is defined.

Router1(config)#ip access-list extended TELNET_TO_JETDIRECT
Router1(config-ext-nacl)#permit tcp 10.0.1.0 0.0.0.255 10.0.1.243 0.0.0.0 eq 23 time-range EVENING log
Router1(config-ext-nacl)#deny tcp 10.0.1.0 0.0.0.255 10.0.1.243 0.0.0.0 eq 23 log
Router1(config-ext-nacl)#permit ip any any
Router1(config-ext-nacl)#exit

I create the time range the ACL refers to. A time range is only as good as the router's clock, so set the timezone and sync the router to NTP before relying on it.

Router1(config)#time-range EVENING
Router1(config-time-range)#periodic daily 18:00 to 23:59


I check the ACL. Note that the entries in this output reference host 10.0.2.10, the inside local address; the entries that actually match traffic, as the counters further down show, are against host 10.0.1.243, the address the router sees before NAT.

Router1#sh ip access-lists
Extended IP access list TELNET_TO_JETDIRECT
10 permit tcp 10.0.1.0 0.0.0.255 host 10.0.2.10 eq telnet log time-range EVENING (active)
20 deny tcp 10.0.1.0 0.0.0.255 host 10.0.2.10 eq telnet log
30 permit ip any any


I apply the ACL inbound on ethernet 1, the interface on which the MacBook's traffic arrives.

Router1(config)#interface ethernet 1
Router1(config-if)#ip access-group TELNET_TO_JETDIRECT in
Router1(config-if)#end


I check the ACL has been applied

Router1#sh ip interface ethernet 1 | include Inbound
Inbound access list is TELNET_TO_JETDIRECT


Recheck the ACL after telnetting to the JetDirect during the EVENING window. The permit line now shows the matches from that session and the deny line shows none; the log keyword on both lines also sends a syslog message for each match (rate-limited by IOS), so denied attempts outside the window will show up in show logging.

Router1#sh ip access-lists
Extended IP access list TELNET_TO_JETDIRECT
5 permit tcp 10.0.1.0 0.0.0.255 host 10.0.1.243 eq telnet log time-range EVENING (active) (9 matches)
20 deny tcp 10.0.1.0 0.0.0.255 host 10.0.1.243 eq telnet log
30 permit ip any any (60 matches)
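To make the ordering and NAT points concrete, here is an added example that is not part of the original post: a small Python model of how IOS walks this ACL (top-down, first match wins, implicit deny at the end) for the ACE syntax used above. It runs the working ACL, the same ACL written against the inside local address 10.0.2.10, and a version without the explicit deny against a constructed telnet packet from 10.0.1.5, inside and outside the EVENING window. The inclusive-to-the-minute reading of "to 23:59", the contiguous-wildcard handling and the source address are assumptions, and the model ignores everything IOS does beyond ACL matching.

```python
"""Model of how IOS evaluates the post's extended ACL with a time range.

Added example, not code from the post. Supports only the entry syntax the
post uses: action, protocol, source, destination, optional "eq <port>",
"time-range <name>" and "log".
"""
from datetime import datetime, time
from ipaddress import IPv4Address, IPv4Network

PORT_NAMES = {"telnet": 23}  # IOS displays "eq 23" as "eq telnet"

# Constructed: the time range exactly as defined on Router1.
TIME_RANGES = {"EVENING": [("daily", time(18, 0), time(23, 59))]}


def wildcard_to_network(addr, wildcard):
    """IOS address/wildcard pair (10.0.1.0 0.0.0.255) -> IPv4Network.
    Assumption: contiguous wildcards only, which is all the post uses."""
    wc = int(IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard not modelled: {wildcard}")
    return IPv4Network(f"{addr}/{32 - bin(wc).count('1')}", strict=False)


def parse_ace(line):
    """Parse one access-list entry as typed on the router or shown by IOS."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2

    def take_addr():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return IPv4Network("0.0.0.0/0")
        if tok[i] == "host":                      # "host 10.0.1.243" form
            net = IPv4Network(tok[i + 1] + "/32")
        else:                                     # "10.0.1.243 0.0.0.0" form
            net = wildcard_to_network(tok[i], tok[i + 1])
        i += 2
        return net

    ace = {"action": action, "proto": proto, "src": take_addr(),
           "dst": take_addr(), "dport": None, "time_range": None, "log": False}
    while i < len(tok):
        if tok[i] == "eq":
            ace["dport"] = int(PORT_NAMES.get(tok[i + 1], tok[i + 1]))
            i += 2
        elif tok[i] == "time-range":
            ace["time_range"] = tok[i + 1]
            i += 2
        elif tok[i] == "log":
            ace["log"] = True
            i += 1
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r}")
    return ace


def build_acl(lines):
    """Number the entries 10, 20, 30 ... as IOS does for a named ACL."""
    return [(10 * (n + 1), parse_ace(l)) for n, l in enumerate(lines)]


def time_range_active(name, now):
    """True when 'now' falls inside a periodic entry of the named time range.
    Assumption: 'to 23:59' covers the whole 23:59 minute."""
    minute = now.time().replace(second=0, microsecond=0)
    return any(kind == "daily" and start <= minute <= end
               for kind, start, end in TIME_RANGES[name])


def evaluate(acl, pkt, now):
    """(action, sequence) of the first matching entry; (deny, None) = implicit deny."""
    for seq, ace in acl:
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if pkt["src"] not in ace["src"] or pkt["dst"] not in ace["dst"]:
            continue
        if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
            continue
        if ace["time_range"] and not time_range_active(ace["time_range"], now):
            continue
        return ace["action"], seq
    return "deny", None


# The ACL as finally shown on Router1, matching the inside global address.
ACL_OK = build_acl([
    "permit tcp 10.0.1.0 0.0.0.255 10.0.1.243 0.0.0.0 eq 23 time-range EVENING log",
    "deny tcp 10.0.1.0 0.0.0.255 10.0.1.243 0.0.0.0 eq 23 log",
    "permit ip any any",
])
# Same ACL against the inside local address: the inbound ACL is checked before
# NAT rewrites the destination, so neither telnet line matches and the packet
# falls through to "permit ip any any" at any time of day.
ACL_PRE_NAT_MISTAKE = build_acl([
    "permit tcp 10.0.1.0 0.0.0.255 host 10.0.2.10 eq telnet log time-range EVENING",
    "deny tcp 10.0.1.0 0.0.0.255 host 10.0.2.10 eq telnet log",
    "permit ip any any",
])
# Explicit deny omitted: outside the window, the final permit allows telnet.
ACL_NO_DENY = build_acl([
    "permit tcp 10.0.1.0 0.0.0.255 10.0.1.243 0.0.0.0 eq 23 time-range EVENING log",
    "permit ip any any",
])

# Constructed packets as the inbound interface sees them, before NAT.
TELNET = {"proto": "tcp", "src": IPv4Address("10.0.1.5"),
          "dst": IPv4Address("10.0.1.243"), "dport": 23}
ICMP = {"proto": "icmp", "src": IPv4Address("10.0.1.5"),
        "dst": IPv4Address("10.0.1.243")}
IN_WINDOW = datetime(2010, 4, 18, 19, 0)
OUT_OF_WINDOW = datetime(2010, 4, 18, 17, 0)

if __name__ == "__main__":
    cases = [("working", ACL_OK), ("pre-NAT address", ACL_PRE_NAT_MISTAKE),
             ("no explicit deny", ACL_NO_DENY)]
    for label, acl in cases:
        for when in (IN_WINDOW, OUT_OF_WINDOW):
            print(f"{label:17} {when:%H:%M} telnet -> {evaluate(acl, TELNET, when)}")
    print("working           any   ping   ->", evaluate(ACL_OK, ICMP, OUT_OF_WINDOW))
```

Running it shows the working ACL permitting on line 10 at 19:00 and denying on line 20 at 17:00, while both mistaken ACLs permit telnet at 17:00 via the trailing permit ip any any, which is exactly the fail-open the explicit deny and the pre-NAT address guard against.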