This is just a quick post to show how to configure time-based access control lists. My aim is to allow telnet access to the JetDirect in the Test network only between 18:00 and 23:59 each day.
So that this post makes sense, I should mention that I am using the network in the diagram below, and that I am NATing 10.0.1.243 to the host at 10.0.2.10 in the Test network.
Router1
First I create a static NAT mapping to the JetDirect printer.
Router1(config)#ip nat inside source static 10.0.2.10 10.0.1.243
I then check that I can ping the JetDirect and telnet to it.
MacBook
MacBook:~ syn$ ping -c 2 10.0.1.243
PING 10.0.1.243 (10.0.1.243): 56 data bytes
64 bytes from 10.0.1.243: icmp_seq=0 ttl=59 time=9.490 ms
64 bytes from 10.0.1.243: icmp_seq=1 ttl=59 time=3.068 ms
MacBook:~ syn$ telnet 10.0.1.243
Trying 10.0.1.243...
Connected to 10.0.1.243.
Escape character is '^]'.
HP JetDirect
Please type "?" for HELP, or "/" for current settings
> exit
EXITING WITHOUT SAVING ANY ENTRIES
> Connection closed by foreign host.
Router1
Now I create the access list.
Router1(config)#ip access-list extended TELNET_TO_JETDIRECT
Router1(config-ext-nacl)#permit tcp 10.0.1.0 0.0.0.255 10.0.1.243 0.0.0.0 eq 23 time-range EVENING log
Router1(config-ext-nacl)#deny tcp 10.0.1.0 0.0.0.255 10.0.1.243 0.0.0.0 eq 23 log
Router1(config-ext-nacl)#permit ip any any
Router1(config-ext-nacl)#exit
I create the time range referenced by the ACL.
Router1(config)#time-range EVENING
Router1(config-time-range)#periodic daily 18:00 to 23:59
I check the ACL.
Router1#sh ip access-lists
Extended IP access list TELNET_TO_JETDIRECT
10 permit tcp 10.0.1.0 0.0.0.255 host 10.0.2.10 eq telnet log time-range EVENING (active)
20 deny tcp 10.0.1.0 0.0.0.255 host 10.0.2.10 eq telnet log
30 permit ip any any
I apply the ACL inbound on an interface.
Router1(config)#interface ethernet 1
Router1(config-if)#ip access-group TELNET_TO_JETDIRECT in
Router1(config-if)#end
I check that the ACL has been applied.
Router1#sh ip interface ethernet 1 | include Inbound
Inbound access list is TELNET_TO_JETDIRECT
I recheck the ACL after telnetting to the JetDirect.
Router1#sh ip access-lists
Extended IP access list TELNET_TO_JETDIRECT
5 permit tcp 10.0.1.0 0.0.0.255 host 10.0.1.243 eq telnet log time-range EVENING (active) (9 matches)
20 deny tcp 10.0.1.0 0.0.0.255 host 10.0.1.243 eq telnet log
30 permit ip any any (60 matches)
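To reason about the policy without a router, here is an added Python model (not Cisco code and not part of the original post) that evaluates the ACL exactly as configured above against sample packets and clock times. The source addresses 10.0.1.50 and 10.0.3.7 are constructed, and the model assumes the time range includes both its start and its 23:59 end minute; it also shows a caveat visible in the ACL itself: the deny entry only covers sources in 10.0.1.0/24, so any other source falls through to permit ip any any at any hour.

```python
"""Offline model of the TELNET_TO_JETDIRECT ACL from the post (added example,
not Cisco code). It reproduces first-match ACE evaluation, Cisco wildcard
masks and a 'periodic daily' time range so the policy can be checked without
a router. Assumption: the time range includes both its start and end minute."""
from ipaddress import IPv4Address
from typing import Optional, Tuple

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care' (0.0.0.0 = host, 255.255.255.255 = any)."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)

def minutes(hhmm: str) -> int:
    """'HH:MM' as minutes since midnight."""
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

def time_range_active(clock: str, start: str, end: str) -> bool:
    """'periodic daily START to END' evaluated against the router clock (HH:MM)."""
    return minutes(start) <= minutes(clock) <= minutes(end)

# ACEs exactly as configured on the page:
# (seq, action, proto, src, src_wildcard, dst, dst_wildcard, dst_port, time_range)
ACL = [
    (10, "permit", "tcp", "10.0.1.0", "0.0.0.255", "10.0.1.243", "0.0.0.0", 23, ("18:00", "23:59")),
    (20, "deny", "tcp", "10.0.1.0", "0.0.0.255", "10.0.1.243", "0.0.0.0", 23, None),
    (30, "permit", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", None, None),
]

def evaluate(src: str, dst: str, proto: str, dport: Optional[int],
             clock: str) -> Tuple[Optional[int], str]:
    """First matching ACE wins; no match falls through to the implicit deny."""
    for seq, action, p, s, s_wc, d, d_wc, port, tr in ACL:
        if p != "ip" and p != proto:
            continue
        if not (wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc)):
            continue
        if port is not None and port != dport:
            continue
        if tr is not None and not time_range_active(clock, *tr):
            continue  # inactive time range: the ACE is skipped and evaluation moves on
        return seq, action
    return None, "deny"

if __name__ == "__main__":
    print(evaluate("10.0.1.50", "10.0.1.243", "tcp", 23, "19:30"))    # (10, 'permit')
    print(evaluate("10.0.1.50", "10.0.1.243", "tcp", 23, "09:30"))    # (20, 'deny')
    print(evaluate("10.0.1.50", "10.0.1.243", "icmp", None, "09:30"))  # (30, 'permit'): ping is unaffected
    # Caveat: a source outside 10.0.1.0/24 never reaches seq 20 and is permitted by seq 30 at any hour
    print(evaluate("10.0.3.7", "10.0.1.243", "tcp", 23, "09:30"))     # (30, 'permit')
```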