ACL with time-range not working

DON BROWN
Level 1

I want to block Internet access, specifically ports 80 and 443, for a specific IP address during specific hours.

I was also trying to test the ACL by adding additional deny statements - possibly this is causing the issue - I don't know.

Here are the relevant parts of the config:

interface Vlan1
 ip address 10.1.2.254 255.255.255.0
 ip access-group SchoolHours in
 ip nat inside
 ip virtual-reassembly in

ip access-list extended SchoolHours
 deny   tcp host 10.1.2.65 eq www any time-range schoolHours
 deny   tcp host 10.1.2.65 eq 443 any time-range schoolHours
 deny   tcp host 10.1.2.83 eq www any
 deny   tcp host 10.1.2.84 eq www any
 deny   tcp host 10.1.2.84 eq 443 any
 deny   tcp host 10.1.2.83 eq 443 any
 permit ip any any

time-range schoolHours
 periodic weekdays 8:00 to 15:30

My laptop has address 10.1.2.84, but I am still able to browse the internet.

Do I need to set up inspection of TCP traffic before this will work?

Any suggestion most welcomed

Thanks

1 Reply

You specified the ports 80 and 443 as source ports, but you have to specify them as destination ports to make them work. It's the server that uses (listens on) these ports:

ip access-list extended SchoolHours
deny tcp host 10.1.2.65 any eq www time-range schoolHours
deny tcp host 10.1.2.65 any eq 443 time-range schoolHours
deny tcp host 10.1.2.83 any eq www
deny tcp host 10.1.2.84 any eq www
deny tcp host 10.1.2.84 any eq 443
deny tcp host 10.1.2.83 any eq 443
permit ip any any

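To see why the reply's fix works, here is an added Python model of how the router walks this ACL (example code written for this page, not Cisco's implementation and not from the thread); it assumes first-match, top-down evaluation with the implicit deny at the end, and a constructed outbound HTTPS connection from the laptop using an ephemeral source port (51234) to a constructed web server address (203.0.113.10).

```python
from datetime import datetime, time
# Constructed ACL text from the thread: the question's ACEs put the ports on the
# source side, the reply's corrected ACEs put them on the destination side.
ORIGINAL_ACL = """deny tcp host 10.1.2.65 eq www any time-range schoolHours
deny tcp host 10.1.2.65 eq 443 any time-range schoolHours
deny tcp host 10.1.2.84 eq www any
deny tcp host 10.1.2.84 eq 443 any
permit ip any any"""
CORRECTED_ACL = """deny tcp host 10.1.2.65 any eq www time-range schoolHours
deny tcp host 10.1.2.65 any eq 443 time-range schoolHours
deny tcp host 10.1.2.84 any eq www
deny tcp host 10.1.2.84 any eq 443
permit ip any any"""
# "periodic weekdays 8:00 to 15:30" from the post: Monday-Friday, weekday() 0-4.
TIME_RANGES = {"schoolHours": (range(0, 5), time(8, 0), time(15, 30))}
PORT_NAMES = {"www": 80}
SCHOOL_TUESDAY = datetime(2024, 1, 16, 10, 0)  # constructed: a Tuesday, 10:00

def parse_ace(line):
    """Parse one extended ACE: action proto src [eq p] dst [eq p] [time-range n]."""
    tok = line.split()
    ace = {"action": tok[0], "proto": None if tok[1] == "ip" else tok[1], "time_range": None}
    i = 2
    for side in ("src", "dst"):
        ace[side] = None if tok[i] == "any" else tok[i + 1]  # None matches anything
        i += 1 if tok[i] == "any" else 2
        ace[side + "_port"] = None
        if i < len(tok) and tok[i] == "eq":
            ace[side + "_port"] = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            i += 2
    if i < len(tok) and tok[i] == "time-range":
        ace["time_range"] = tok[i + 1]
    return ace

def time_range_active(name, when):
    days, start, end = TIME_RANGES[name]
    return when.weekday() in days and start <= when.time() <= end

def evaluate(acl_text, proto, src, sport, dst, dport, when):
    """Action of the first matching ACE, top down; no match hits the implicit deny."""
    packet = {"proto": proto, "src": src, "src_port": sport, "dst": dst, "dst_port": dport}
    for ace in map(parse_ace, acl_text.splitlines()):
        if all(ace[k] in (None, v) for k, v in packet.items()) and (
                not ace["time_range"] or time_range_active(ace["time_range"], when)):
            return ace["action"]
    return "deny"

if __name__ == "__main__":  # the laptop opening HTTPS (ephemeral source port) at 10:00
    for name, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        print(name, evaluate(acl, "tcp", "10.1.2.84", 51234, "203.0.113.10", 443, SCHOOL_TUESDAY))
```

Run as written it reports "original permit" and "corrected deny": the original entries only match packets whose source port is 80 or 443, which a client's outbound connection never has, so they fall through to permit ip any any.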