This is a nice quick one, which I think I already know the answer to. How many time-range ACLs can be applied to the same access list, to the same host, in the same traffic direction? Example:
absolute start 12:00 15 December 2012 end 14:00 15 December 2012
absolute start 12:00 22 December 2012 end 14:00 22 December 2012
access-list MATCH-WEB-TRAFFFIC extended deny tcp host 192.168.10.10 any eq www time-range UPDATES_DECEMBER_15
access-list MATCH-WEB-TRAFFFIC extended deny tcp host 192.168.10.10 any eq www time-range UPDATES_DECEMBER_22
My feeling after many hours of testing is you can only have one?
Yeah, I was thinking that you could only have one time-range per ACL. Now my understanding of how a time-range group works is: the absolute command string means any time between the start and end time, activate the ACL. The periodic command string will match anything within this time frame, weekday or weekend, and activate the ACL that the time-range is configured with.
Now if I was to use the absolute along with the periodic command string within the same time-range group, the absolute must match first before the periodic would be referenced by the firewall. So maybe you can answer me this then: if I use the following time-range syntax:
absolute start 12:00 15 January 2012 end 14:00 22 December 2012
periodic wednesday 12:00 to 14:00
access-list MATCH-WEB-TRAFFFIC extended deny tcp host 192.168.10.10 any eq www time-range UPDATES
Would this mean that the time range for the ACL to be active would be every Wednesday between 12:00 to 14:00 from January 15th to December 22nd? Or does the absolute command override the periodic command and the ACL is active from 12:00 on January 15th to 14:00 on December 22nd?
Thanks for the help
Interesting kind of doubt!
Copying exactly from the "Time-Based Access Lists using time ranges", consider that:
If a time-range command has both absolute and periodic values specified, then the periodic items are evaluated only after the absolute start time is reached, and are not further evaluated after the absolute end time is reached.
I am then pretty sure that the periodic time range validity occurs inside the absolute time range validity, in a logical AND fashion. To be clear:
ABSOLUTE:   START ------------------------------------------------- END
PERIODIC:      |--------|    |---------|    |---------|    |---------|
RESULTS:       |--------|    |---------|    |---------|    |---------|
Do you agree?
Just a quick update. I have tested my question from above and have found out the following:
The absolute syntax does not override the periodic time. For my test I used the following commands:
absolute start 09:55 21 March 2012 end 10:30 21 March 2012
periodic Wednesday 10:00 to 10:10
access-list inside_in extended permit ip any any time-range TEST
So I tried to connect out to the internet at 09:56 with no success. I then tried to connect again to the internet at 10:01 with success. I once again tried to connect at 10:11 with no success. So this has shown me that the periodic time syntax is used once it falls between the times outlined in the absolute syntax.
So I think I might as well just use a time-range that will only use a periodic time. My need is to only allow my Windows update server to reach the internet on the day after new updates are released. It would be nice though if you could use multiple time-ranges within an ACL for the same host; it would make my life a lot easier.
Also, I have the FIREWALL study book and it did not say I could not have multiple time-ranges within the same ACL for the same host. It would be nice if it did; it would have saved me a couple of hours of pain.
Thanks for the input Fabio