Suppose you have a remote site which connects back to your corporate headquarters via a site to site VPN between two Cisco routers. To ensure the VPN is only established between operating hours, a time based access list can be used.

Using the ‘time-range’ command allows you to set a absolute or periodic time range. Absolute is very specific in that it only allows setting between two particular time periods.

R1(config-time-range)#absolute ?
  end    ending time and date
  start  starting time and date

Periodic allows a more defined list of time which includes weekdays and specific days of the week.

R1(config-time-range)#periodic ?
   Friday     Friday
   Monday     Monday
   Saturday   Saturday
   Sunday     Sunday
   Thursday   Thursday
   Tuesday    Tuesday
   Wednesday  Wednesday
   daily      Every day of the week
   weekdays   Monday thru Friday
   weekend    Saturday and Sunday

Three parts are required for time-based access-lists.

  1. Create the time-range
  2. Create the access-list referencing the time-range
  3. Apply the access-list to the interface

1. Create the Time Range

R1(config)#time-range ALLOW-VPN-DURING-BUSINESS-HOURS
R1(config-time-range)#periodic weekdays 09:00 to 17:00

2. Create the access-list referencing the time-range

ip access-list extended VPN
 permit udp any any eq isakmp log time-range ALLOW-VPN-DURING-BUSINESS-HOURS 
 permit esp any any log time-range ALLOW-VPN-DURING-BUSINESS-HOURS 
 permit ahp any any log time-range ALLOW-VPN-DURING-BUSINESS-HOURS 
 deny   udp any any eq isakmp
 deny   esp any any
 deny   ahp any any
 permit ip any any log

3. Apply the access-list to the interface

R1(config)#interface fa0/0
R1(config-if)#ip access-group VPN in

Be sure to be careful about the direction of the access-list due to the order of operation below; if applied in an in an outbound direction, the traffic would hit the encryption stage prior to hitting the outbound access-list.

Here’s the order of operations for the inside-to-outside list:

If IPSec, then check input access list
Decryption—for Cisco Encryption Technology (CET) or IPSec
Check input access list
Check input rate limits
Input accounting
Policy routing
Routing
Redirect to Web cache
NAT inside to outside (local to global translation)
Crypto (check map and mark for encryption)
Check output access list
Inspect context-based access control (CBAC)
TCP intercept
Encryption

https://www.techrepublic.com/article/understand-the-order-of-operations-for-cisco-ios/

Verification

R1#show time-range
time-range entry: ALLOW-VPN-DURING-BUSINESS-HOURS (active)
periodic weekdays 9:00 to 17:00

R1#show ip access-list
Extended IP access list VPN
10 permit udp any any eq isakmp log time-range ALLOW-VPN-DURING-BUSINESS-HOURS (active)
20 permit esp any any log time-range ALLOW-VPN-DURING-BUSINESS-HOURS (active)
30 permit ahp any any log time-range ALLOW-VPN-DURING-BUSINESS-HOURS (active)
40 deny udp any any eq isakmp
50 deny esp any any
60 deny ahp any any
70 permit ip any any log

About The Author

Timothy started his networking career in 2014, working for one of the largest telecommunication operators in Australia. He has a passion for networking and cyber security. When he's not working, he's obsessing over German Shepherd Dogs.