Limiting access with time based ACLs
Suppose you have a remote site that connects back to corporate headquarters via a site-to-site VPN between two Cisco routers. To ensure the VPN is only established during operating hours, a time-based access list can be used.
Using the ‘time-range’ command allows you to set an absolute or a periodic time range. Absolute is very specific: it describes a single window bounded by a start time and date and an end time and date.
R1(config-time-range)#absolute ?
  end    ending time and date
  start  starting time and date
Periodic describes a recurring window instead: a start and end time on every day, on weekdays, on the weekend, or on specific days of the week.
R1(config-time-range)#periodic ?
  Friday     Friday
  Monday     Monday
  Saturday   Saturday
  Sunday     Sunday
  Thursday   Thursday
  Tuesday    Tuesday
  Wednesday  Wednesday
  daily      Every day of the week
  weekdays   Monday thru Friday
  weekend    Saturday and Sunday
Three parts are required for time-based access-lists.
- Create the time-range
- Create the access-list referencing the time-range
- Apply the access-list to the interface
1. Create the Time Range
R1(config)#time-range ALLOW-VPN-DURING-BUSINESS-HOURS
R1(config-time-range)#periodic weekdays 09:00 to 17:00
2. Create the access-list referencing the time-range
ip access-list extended VPN
 permit udp any any eq isakmp log time-range ALLOW-VPN-DURING-BUSINESS-HOURS
 permit esp any any log time-range ALLOW-VPN-DURING-BUSINESS-HOURS
 permit ahp any any log time-range ALLOW-VPN-DURING-BUSINESS-HOURS
 deny udp any any eq isakmp
 deny esp any any
 deny ahp any any
 permit ip any any log
3. Apply the access-list to the interface
R1(config)#interface fa0/0
R1(config-if)#ip access-group VPN in
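To make the three pieces above concrete, here is an added Python simulation of the evaluation the router performs; it is example code written for this article, not Cisco's code or output. It models a time-range (one optional absolute statement bounding any number of periodic statements), access-list entries that are skipped while their time-range is inactive, and first-match evaluation ending in the implicit deny, then runs the VPN access-list from the article against constructed packets at constructed dates. The DAY_GROUPS table, the class names, the packet dictionaries, the dates and the EXPIRED range are all assumptions of this example; so is treating the end minute of a periodic window as still active, and resolving `eq isakmp` to UDP/500.

```python
# Added example (constructed, not Cisco output): simulation of how an IOS time-range gates ACL entries.
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional

# Day keywords as IOS lists them under 'periodic ?' (Monday = 0 ... Sunday = 6)
DAY_GROUPS = {"monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
              "friday": {4}, "saturday": {5}, "sunday": {6},
              "daily": set(range(7)),          # Every day of the week
              "weekdays": {0, 1, 2, 3, 4},     # Monday thru Friday
              "weekend": {5, 6}}               # Saturday and Sunday

@dataclass
class Periodic:
    """'periodic <days> HH:MM to HH:MM'"""
    days: set
    start: time
    end: time

    def active(self, when: datetime) -> bool:
        if when.weekday() not in self.days:
            return False
        t = when.time().replace(second=0, microsecond=0)
        return self.start <= t <= self.end  # assumption: the end minute still counts as active

@dataclass
class Absolute:
    """'absolute [start <time> <date>] [end <time> <date>]'; either bound may be omitted"""
    start: Optional[datetime] = None
    end: Optional[datetime] = None

    def active(self, when: datetime) -> bool:
        return not ((self.start and when < self.start) or (self.end and when > self.end))

@dataclass
class TimeRange:
    name: str
    absolute: Optional[Absolute] = None            # at most one absolute statement
    periodics: list = field(default_factory=list)  # any number of periodic statements

    def active(self, when: datetime) -> bool:
        # The absolute statement bounds the range; periodic statements are OR'ed inside it.
        if self.absolute and not self.absolute.active(when):
            return False
        return not self.periodics or any(p.active(when) for p in self.periodics)

@dataclass
class Ace:
    """One entry; the article's ACL is 'any any' throughout, so addresses are not modelled."""
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "udp", "esp", "ahp" or "ip" (ip matches every protocol)
    dport: Optional[int] = None
    time_range: Optional[TimeRange] = None

    def matches(self, pkt: dict, when: datetime) -> bool:
        # While its time-range is inactive the entry is skipped as if it were not there.
        if self.time_range and not self.time_range.active(when):
            return False
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        return self.dport is None or pkt.get("dport") == self.dport

def evaluate(acl: list, pkt: dict, when: datetime):
    """First match wins; with no match the implicit deny at the end of the list applies."""
    for ace in acl:
        if ace.matches(pkt, when):
            return ace.action, ace.seq
    return "deny", None

# The article's configuration expressed with the classes above
BUSINESS_HOURS = TimeRange("ALLOW-VPN-DURING-BUSINESS-HOURS",
                           periodics=[Periodic(DAY_GROUPS["weekdays"], time(9, 0), time(17, 0))])
ISAKMP = 500  # 'eq isakmp' is UDP/500
VPN_ACL = [Ace(10, "permit", "udp", ISAKMP, BUSINESS_HOURS),
           Ace(20, "permit", "esp", None, BUSINESS_HOURS),
           Ace(30, "permit", "ahp", None, BUSINESS_HOURS),
           Ace(40, "deny", "udp", ISAKMP),
           Ace(50, "deny", "esp"),
           Ace(60, "deny", "ahp"),
           Ace(70, "permit", "ip")]

def demo() -> dict:
    """Constructed packets at constructed times; returns {label: (action, line)}."""
    tue_10 = datetime(2024, 6, 11, 10, 30)  # Tuesday, inside business hours
    tue_20 = datetime(2024, 6, 11, 20, 0)   # Tuesday evening
    sat_10 = datetime(2024, 6, 15, 10, 30)  # Saturday morning
    isakmp, https = {"proto": "udp", "dport": ISAKMP}, {"proto": "tcp", "dport": 443}
    # Same weekday window, but bounded by an absolute end date that has already passed
    expired = TimeRange("EXPIRED", Absolute(end=datetime(2024, 1, 1)), BUSINESS_HOURS.periodics)
    expired_acl = [Ace(10, "permit", "udp", ISAKMP, expired), Ace(40, "deny", "udp", ISAKMP)]
    return {"isakmp_in_hours": evaluate(VPN_ACL, isakmp, tue_10),
            "isakmp_after_hours": evaluate(VPN_ACL, isakmp, tue_20),
            "esp_weekend": evaluate(VPN_ACL, {"proto": "esp"}, sat_10),
            "https_after_hours": evaluate(VPN_ACL, https, tue_20),
            # the same list without line 70: other traffic falls to the implicit deny
            "https_no_final_permit": evaluate(VPN_ACL[:6], https, tue_10),
            "isakmp_expired_range": evaluate(expired_acl, isakmp, tue_10)}
```

Running `demo()` shows why lines 40 to 60 exist: outside the window the permit entries are simply skipped, and without the explicit denies the VPN traffic would fall through to `permit ip any any` and be allowed anyway. The `https_no_final_permit` case shows the opposite failure, where dropping line 70 silently blocks every non-VPN flow through the implicit deny.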
Be careful about the direction in which the access-list is applied, because of the order of operations below: if it were applied in the outbound direction, the traffic would hit the encryption stage prior to hitting the outbound access-list.
Here’s the order of operations for the inside-to-outside list:
(Source: https://www.techrepublic.com/article/understand-the-order-of-operations-for-cisco-ios/)
- If IPSec, then check input access list
- Decryption (for Cisco Encryption Technology (CET) or IPSec)
- Check input access list
- Check input rate limits
- Redirect to Web cache
- NAT inside to outside (local to global translation)
- Crypto (check map and mark for encryption)
- Check output access list
- Inspect context-based access control (CBAC)
To verify the configuration, check that the time range currently reports as active and that the access-list entries referencing it show the same state:
R1#show time-range
time-range entry: ALLOW-VPN-DURING-BUSINESS-HOURS (active)
   periodic weekdays 9:00 to 17:00
R1#show ip access-list
Extended IP access list VPN
10 permit udp any any eq isakmp log time-range ALLOW-VPN-DURING-BUSINESS-HOURS (active)
20 permit esp any any log time-range ALLOW-VPN-DURING-BUSINESS-HOURS (active)
30 permit ahp any any log time-range ALLOW-VPN-DURING-BUSINESS-HOURS (active)
40 deny udp any any eq isakmp
50 deny esp any any
60 deny ahp any any
70 permit ip any any log