HTTPS Routing to branch locations

Answered Question
Jul 19th, 2007

Hi all,

I have some sort of routing/filtering issue that I cannot figure out. Setup: Cisco 2811 w/12.4 at branch office, frame relay to main office 3845, then a 4507 switch that is doing all routing; internet requests are routed to a 3825 with a PIX 515, IPS and spyware appliance in front of it. Users at the branch office can access HTTP web sites fine; when they try to access an HTTPS web site they get a "page cannot be displayed" error. I have done as much tracing as I know how to and have figured out that the HTTPS traffic is not even getting to the spyware appliance, which is first in line to access the internet. Apparently something between the 2811 and the 4507 is blocking/dropping this traffic. I have verified that there are no ACLs on any of this equipment. Thanks for your assistance.

Correct Answer by Richard Burts about 9 years 4 months ago

Joseph

There are a couple of alternatives which may help you see traffic through the routers in the data path. The first one that I would mention is NetFlow. NetFlow is pretty easy to turn on and has very minimal impact on the running system. It should show traffic going through the router showing source and destination address and source and destination port (be aware that the port numbers are displayed in hex so you need to translate the port number that you are looking for - though for your purposes seeing source and destination address may be sufficient).

Another alternative to consider would be using an ACL. Your previous post indicates that there are no ACLs being used, so we would create a new ACL rather than modify an existing ACL. The objective is not to deny any traffic but just to show certain traffic going through the router. So create an ACL that does a permit for the traffic that you are interested in (perhaps permit any any with the https port) and perhaps the log option if you want to see it printed out. Then a permit any any so that all traffic passes through. Then assign the ACL to the interface. I would probably put it on the outbound interface so that you can see that the traffic is passing through. An example might look like this, assuming that the outbound interface of the router was Fastethernet1/0:

! log HTTPS flows only; the second line keeps all other traffic flowing unchanged
access-list 101 permit tcp any any eq 443 log
access-list 101 permit ip any any
!
interface fastethernet1/0
 ip access-group 101 out

Then do some test traffic and watch your syslog for output showing traffic going through for HTTPS.

You might also consider turning on ip accounting as a way to observe traffic through the router and look for HTTPS.

HTH

Rick
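Both of Rick's suggestions produce output that you end up reading by eye: the syslog lines from the `log` keyword on the ACL, and the `show ip cache flow` rows from NetFlow with their hex port numbers. The script below is an added example, not part of the original thread or of Cisco IOS: it parses a few constructed lines in both formats (the `%SEC-6-IPACCESSLOGP` syslog message and the `show ip cache flow` table layout), converts the NetFlow hex ports to decimal, and tallies how many HTTPS packets each source address actually pushed through the router. The addresses, ACL number and interface names in the sample data are made up for the example.

```python
import re
from collections import Counter

# Constructed sample syslog output, in the shape IOS uses for an ACL entry
# carrying the "log" keyword (the first packet is logged at once, later packets
# are summarised in 5-minute counts). Addresses are from documentation ranges.
SAMPLE_SYSLOG = """\
Jul 19 08:40:01.123: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.10.20.15(1053) -> 198.51.100.7(443), 1 packet
Jul 19 08:40:02.456: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.10.20.15(1054) -> 198.51.100.7(443), 1 packet
Jul 19 08:45:11.789: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.10.20.15(1053) -> 198.51.100.7(443), 12 packets
Jul 19 08:46:00.000: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.10.30.9(2201) -> 203.0.113.20(443), 1 packet
"""

ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?"
)


def parse_acl_log(text):
    """Return one dict per ACL log line; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = ACL_LOG_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("sport", "dport", "pkts"):
            d[key] = int(d[key])
        flows.append(d)
    return flows


def https_packets_by_source(flows, port=443):
    """Sum permitted TCP packets to the given destination port, per source address."""
    counts = Counter()
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == port and f["action"] == "permitted":
            counts[f["src"]] += f["pkts"]
    return dict(counts)


# Constructed sample of the "show ip cache flow" table: protocol and both ports are
# printed in hex (06 = TCP, 01BB = 443, 0050 = 80), which is the translation Rick warns about.
SAMPLE_CACHE_FLOW = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         10.10.20.15     Se0/0/0       198.51.100.7    06 041D 01BB     14
Fa0/0         10.10.20.15     Se0/0/0       198.51.100.7    06 0C02 0050      9
Fa0/0         10.10.30.9      Se0/0/0       203.0.113.20    06 0899 01BB      1
"""


def parse_cache_flow(text):
    """Parse the 8-column NetFlow cache rows, converting hex fields to integers."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "SrcIf":
            continue  # header or unrelated line
        src_if, src, dst_if, dst, proto, sport, dport, pkts = parts
        rows.append({
            "src_if": src_if, "src": src, "dst_if": dst_if, "dst": dst,
            "proto": int(proto, 16), "sport": int(sport, 16),
            "dport": int(dport, 16), "pkts": int(pkts),
        })
    return rows


def netflow_https_flows(rows, port=443):
    """Keep only TCP flows whose destination port is HTTPS."""
    return [r for r in rows if r["proto"] == 6 and r["dport"] == port]


if __name__ == "__main__":
    print("ACL log, HTTPS packets per source:", https_packets_by_source(parse_acl_log(SAMPLE_SYSLOG)))
    for r in netflow_https_flows(parse_cache_flow(SAMPLE_CACHE_FLOW)):
        print(f"NetFlow: {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} {r['pkts']} pkts")
```

If a branch source address shows up in the ACL log or the NetFlow cache on the 2811 but never on the 4507's uplink, the drop is between those two hops; if it never appears on the 2811's outbound interface at all, look upstream of it. Note that the `log` keyword on a busy ACL costs CPU, so remove it once the test is done.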

Richard Burts Thu, 07/19/2007 - 07:19

Joseph

When most applications do work and one application does not work, my first instinct is to look for an ACL somewhere. But you say that there is not one. So my next guess would be to look for the possibility of anything doing something like Policy Based Routing that treats some traffic differently.

I am not clear from your description of the Spyware appliance as first in line whether it is closer to the Internet than the PIX or closer to the branch office than the PIX. I am wondering if there is some translation or some inspect on the PIX for HTTP but not HTTPS.

My other question would be are you sure that the web site that they are going to supports HTTPS as well as HTTP.

HTH

Rick

jkjackson Thu, 07/19/2007 - 08:00

Thanks for your reply, Rick.

The web site is HTTPS only.

To explain the spyware appliance: it is a Barracuda Web Filter 310. It has two NICs that are bridged together. The unit is transparent to the network. The way our I-net traffic flows is as follows:

I-net requests go to the default gateway (4507); it then goes through the spyware appliance; if it makes it through all of the rules/ACLs there, then it goes to the PIX; if it makes it past the PIX it goes to the IPS; if it makes it through the IPS, it goes through the 3825; if it makes it through the ACLs on the 3825, you connect to the internet. The spyware appliance logs all connections that go through, blocked or unblocked. I see it logging all HTTP requests, but when I try to access HTTPS from the same client, there are no logs at all, as if it is not even getting that far. Is there some way I can see all traffic from a specific IP/MAC address on a switch/router to possibly see where the traffic is stopping?

jkjackson Fri, 07/20/2007 - 10:05

Rick,

Again, thanks for your help. After several attempts to get our firewall management company to look further into the issue, it turned out that they did not have routes/NATs in the firewall for the branch locations. After they modified the config it all started working, even though they told me it wasn't a firewall issue. I guess it just depends on who you talk to!

Richard Burts Sat, 07/21/2007 - 03:47

Joseph

I am glad that you got it worked out and the problem is fixed. Sometimes we need to keep investigating and asking people to re-evaluate what they have said or have found based on our new evidence.

Thank you for using the rating system to indicate that your problem was solved (and thanks for the rating). It makes the forum more useful when people can read about a problem and can know that they will be able to read the solution that solved the problem. I encourage you to continue your participation in the forum.

HTH

Rick
