CISCO1811 HTTPS traffic problem

Unanswered Question
Apr 28th, 2008

I am having trouble with a CISCO1811 allowing https traffic. I think it might be an error in my access lists. Any suggestions would be much appreciated.

Here is the configuration of the ACL:

! Standard lists (match on source address only), as generated by SDM
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.1.99
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
! Extended list 100: drops packets whose source claims to be in
! 216.226.1.24/29 (the block containing 216.226.1.26), the limited
! broadcast address or loopback, then permits everything else
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 216.226.1.24 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
! Extended list 101: the first filtering line drops any packet sourced
! from 192.168.1.0/24; a few ICMP types and TCP services to 216.226.1.26
! are then permitted; RFC 1918, loopback, broadcast and 0.0.0.0 sources
! are dropped; everything else hits the logged deny at the end
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any host 216.226.1.26 echo-reply
access-list 101 permit icmp any host 216.226.1.26 time-exceeded
access-list 101 permit icmp any host 216.226.1.26 unreachable
access-list 101 permit tcp any host 216.226.1.26 eq 443
access-list 101 permit tcp any host 216.226.1.26 eq 22
access-list 101 permit tcp any eq 59002 host 192.168.1.99 eq 59002
access-list 101 permit tcp any host 216.226.1.26 eq cmd
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
no cdp run

Thanks,

Sena

Jon Marshall Mon, 04/28/2008 - 12:37

Sena

Which interfaces are the access-lists applied on, and in which direction?

Which access-list are you having problems with?

What are the source and destination IPs that you are testing HTTPS with?

Jon

Richard Burts Mon, 04/28/2008 - 12:38

Sena

I am not clear from your description of the problem whether the problem is with HTTPS to the router or HTTPS through the router to somewhere else.

You have posted 2 standard access lists and 2 extended access lists but have provided no information about how these access lists are used.

Without more information there is no way that we can see what your problem is. Please clarify what the problem is and clarify how the access lists are being used.

HTH

Rick

Frank Hoeben Tue, 04/29/2008 - 00:04

Your access-lists are a mess.

I have no idea what you're trying to accomplish with what's showing now, but the first (non-remark) line of access-list 101 is probably your problem:

You deny all traffic originating from 192.168.1.0/24, which I assume is your local subnet.

mitchell.smith Tue, 04/29/2008 - 09:14

Sena,

Assuming that access-list 101 is what is filtering inbound traffic on your outside interface, you are allowing HTTPS traffic with the line:

access-list 101 permit tcp any host 216.226.1.26 eq 443

If the above assumption is correct, remove this line and HTTPS traffic will no longer be allowed in.

HTH

Mitchell
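The following is an added worked example, not code from the thread or from Cisco. It is a small first-match evaluator for the numbered IOS access-list syntax used above, fed the filtering lines of access-list 101 exactly as posted, so that the two readings offered by Frank (the leading deny on 192.168.1.0/24) and Mitchell (the permit for TCP 443 to 216.226.1.26) can be traced packet by packet. Everything about the interfaces is an assumption: the trace assumes 101 is applied inbound on the outside interface, that 216.226.1.26 is that interface's address, that 192.168.1.0/24 is the inside LAN and that inside hosts are NATed behind 216.226.1.26. The packets, addresses from the 203.0.113.0/24 documentation range and port numbers are constructed for the example.

```python
import ipaddress

# Constructed for this example: the filtering lines of access-list 101 as
# posted in the thread.  Remark lines are left out because IOS never matches
# on them.
ACL_101_TEXT = """\
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any host 216.226.1.26 echo-reply
access-list 101 permit icmp any host 216.226.1.26 time-exceeded
access-list 101 permit icmp any host 216.226.1.26 unreachable
access-list 101 permit tcp any host 216.226.1.26 eq 443
access-list 101 permit tcp any host 216.226.1.26 eq 22
access-list 101 permit tcp any eq 59002 host 192.168.1.99 eq 59002
access-list 101 permit tcp any host 216.226.1.26 eq cmd
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
"""

# IOS keywords that appear in the posted list ("cmd" is rsh, TCP 514).
PORT_NAMES = {"cmd": 514, "ssh": 22, "www": 80}
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}


def _parse_addr(tokens):
    """Consume an IOS address spec and return (network_int, wildcard_int)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))


def _parse_port(tokens):
    """Consume an optional 'eq <port>' spec; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return None


def parse_acl(text):
    """Parse numbered extended ACL lines into ordered match entries."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src = _parse_addr(rest)
        sport = _parse_port(rest) if proto in ("tcp", "udp") else None
        dst = _parse_addr(rest)
        dport = _parse_port(rest) if proto in ("tcp", "udp") else None
        icmp_type = None
        if proto == "icmp" and rest and rest[0] != "log":
            icmp_type = ICMP_TYPES[rest.pop(0)]
        entries.append({"line": line.strip(), "action": action, "proto": proto,
                        "src": src, "sport": sport, "dst": dst, "dport": dport,
                        "icmp_type": icmp_type})
    return entries


def _addr_match(addr_str, spec):
    """IOS wildcard match: a 1 bit in the wildcard means 'do not care'."""
    net, wild = spec
    mask = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr_str)) & mask) == (net & mask)


def evaluate(entries, pkt):
    """First match wins; return (action, matching line) or the implicit deny."""
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if not _addr_match(pkt["src"], e["src"]) or not _addr_match(pkt["dst"], e["dst"]):
            continue
        if e["sport"] is not None and pkt.get("sport") != e["sport"]:
            continue
        if e["dport"] is not None and pkt.get("dport") != e["dport"]:
            continue
        if e["icmp_type"] is not None and pkt.get("icmp_type") != e["icmp_type"]:
            continue
        return e["action"], e["line"]
    return "deny", "implicit deny"


# Constructed packets, all assumed to arrive inbound on the outside interface.
PACKETS = {
    # A new HTTPS connection from the Internet to the router's own address.
    "https_to_router": {"proto": "tcp", "src": "203.0.113.10", "sport": 40001,
                        "dst": "216.226.1.26", "dport": 443},
    # The reply half of an HTTPS session an inside host opened through NAT:
    # the server answers from port 443 to the router's translated port.
    "https_reply_through_router": {"proto": "tcp", "src": "203.0.113.10", "sport": 443,
                                   "dst": "216.226.1.26", "dport": 51234},
    # Any packet that carries an inside source address.
    "inside_source": {"proto": "tcp", "src": "192.168.1.50", "sport": 51234,
                      "dst": "203.0.113.10", "dport": 443},
    "ping_reply": {"proto": "icmp", "src": "203.0.113.10", "dst": "216.226.1.26",
                   "icmp_type": 0},
}


def trace_all():
    """Evaluate every constructed packet against access-list 101."""
    entries = parse_acl(ACL_101_TEXT)
    return {name: evaluate(entries, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, (action, line) in trace_all().items():
        print(f"{name:28s} {action:6s} <- {line}")
```

Under those assumptions the trace shows why the two replies above are not really in conflict. The `eq 443` line only admits new sessions whose destination port is 443, i.e. HTTPS to the router itself, which is Mitchell's reading; the reply packets of an HTTPS session opened from the LAN carry 443 as the source port and fall all the way to `deny ip any any log`. Whether those replies get through in practice depends on something stateful, such as the `ip inspect` rule the SDM firewall wizard normally pairs with a list like this, adding dynamic entries ahead of the static ones; nothing in the posted excerpt shows whether that is present, and `show ip inspect sessions` and the logged denies would settle it. The leading `deny ip 192.168.1.0 0.0.0.255 any` is ordinary anti-spoofing if the list sits inbound on the outside interface, but as Frank notes it drops all LAN traffic if the list is on the inside interface instead.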
