04-28-2008 12:18 PM - edited 03-05-2019 10:39 PM
I am having trouble with a CISCO1811 allowing https traffic. I think it might be an error in my access lists. Any suggestions would be much appreciated.
Here is the configuration of the ACL:
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.1.99
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 216.226.1.24 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any host 216.226.1.26 echo-reply
access-list 101 permit icmp any host 216.226.1.26 time-exceeded
access-list 101 permit icmp any host 216.226.1.26 unreachable
access-list 101 permit tcp any host 216.226.1.26 eq 443
access-list 101 permit tcp any host 216.226.1.26 eq 22
access-list 101 permit tcp any eq 59002 host 192.168.1.99 eq 59002
access-list 101 permit tcp any host 216.226.1.26 eq cmd
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
no cdp run
Thanks,
Sena
04-28-2008 12:37 PM
Sena
Which interfaces are the access-lists applied on, and in which direction?
Which access-list are you having problems with?
What is the source and destination IP that you are testing with https.
Jon
04-28-2008 12:38 PM
Sena
I am not clear from your description of the problem whether the problem is with HTTPS to the router or HTTPS through the router to somewhere else.
You have posted 2 standard access lists and 2 extended access lists but have provided no information about how these access lists are used.
Without more information there is no way that we can see what your problem is. Please clarify what the problem is and clarify how the access lists are being used.
HTH
Rick
04-29-2008 12:04 AM
Your access-lists are a mess.
I have no idea what you're trying to accomplish with what's showing now, but the first (non-remark) line of access-list 101 is probably your problem:
You deny all traffic originating from 192.168.1.0/24, which I assume is your local subnet.
04-29-2008 09:14 AM
Sena,
Assuming that access-list 101 is what is filtering inbound traffic on your outside interface, you are allowing HTTPS traffic with the line:
access-list 101 permit tcp any host 216.226.1.26 eq 443
If the above assumption is correct, remove this line and HTTPS traffic will no longer be allowed in.
HTH
Mitchell
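The two observations above (the first non-remark line of access-list 101 denying everything sourced from 192.168.1.0/24, and the permit line for TCP 443 to 216.226.1.26) both come down to IOS evaluating an ACL top-down and stopping at the first match. The following is an added example, not code from any poster in this thread: a small Python evaluator that parses the posted access-list 101 and reports which line a given packet hits. It assumes, as Mitchell does, that the list is applied inbound on the outside interface, and the test packets (the 203.0.113.5 client address and the port numbers) are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Access-list 101 exactly as posted in the thread; remark lines are skipped by the parser.
ACL_101_TEXT = """
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any host 216.226.1.26 echo-reply
access-list 101 permit icmp any host 216.226.1.26 time-exceeded
access-list 101 permit icmp any host 216.226.1.26 unreachable
access-list 101 permit tcp any host 216.226.1.26 eq 443
access-list 101 permit tcp any host 216.226.1.26 eq 22
access-list 101 permit tcp any eq 59002 host 192.168.1.99 eq 59002
access-list 101 permit tcp any host 216.226.1.26 eq cmd
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
"""

# IOS port keywords needed for the posted list (cmd = rsh, TCP 514) plus a couple of common ones.
PORT_NAMES = {"cmd": 514, "ssh": 22, "www": 80}


@dataclass
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""  # e.g. "echo-reply"


@dataclass
class Entry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    icmp_type: Optional[str]
    text: str


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # An IOS wildcard mask is the bitwise inverse of a netmask (contiguous masks only here).
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq <port>' qualifier."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_acl(text: str) -> List[Entry]:
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[2] == "remark":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        icmp_type = t[i] if proto == "icmp" and i < len(t) else None
        entries.append(Entry(action, proto, src, sport, dst, dport, icmp_type, line))
    return entries


def _matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in e.src or ipaddress.ip_address(p.dst) not in e.dst:
        return False
    if e.sport is not None and p.sport != e.sport:
        return False
    if e.dport is not None and p.dport != e.dport:
        return False
    if e.icmp_type is not None and p.icmp_type != e.icmp_type:
        return False
    return True


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, str]:
    """Top-down first match; anything that falls off the end hits the implicit deny."""
    for e in acl:
        if _matches(e, p):
            return e.action, e.text
    return "deny", "(implicit deny at end of list)"


ACL_101 = parse_acl(ACL_101_TEXT)

# Constructed sample packets; 203.0.113.5 is a documentation-range address standing in for an Internet client.
SAMPLE_PACKETS = {
    "https_from_internet": Packet("tcp", "203.0.113.5", "216.226.1.26", 51000, 443),
    "http_from_internet": Packet("tcp", "203.0.113.5", "216.226.1.26", 51001, 80),
    "https_from_lan_host": Packet("tcp", "192.168.1.50", "216.226.1.26", 51002, 443),
    "ping_reply_from_internet": Packet("icmp", "203.0.113.5", "216.226.1.26", icmp_type="echo-reply"),
    "private_source_to_443": Packet("tcp", "10.1.1.1", "216.226.1.26", 51003, 443),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        action, rule = evaluate(ACL_101, pkt)
        print(f"{name:26s} -> {action:6s} by: {rule}")
```

Running it shows the two points made above: a LAN-sourced packet never gets past the first deny, and an outside client reaching 216.226.1.26 on TCP 443 is permitted by the line Mitchell quotes. It also shows why ordering matters for the RFC 1918 deny lines further down: a packet from a 10.0.0.0/8 source to port 443 is permitted, because the 443 permit is matched first and the later deny is never reached; those bogon denies only apply to traffic no earlier permit already accepted.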