
blocking https traffic... help

Hello all,

Some of the higher ups are wanting to block some secure webmail traffic and were asking if Cisco had this option.

The only way I can think of is QoS Policy Based Routing... ? Is this correct?

And if so, what would be a basic setup for this scenario? Like if I wanted to block 443 traffic from a specific subnet range?

Also, anyone know of a link that gives me the rundown on how to setup Policy Based Routing? Like what each step is for...

I've seen a couple threads about this, but the whole setup was kind of obscure to me...

Thanks in advance

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Re: blocking https traffic... help

Hello Scott,

I am thinking, is it not possible in your scenario to simply block TCP port 443 (HTTPS) from accessing the subnet by using an extended access list?

Let's say you want to block HTTPS traffic from subnet 192.168.1.0/24; you could configure an access list as follows:

! HTTPS (TCP/443) destined to hosts in 192.168.1.0/24
access-list 101 deny tcp any 192.168.1.0 0.0.0.255 eq 443
! HTTPS (TCP/443) from hosts in 192.168.1.0/24 to anywhere
access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq 443
! everything else is allowed (otherwise the implicit deny at the end would drop it)
access-list 101 permit ip any any

and apply this access list to your local interface, e.g.:

interface FastEthernet0/0
 ip access-group 101 in

Does that make sense?

Regards,

Nethelper
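Added example, not part of the thread: a small Python evaluator for Cisco-style extended ACL entries that applies the ACL from the answer above to a set of constructed sample flows. It shows which flows the "in" ACL on the LAN interface would drop (a 192.168.1.0/24 client talking to any TCP/443 server, and TCP/443 traffic aimed at a host inside that subnet), which it would pass, and two points worth checking before relying on it: the implicit deny at the end of every IOS ACL, and the fact that "tcp ... eq 443" entries do not match UDP on port 443. The parser only understands the syntax used in the three lines above (a port operator after the destination address); the sample flows and addresses are constructed for illustration.

```python
"""Evaluate Cisco-style extended ACL lines against sample flows (added example).

The parser covers the subset of syntax used in the thread:
  access-list <n> <permit|deny> <ip|tcp|udp> <src> <dst> [eq <dst-port>]
where <src>/<dst> is either "any" or "<address> <wildcard-mask>".
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: str               # "any" or "<address> <wildcard>"
    dst: str               # "any" or "<address> <wildcard>"
    dst_port: Optional[int] = None   # "eq <port>" after the destination


def match_addr(spec: str, addr: str) -> bool:
    """Cisco wildcard mask semantics: 0 bits must match, 1 bits are don't-care."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list <n> ...' line into an Ace."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = tok[2], tok[3]
    i = 4

    def take_addr() -> str:
        nonlocal i
        if tok[i] == "any":
            i += 1
            return "any"
        spec = f"{tok[i]} {tok[i + 1]}"   # address followed by wildcard mask
        i += 2
        return spec

    src = take_addr()
    dst = take_addr()
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = int(tok[i + 1])
    return Ace(action, proto, src, dst, port)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not match_addr(ace.src, src) or not match_addr(ace.dst, dst):
            continue
        if ace.dst_port is not None and ace.dst_port != dport:
            continue
        return ace.action
    return "deny"   # implicit deny at the end of every IOS ACL


# The ACL from the accepted answer.
ACL_101 = [parse_ace(line) for line in [
    "access-list 101 deny tcp any 192.168.1.0 0.0.0.255 eq 443",
    "access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq 443",
    "access-list 101 permit ip any any",
]]

# Constructed sample flows: (protocol, source, destination, destination port).
SAMPLE_FLOWS = {
    "lan client -> webmail https":   ("tcp", "192.168.1.10", "203.0.113.5", 443),
    "lan client -> plain http":      ("tcp", "192.168.1.10", "203.0.113.5", 80),
    "other subnet -> https":         ("tcp", "192.168.2.10", "203.0.113.5", 443),
    "internet -> lan https server":  ("tcp", "203.0.113.5", "192.168.1.20", 443),
    "lan client -> udp/443 (quic)":  ("udp", "192.168.1.10", "203.0.113.5", 443),
}


def check_flows(acl: List[Ace], flows=SAMPLE_FLOWS) -> dict:
    """Return {flow name: 'permit'|'deny'} for each sample flow."""
    return {name: evaluate(acl, *flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, verdict in check_flows(ACL_101).items():
        print(f"{verdict:6}  {name}")
```

Run it and the two HTTPS flows that involve 192.168.1.0/24 come back as deny while the HTTP flow, the other subnet, and UDP/443 are permitted. If an "in" ACL is applied on the LAN-facing interface, only the second deny line does real work for the web-mail case (the first matches traffic towards servers inside the subnet); and if the final permit line were left out, the implicit deny would drop all of the subnet's other traffic too.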

2 REPLIES
New Member

Re: blocking https traffic... help

Hello Nethelper,

Yes, the extended ACL does make sense. I don't know why I was thinking narrow for Group Policy. I believe this would work.

The company is wanting to block Gmail (abusing chat) and in its current state, the normal HTTP is blocked via a software filter, but HTTPS is still accessible.

Thanks for the reply.

BTW, when is the ideal time to use Policy Routing? Just for load balancing or preferred path type stuff?
