access list fun...

rakem Member Posts: 800
Ok, I'm having a whole bunch of fun trying to get an access list working.

Topology is:

10.1.21.0/24 --- int vlan1 --- DELL 6248 --- int vlan3 --- 192.168.21.0/24


I need devices in VLAN3 (192.168.21.0) to be able to communicate with the 10.1.21.0 subnet on certain ports, as shown in the ACL below.

So I have this access list:

access-list wireless permit tcp 192.168.21.0 0.0.0.255 any eq 3389
access-list wireless permit tcp 192.168.21.0 0.0.0.255 any eq telnet
access-list wireless permit icmp any any
access-list wireless permit udp any any eq 67
access-list wireless permit udp any any eq 68
access-list wireless permit tcp 192.168.21.0 0.0.0.255 any eq domain
access-list wireless permit udp 192.168.21.0 0.0.0.255 any eq domain
access-list wireless permit tcp any any eq 443

The direction I have applied this in is inbound on interface vlan3.

So everything is working: I can RDP out, I can telnet, ping, DNS is good and DHCP works.

The only problem is that the last rule to allow HTTPS traffic is not working. We have two devices that have a web-based console that needs to use HTTPS. It just doesn't work; I can ping the host but can't connect using HTTPS.

As soon as I remove the ACL I can connect using HTTPS. But as soon as I put the ACL back on, HTTPS gets blocked.

As you can see, the ACL is set to allow any communication on 443. I have moved it to the top of the list and still get the same problem.

So something must be missing in the list but I just can't see it right now. Can anyone help me out?

cheers.
CCIE# 38186
showroute.net

Comments

  • Ahriakin Member Posts: 1,799
    Have you tried monitoring the syslogs (filter them if need be) while attempting HTTPS? Might give some clues.
    Also it's possible the consoles also use unencrypted content in conjunction with the HTTPS main frames/page. To start with I'd put a permit any(ip) any(protocol) to the IP of the web-controlled machines right before your HTTPS statement; if that works, either do a packet capture to see what protocols are really being used, or guess and remove the previous statement/add an allow for TCP/80.
    Last up what device are you using? Does it have any kind of SSL intercept/man-in-the-middle capabilities that might be getting in the way?
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • rakemrakem Member Posts: 800
    Thanks for the reply.

    managed to get it working with this ACL


    access-list wireless permit tcp any any eq 443
    access-list wireless permit tcp any eq 443 any


    Thanks though.
    CCIE# 38186
    showroute.net
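The thread ends with the fix but not with the reason, so here is an added example (not from the original posts, not Dell's code) that walks the posted ACL with first-match semantics and shows which permit a given 5-tuple would hit. The client address 192.168.21.50, the console address 10.1.21.10 and the ephemeral ports are constructed; whether the Dell 6248 evaluates an inbound VLAN ACL against exactly these packets is an assumption. What the simulation does show is that the line rakem added (`permit tcp any eq 443 any`) is the only rule that matches a TCP packet whose *source* port is 443, i.e. the server's HTTPS reply, which is consistent with the observed fix. The same test applied to an RDP reply also finds no matching rule, and the thread does not say how that traffic got through, so treat the evaluator as a way to reason about rule order and direction, not as a model of the switch.

```python
"""First-match evaluation of the 'wireless' ACL from the thread.

Added example, not from the original post. Rules are parsed from the
PowerConnect-style lines as posted; 'eq <port>' may follow the source
or the destination address. Hosts and ephemeral ports are constructed.
"""
import ipaddress
from typing import NamedTuple, Optional

NAMED_PORTS = {"telnet": 23, "domain": 53, "https": 443}

ORIGINAL_ACL = [
    "access-list wireless permit tcp 192.168.21.0 0.0.0.255 any eq 3389",
    "access-list wireless permit tcp 192.168.21.0 0.0.0.255 any eq telnet",
    "access-list wireless permit icmp any any",
    "access-list wireless permit udp any any eq 67",
    "access-list wireless permit udp any any eq 68",
    "access-list wireless permit tcp 192.168.21.0 0.0.0.255 any eq domain",
    "access-list wireless permit udp 192.168.21.0 0.0.0.255 any eq domain",
    "access-list wireless permit tcp any any eq 443",
]
# The line the poster added: TCP with *source* port 443 (server-to-client HTTPS).
FIXED_ACL = ORIGINAL_ACL + ["access-list wireless permit tcp any eq 443 any"]


class Rule(NamedTuple):
    proto: str             # tcp / udp / icmp / ip
    src: str               # "any" or "<addr> <wildcard>"
    sport: Optional[int]   # set when "eq" follows the source address
    dst: str
    dport: Optional[int]   # set when "eq" follows the destination address


class Packet(NamedTuple):
    proto: str
    src_ip: str
    sport: int
    dst_ip: str
    dport: int


def _port(tok: str) -> int:
    return NAMED_PORTS.get(tok) or int(tok)


def parse_rule(line: str) -> Rule:
    """Parse 'access-list <name> permit <proto> <src> [eq p] <dst> [eq p]'."""
    toks = line.split()
    assert toks[0] == "access-list" and toks[2] == "permit", line
    pos = 4

    def addr() -> str:
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return "any"
        spec = f"{toks[pos]} {toks[pos + 1]}"
        pos += 2
        return spec

    def eq() -> Optional[int]:
        nonlocal pos
        if pos < len(toks) and toks[pos] == "eq":
            port = _port(toks[pos + 1])
            pos += 2
            return port
        return None

    src, sport = addr(), eq()
    dst, dport = addr(), eq()
    return Rule(toks[3], src, sport, dst, dport)


def addr_matches(spec: str, ip: str) -> bool:
    """Cisco/Dell wildcard semantics: a set bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(base)) & care) == (int(ipaddress.IPv4Address(ip)) & care)


def first_match(acl_lines, pkt: Packet) -> Optional[int]:
    """1-based index of the first permit that matches, or None for the implicit deny."""
    for n, line in enumerate(acl_lines, 1):
        r = parse_rule(line)
        if r.proto not in ("ip", pkt.proto):
            continue
        if not (addr_matches(r.src, pkt.src_ip) and addr_matches(r.dst, pkt.dst_ip)):
            continue
        if r.sport is not None and r.sport != pkt.sport:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return n
    return None


# Constructed flows: a VLAN3 client talking to a web console on 10.1.21.0/24.
CLIENT, CONSOLE = "192.168.21.50", "10.1.21.10"
FLOWS = {
    "https_request": Packet("tcp", CLIENT, 51234, CONSOLE, 443),
    "https_reply":   Packet("tcp", CONSOLE, 443, CLIENT, 51234),
    "rdp_request":   Packet("tcp", CLIENT, 50001, CONSOLE, 3389),
    "rdp_reply":     Packet("tcp", CONSOLE, 3389, CLIENT, 50001),
    "ping":          Packet("icmp", CLIENT, 0, CONSOLE, 0),
}


def evaluate(acl_lines) -> dict:
    """Map each sample flow to the rule number that permits it (None = dropped)."""
    return {name: first_match(acl_lines, pkt) for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(label, evaluate(acl))
```

Run it and the original ACL permits the HTTPS request on rule 8 but drops the reply; the fixed ACL permits the reply on the new rule 9. Ahriakin's suggestion of a temporary `permit ip any` to the console address followed by a packet capture is the practical way to discover which flows a stateless ACL like this one is missing.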