Cisco ASA not returning http/https internally

panderson@natrinsic.com — Wed, 01 Sep 2021 15:20:20 GMT

We have an internal VLAN that we wish to have ACLs to allow https traffic for when applications need the access to perform upgrades. If we try to setup NAT it wont let us use port 443 because it is in use with VPN and SSL. The ACLs dont seem to have any effect on the traffic, though the packet tracer shows that the 443 from the outside doesnt make it past the ACL rules. I have attached the complete configuration (IPs have been replaced with letters) so that anyone may review and add any comments.

We have been using curl as a test for this. This should return a header from the site, but instead just hangs:

# curl -Is https://support.cisco.com

# show asp table socket

Protocol Socket State Local Address Foreign Address

SSL 00003148 LISTEN :443 0.0.0.0:*

SSL 00005a08 LISTEN :443 0.0.0.0:*

SSL 00006738 LISTEN :443 0.0.0.0:*

SSL 00009138 LISTEN :443 0.0.0.0:*

SSL 0000a6a8 LISTEN :443 0.0.0.0:*

Re: Cisco ASA not returning http/https internally

panderson@natrinsic.com — Thu, 02 Sep 2021 07:52:59 GMT

I decided the best method was to use wccp and a proxy server.

topic Cisco ASA not returning http/https internally in Network Security

Cisco ASA not returning http/https internally

Re: Cisco ASA not returning http/https internally