ACL is blocking HTTP(s) even though it is set to Permit

Mike McCotter
Level 1

Hi all,

I'm working on a Packet Tracer project, and I am stumped as to why my ACL will not permit traffic from port 80 and 443 to my web server. With the ACL not bound to G0/0/0.40 I have full access to the web server (HTTP(s), ftp, ping). When I bind the ACL to interface G0/0/0.40 everything is blocked. This is a simple ACL, so why would everything be blocked? I appreciate any guidance or insight into my mistake.

Basic network setup:

PC1--> Switch 1--> Router 1--> Router 2 (G0/0/0.40)--> Switch 3--> Web Server (10.99.40.2)

ACL and G0/0/0.40:

interface GigabitEthernet0/0/0.40
encapsulation dot1Q 40
ip address 10.99.40.1 255.255.255.0
ip access-group HTTP(s)_ONLY in
ipv6 address 2001:DB8:1:40::1/64

ip access-list extended HTTP(s)_ONLY
permit tcp any host 10.99.40.2 eq www
permit tcp any host 10.99.40.2 eq 443
deny ip any any

Full Running-Config:

Current configuration : 2229 bytes
!
version 15.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
ip dhcp excluded-address 10.99.10.0 10.99.10.9
ip dhcp excluded-address 10.99.20.0 10.99.20.9
ip dhcp excluded-address 10.99.30.0 10.99.30.9
ip dhcp excluded-address 10.99.40.0 10.99.40.9
!
ip dhcp pool ACCOUNTING
network 10.99.10.0 255.255.255.0
default-router 10.99.10.1
dns-server 8.8.8.8
ip dhcp pool HR
network 10.99.20.0 255.255.255.0
default-router 10.99.20.1
dns-server 8.8.8.8
ip dhcp pool SALES
network 10.99.30.0 255.255.255.0
default-router 10.99.30.1
dns-server 8.8.8.8
ip dhcp pool IT
network 10.99.40.0 255.255.255.0
default-router 10.99.40.1
dns-server 8.8.8.8
!
!
!
no ip cef
ipv6 unicast-routing
!
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0/0.30
encapsulation dot1Q 30
ip address 10.99.30.1 255.255.255.0
ipv6 address 2001:DB8:1:30::1/64
!
interface GigabitEthernet0/0/0.40
encapsulation dot1Q 40
ip address 10.99.40.1 255.255.255.0
ip access-group HTTP(s)_ONLY in
ipv6 address 2001:DB8:1:40::1/64
!
interface GigabitEthernet0/0/1
no ip address
ip nat outside
duplex auto
speed auto
shutdown
!
interface Serial0/2/0
ip address 10.99.100.2 255.255.255.252
ipv6 address 2001:DB8:1:100::2/64
!
interface Serial0/2/1
ip address 10.99.200.1 255.255.255.252
ip nat inside
ipv6 address 2001:DB8:1:200::1/64
clock rate 2000000
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
passive-interface GigabitEthernet0/0/0
network 10.99.100.0 0.0.0.3 area 0
network 10.99.200.0 0.0.0.3 area 0
network 10.99.30.0 0.0.0.255 area 0
network 10.99.40.0 0.0.0.255 area 0
!
ipv6 router ospf 13
log-adjacency-changes
!
ipv6 router ospf 1
router-id 1.1.1.1
log-adjacency-changes
!
ip nat inside source static 10.99.40.2 209.165.200.102
ip classless
!
ip flow-export version 9
!
!
ip access-list extended HTTP(s)_ONLY
permit tcp any host 10.99.40.2 eq www
permit tcp any host 10.99.40.2 eq 443
deny ip any any
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end

4 Replies

ip access-group HTTP(s)_ONLY OUT

Make direction OUT and it will work

MHM

Thanks MHM for pointing out my mistake. That was the issue and it resolved once the change was made. Very helpful!!

balaji.bandi
Hall of Fame

The in and out keywords specify in which direction you are activating the ACL.
IN (in) means that the ACL is applied to the traffic coming into the interface,
while OUT (out) means that the ACL is applied to the traffic leaving the interface.

So try as below (assuming that, as you mentioned, everything works as expected without the ACL):

interface GigabitEthernet0/0/0.40
ip access-group HTTP(s)_ONLY out

If there is still an issue, post the show access-list output or debug the flow.

BB


Hey BB, Thanks for the response. That was the issue, and the change worked. I appreciate your assistance and definitions of in and out. Take care.
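To make the in/out distinction from the replies concrete, here is an added example (not part of the thread and not Cisco code) that simulates how IOS evaluates the HTTP(s)_ONLY access list when it is bound "in" versus "out" on G0/0/0.40, the subinterface facing the web server. The ACL text is the one from the post; the PC1 address 10.99.10.5, the client's ephemeral port and the packet flows are constructed for the demonstration. The simulator handles only the ACL syntax that appears on the page (any, host, dotted wildcard, eq port) and assumes contiguous wildcard masks.

```python
"""Simulate Cisco extended ACL direction on a router subinterface.

Added example: models the HTTP(s)_ONLY ACL from the post bound "in" or "out"
on GigabitEthernet0/0/0.40 (attached subnet 10.99.40.0/24, web server
10.99.40.2). All packet flows below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "telnet": 23}


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port for tcp/udp


@dataclass(frozen=True)
class Entry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    # A Cisco wildcard is an inverted netmask (assumes a contiguous mask).
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_acl(text):
    """Parse 'permit|deny <proto> <src> <dst> [eq <port>]' lines into entries."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("!", "ip"):
            continue  # skip the 'ip access-list extended ...' header and comments
        action, proto, tokens = tokens[0], tokens[1], tokens[2:]
        src = _parse_addr(tokens)
        dst = _parse_addr(tokens)
        dport = None
        if tokens and tokens[0] == "eq":
            dport = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def evaluate(acl, pkt):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in e.src:
            continue
        if ipaddress.ip_address(pkt.dst) not in e.dst:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


def filter_on_interface(acl, direction, pkt, local_net):
    """Consult the ACL only for packets crossing the interface in that direction.

    'in'  sees packets arriving from the attached subnet (source on local_net).
    'out' sees packets leaving toward the attached subnet (destination on local_net).
    Packets moving the other way are forwarded without being checked.
    """
    net = ipaddress.ip_network(local_net)
    src_local = ipaddress.ip_address(pkt.src) in net
    dst_local = ipaddress.ip_address(pkt.dst) in net
    if (direction == "in" and src_local) or (direction == "out" and dst_local):
        return evaluate(acl, pkt)
    return "permit"  # ACL not applied in this direction


ACL_TEXT = """
ip access-list extended HTTP(s)_ONLY
 permit tcp any host 10.99.40.2 eq www
 permit tcp any host 10.99.40.2 eq 443
 deny ip any any
"""
ACL = parse_acl(ACL_TEXT)
SERVER_NET = "10.99.40.0/24"

# Constructed flows between PC1 (assumed 10.99.10.5) and the web server.
HTTP_REQUEST = Packet("tcp", "10.99.10.5", "10.99.40.2", 80)
HTTP_REPLY = Packet("tcp", "10.99.40.2", "10.99.10.5", 51234)  # server -> client
PING_REQUEST = Packet("icmp", "10.99.10.5", "10.99.40.2")
FTP_REQUEST = Packet("tcp", "10.99.10.5", "10.99.40.2", 21)


def web_session_works(direction):
    """True only if both halves of the HTTP exchange get through the interface."""
    return (filter_on_interface(ACL, direction, HTTP_REQUEST, SERVER_NET) == "permit"
            and filter_on_interface(ACL, direction, HTTP_REPLY, SERVER_NET) == "permit")


if __name__ == "__main__":
    for direction in ("in", "out"):
        print(f"ACL bound {direction}: HTTP session works = {web_session_works(direction)}")
        for name, pkt in (("HTTP request", HTTP_REQUEST), ("HTTP reply", HTTP_REPLY),
                          ("ping", PING_REQUEST), ("ftp", FTP_REQUEST)):
            print(f"  {name:12s} -> {filter_on_interface(ACL, direction, pkt, SERVER_NET)}")
```

Run with "in", the request toward the server is never checked, but the server's reply arrives inbound on G0/0/0.40 with the server as source, matches neither permit line and hits deny ip any any, which is why every service appeared blocked. With "out", the request toward the server is what gets checked: port 80 and 443 match, ping and ftp fall through to the deny, and the reply travels in the unfiltered direction. Two caveats for anyone hardening this further: an extended ACL is stateless, so the "out" binding does not inspect anything the server itself initiates, and an inbound variant would need its own entries for server-sourced traffic (for example a permit for tcp from host 10.99.40.2 port www with the established keyword) rather than relying on the return path being implied.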
