blocking https traffic... help

Armegeden
Level 1

Hello all,

Some of the higher ups are wanting to block some secure webmail traffic and were asking if Cisco had this option.

The only way I can think of is QoS Policy Based Routing... ? Is this correct?

And if so, what would be a basic setup for this scenario? Like if I wanted to block 443 traffic from a specific subnet range?

Also, anyone know of a link that gives me the rundown on how to setup Policy Based Routing? Like what each step is for...

I've seen a couple threads about this, but the whole setup was kind of obscure to me...

Thanks in advance

Accepted Solution

nethelper
Level 3

Hello Scott,

I am thinking: is it not possible in your scenario to simply block TCP port 443 (HTTPS) from accessing the subnet by using an extended access list?

Let's say you want to block HTTPS traffic from subnet 192.168.1.0/24. You could configure an access list as follows:

access-list 101 remark Block HTTPS (TCP 443) sessions to hosts in 192.168.1.0/24
access-list 101 deny tcp any 192.168.1.0 0.0.0.255 eq 443
access-list 101 remark Block HTTPS (TCP 443) sessions from 192.168.1.0/24 to anywhere
access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 101 remark Allow everything else (every ACL ends with an implicit deny)
access-list 101 permit ip any any

and apply this access list to your local interface, e.g.:

interface FastEthernet0/0
 ip access-group 101 in

Does that make sense?

Regards,

Nethelper

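As an added illustration (not part of Nethelper's answer), here is a small Python model of how IOS evaluates the three lines above: top to bottom, with Cisco wildcard-mask matching and an implicit deny at the end; the addresses and packets are constructed. It also shows one limit of the list as written: the entries say tcp, so UDP to port 443 is not caught.

```python
import ipaddress

# Model of the extended ACL from the answer above. Each entry is
# (action, protocol, src, src_wildcard, dst, dst_wildcard, dst_port);
# "any" is written as 0.0.0.0 with wildcard 255.255.255.255, as IOS stores it.
ACL_101 = [
    ("deny",   "tcp", "0.0.0.0",     "255.255.255.255", "192.168.1.0", "0.0.0.255",       443),
    ("deny",   "tcp", "192.168.1.0", "0.0.0.255",       "0.0.0.0",     "255.255.255.255", 443),
    ("permit", "ip",  "0.0.0.0",     "255.255.255.255", "0.0.0.0",     "255.255.255.255", None),
]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match the base, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, proto, src, dst, dport):
    """Return the action of the first matching entry; an ACL ends in an implicit deny."""
    for action, p, s, s_wc, d, d_wc, dp in acl:
        if p != "ip" and p != proto:
            continue
        if not wildcard_match(src, s, s_wc) or not wildcard_match(dst, d, d_wc):
            continue
        if dp is not None and dp != dport:
            continue
        return action
    return "deny"

# Constructed sample packets (203.0.113.0/24 is a documentation range).
def lan_https_blocked():
    """A host in 192.168.1.0/24 opening HTTPS to a webmail server: hits line 2."""
    return evaluate(ACL_101, "tcp", "192.168.1.25", "203.0.113.10", 443)

def lan_http_allowed():
    """Plain HTTP from the same host falls through to the permit ip any any line."""
    return evaluate(ACL_101, "tcp", "192.168.1.25", "203.0.113.10", 80)

def other_subnet_https_allowed():
    """A host outside the wildcard range is not touched by either deny line."""
    return evaluate(ACL_101, "tcp", "192.168.2.25", "203.0.113.10", 443)

def lan_udp_443_allowed():
    """The deny lines say 'tcp', so UDP to port 443 (e.g. QUIC) still passes."""
    return evaluate(ACL_101, "udp", "192.168.1.25", "203.0.113.10", 443)
```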

2 Replies


Hello Nethelper,

Yes, the extended ACL does make sense. I don't know why I was thinking narrow for Group Policy. I believe this would work.

The company is wanting to block Gmail (abusing chat), and in its current state the normal HTTP is blocked via a software filter, but HTTPS is still accessible.

Thanks for the reply.

BTW, when is the ideal time to use Policy Routing? Just for load balancing or preferred path type stuff?