SSL & Access lists

Status
Not open for further replies.

jcanfer

MIS
Aug 9, 2001
16
GB
When you use access lists and you access a website with SSL encryption, is an entry for port 443 in the outbound access list sufficient? How does the process work for connecting to an SSL site?

I only ask as I get a variety of odd syslog messages when I access a URL with SSL. Generally the error goes:

Deny TCP (no connection) from [ISP IP]/80 to [global IP from pool]/[any port] flags ACK on interface outside

Any ideas? It looks like I may not have set up my global pool of IP addresses correctly.

Any ideas?

Thanks

Jim

 
In your browser, are you typing https://?

If not, you are initiating the connection on port 80 (HTTP) and the site will redirect to port 443. This is the way most bank sites and credit card sites work. If you type https in the browser, all you need is 443.
 
No, they are definitely redirects from port 80 - 443. However, I don't think the problem is SSL related now.

I've been getting a lot of the same errors with just a standard FTP download. According to Cisco the error (106015) is caused as there is no association to the incoming packet in the connection table.

The trouble is, I have no way of checking to see what these packets are yet and if my config is duff. I also seem to be having trouble accessing the net. Sometimes I get straight on, but other times I just get "This page could not be found etc." Odd things afoot! Ideas anyone - please!
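
For readers triaging the same 106015 messages: the script below is an added example, not part of the original thread and not Cisco code. It parses the "Deny TCP (no connection)" text quoted above and tallies the denied packets by source service and TCP flags, which shows whether they are late replies from web or FTP servers for connections the firewall no longer tracks. The "%PIX-6-106015:" prefix, the addresses and the sample lines are constructed, and the port-to-service mapping is an assumption used as a heuristic.

```python
import re
from collections import Counter

# Message text as quoted in the thread; tolerates a missing space before "flags".
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>\S+?)/(?P<sport>\d+) "
    r"to (?P<dst>\S+?)/(?P<dport>\d+)\s*flags (?P<flags>[A-Z ]+?) "
    r"on interface (?P<iface>\S+)"
)

# Heuristic (assumption): a denied packet *from* one of these ports is probably
# a server reply to a connection that is no longer in the connection table.
SERVER_PORTS = {20: "ftp-data", 21: "ftp", 80: "http", 443: "https"}


def parse_106015(line):
    """Return a dict of fields for a 106015 line, or None if it does not match."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["flags"] = tuple(rec["flags"].split())
    return rec


def summarize(lines):
    """Count denied packets by source service and by TCP flag combination."""
    by_service, by_flags = Counter(), Counter()
    for line in lines:
        rec = parse_106015(line)
        if rec is None:
            continue  # not a 106015 message
        by_service[SERVER_PORTS.get(rec["sport"], "other")] += 1
        by_flags[rec["flags"]] += 1
    return by_service, by_flags


# Constructed sample lines using documentation address ranges.
SAMPLE_LOG = [
    "%PIX-6-106015: Deny TCP (no connection) from 198.51.100.10/80 to 192.0.2.20/1042 flags ACK on interface outside",
    "%PIX-6-106015: Deny TCP (no connection) from 198.51.100.11/443 to 192.0.2.20/1043 flags FIN ACK on interface outside",
    "%PIX-6-106015: Deny TCP (no connection) from 198.51.100.30/20 to 192.0.2.21/2011 flags PSH ACK on interface outside",
    "%PIX-6-106015: Deny TCP (no connection) from 198.51.100.40/51515 to 192.0.2.20/1050 flags RST on interface outside",
    "unrelated syslog line (constructed)",
]

if __name__ == "__main__":
    services, flags = summarize(SAMPLE_LOG)
    print(dict(services), dict(flags))
```

A tally dominated by source ports 80, 443 or 20 with ACK or FIN flags points at return traffic for connections missing from the table rather than at unsolicited inbound attempts.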
 