IOS firewall blocks all outbound https traffic

yannning (TechnicalUser)
20 Sep 04 4:54
I have a Cisco 2611 with IOS ver 12.3(4)T3. Once I enable CBAC, it will block all outbound https traffic, even if I permit all IP traffic into the outside interface.
How do I let the secure network access https services on the internet?
Your response will be highly appreciated.
rudeboy (ISP)
20 Sep 04 17:00
Is https the only traffic that is being blocked?
What interface is the CBAC being applied to?
yannning (TechnicalUser)
20 Sep 04 22:50
Yes, now only https is blocked. CBAC is applied to the inbound direction of the inside interface, f0/0, but it's the same when applying it to the outbound direction of the outside interface, f0/1.
Please see the relevant configuration as follows:
ip inspect name CBAC fragment maximum 256 timeout 1
ip inspect name CBAC smtp
ip inspect name CBAC ftp
ip inspect name CBAC http
ip inspect name CBAC tcp
ip inspect name CBAC udp timeout 5
ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
!
no crypto isakmp enable
!
interface FastEthernet0/0
no ip address
speed auto
full-duplex
no cdp enable
no mop enabled
!
interface FastEthernet0/0.10
encapsulation dot1Q 1 native
ip address 192.168.0.11 255.255.255.0
no ip redirects
ip nat inside
ip inspect CBAC in
!
interface FastEthernet0/0.11
encapsulation dot1Q 1 native
ip address 192.168.1.11 255.255.255.0
no ip redirects
ip nat inside
ip inspect CBAC in
!
interface FastEthernet0/1
ip address <ip assigned by ISP>
ip access-group 101 in
ip nat outside
duplex auto
speed auto
no cdp enable
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 <ip of outside gateway>
!
ip http server
no ip http secure-server
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 deny   ip any any log
!
control-plane
!

Thanks for your response.
rudeboy (ISP)
22 Sep 04 11:14
Nothing is really jumping out at me.  I know that you say it doesn't make a difference, but as a rule of Cisco, the CBAC should be configured on the same interface that the access-list is applied to.
bell1996 (TechnicalUser)
19 Oct 04 17:37
I can't see anything wrong either.

How about you create an access-list to determine where the HTTPS traffic is getting dropped.

access-list 199 permit ip host x.x.x.x any log
access-list 199 permit ip any any
access-list 199 deny ip any any log

Now apply the ACL:

interface FastEthernet 0/0.10 or 0/0.11
ip access-group 199 in


All this does is log the packets from host x.x.x.x to any destination. If HTTPS is passing into the interface you should see it log the HTTPS traffic. If it's getting denied (which I don't see how, but if it does) then the "deny ip any any log" will pick it up and log it.

Just trying to isolate the issue.

I typically apply my CBAC to my outside interface, along with my ACL.
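As an added example (not posted by anyone in this thread), the log lines produced by the "log" keyword on these ACL entries are IOS %SEC-6-IPACCESSLOGP messages; the script below parses a small set of constructed sample lines and tallies, per ACL and action, how many packets to or from TCP port 443 each list permitted or denied, which is the comparison the isolation step above is after. If the inside ACL shows the outbound 443 connection permitted while the outside ACL (101) shows the return traffic from port 443 denied, the dynamic opening CBAC should have created is missing.

```python
import re
from collections import Counter

# IOS ACL log message format (the %SEC-6-IPACCESSLOGP syslog mnemonic).
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample log output; addresses and ports are made up for illustration.
SAMPLE_LOG = """\
*Sep 20 22:50:01.123: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 192.168.0.50(1029) -> 198.51.100.7(443), 1 packet
*Sep 20 22:50:05.456: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 192.168.0.50(1030) -> 198.51.100.7(80), 1 packet
*Sep 20 22:50:31.789: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(443) -> 192.168.0.50(1029), 3 packets
*Sep 20 22:50:40.000: %SEC-6-IPACCESSLOGP: list 199 denied tcp 192.168.1.20(1100) -> 198.51.100.9(443), 1 packet
*Sep 20 22:51:00.000: %SYS-5-CONFIG_I: Configured from console by console
"""


def parse_line(line):
    """Return the fields of one ACL log line, or None for any other syslog line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def classify(rec, port=443):
    """'to' if the packet targets the port, 'from' if it is return traffic, else None."""
    if rec["dport"] == port:
        return "to"
    if rec["sport"] == port:
        return "from"
    return None


def summarize(log_text, port=443):
    """Sum logged packet counts keyed by (acl, action, direction) for one TCP port."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        direction = classify(rec, port)
        if direction is not None:
            counts[(rec["acl"], rec["action"], direction)] += rec["count"]
    return dict(counts)


if __name__ == "__main__":
    for (acl, action, direction), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"list {acl}: {n} packet(s) {direction} port 443 {action}")
```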
yannning (TechnicalUser)
20 Oct 04 4:04
Good idea, I'll try it.
Thanks a lot.
