is there a way to limit http access to a device to one local ip

paul amaral · ‎05-18-2022

Hi, is there a way to limit http/s access to a Cisco router or switch to one locally configured ip. right now it seems like I can pull up the http gui on any locally configured ip address including subnet broadcasts. Using IOS 16.9.4 XE.

Paul

marce1000 · ‎05-18-2022

- Review this thread : https://community.cisco.com/t5/routing/blocking-web-interfaces-in-cisco-ios/td-p/2696699

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Flavio Miranda · ‎05-18-2022

Hi

You can try this for IOS-XE

Router(config)# ip access-list standard 20
Router(config-std-nacl)# permit x.x.x.x x.x.x.x
Router(config-std-nacl)# exit

Router(config)# ip http access-class 20

paul amaral · ‎05-18-2022

Flavio, that's the issue I have a http access list setup, but it looks like the router will answer for any locally configured ip. This is he behavior I'm trying to stop but doesn't look possible. From what I see the router will answer http/s requests for any that it has locally configure, on vlans or physical interfaces.

Thanks,

Paul

Georg Pauwen · ‎05-18-2022

Hello,

what did you actually configure ? Did you allow just that one host (as in the example below) ?

access-list 1 permit host 192.168.1.15
ip http access-class 1
!
ip http authentication local