Blocking web interfaces in Cisco IOS

narellano93
Level 1

I currently work for a WISP and we are currently using a Cisco 3800 series edge router. I'm here to ask the forums for the best way through ACLs to block our web interfaces for all of the routers inside of our network from all sources outside of our network. I understand that I can block the port 8080 in the inbound interface but there are customers who use that port for their own routers and I don't want to block them from being able to access their own equipment. As of right now each customer doesn't have their own static external IP address. As of right now each town has its own router and the customers have internals inside their town's router. I'm just looking for ideas here, I want to block all access from the internet to be able to even access the web interface. I know I could probably change the management port on the routers and block the port I use but I figured I'd ask here to get second opinions for best practices.


3 Replies

Robert Falconer
Level 1

I don't totally follow what you are trying to block from where. But, you can use an ACL and apply it to your vty interfaces or web interfaces that permits management from only specific IP addresses that you define.

access-list x permit y

line vty 0 4
 access-class x in

ip http access-class x

Sorry if I didn't make a lot of sense lol. So basically I have an edge router connected to our bandwidth provider (on the WAN side). On the LAN side of the edge router we have a rural WISP network. As of right now each tower has its own router and it has an external IP address. So because of this all of the customers at each town's LAN side are using internal IP addresses, so when it goes out onto the internet the source IP is just the tower's router. What I'd like to do is block the management access on those routers from the internet (they are https enabled and using port 8080). I don't want to block port 8080 altogether though because some customers behind those routers might be using them for their router access. Is the only solution to change the management port of our routers?

Thanks for providing a little more detail.

I would still say that using an ACL plus the access-class command is the best way to go. Even if you change the management port on the routers, you should still have an ACL defining what networks can manage the device.

The easiest way will be to just define the source of permitted management traffic, example 10.128.192.0/24. Like any other ACL, all other traffic will just get denied.

ip access-list standard 1
 permit 10.128.192.0 0.0.0.255

ip http access-class 1

I would also suggest applying the access-class command to the vty lines.
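As an added example (not code from the thread or from Cisco), here is a small Python audit that parses an IOS running-config, reads standard ACLs in both the numbered and the named syntax used in the replies above, and reports whether the HTTP(S) server and the vty lines are each gated by an access-class that only permits the management sources. The sample config and the optional `ipv4` keyword on `ip http access-class` are my assumptions, not from the post.

```python
import re
import ipaddress
# Constructed sample running-config (not from the thread), modelled on the accepted answer:
# standard ACL 1 gates both the HTTP(S) server and the vty lines.
GOOD_CONFIG = """\
ip access-list standard 1
 permit 10.128.192.0 0.0.0.255
ip http secure-server
ip http access-class 1
line vty 0 4
 access-class 1 in
"""

def _to_net(addr, mask):
    """IOS standard-ACL source (any | host X | addr [wildcard]) -> IPv4Network."""
    if addr in ("any", "host") or mask is None:
        return ipaddress.IPv4Network("0.0.0.0/0" if addr == "any" else (mask or addr) + "/32")
    netmask = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF  # invert the IOS wildcard mask
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)

def parse_standard_acls(config):
    """Return {acl: [(action, network), ...]} for numbered (1-99) and named standard ACLs."""
    acls, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"^ip access-list standard (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"^(?:access-list (\d{1,2}) |\s+)(permit|deny) (\S+)(?: (\S+))?", line):
            if name := m.group(1) or current:  # numbered entry, or a line inside the named ACL
                acls.setdefault(name, []).append((m.group(2), _to_net(m.group(3), m.group(4))))
        elif not line.startswith(" "):
            current = None  # left the named-ACL section
    return acls

def audit_management_plane(config, allowed_sources):
    """Findings where HTTP(S) or vty access is not limited to allowed_sources (empty = clean)."""
    acls = parse_standard_acls(config)
    allowed = [ipaddress.IPv4Network(n) for n in allowed_sources]
    http_on = re.search(r"^ip http (?:secure-)?server", config, re.M)
    http_acl = re.search(r"^ip http access-class (?:ipv4 )?(\S+)", config, re.M)
    vty_acl = re.search(r"^line vty.*\n(?: .*\n)*? access-class (\S+) in", config, re.M)
    findings = []
    for label, m in ([("http", http_acl)] if http_on else []) + [("vty", vty_acl)]:
        entries = acls.get(m.group(1)) if m else None
        if not entries:  # no access-class, or one naming an undefined/empty ACL (IOS then permits all)
            findings.append(f"{label}: no access-class backed by a defined ACL")
            continue
        for action, net in entries:
            if action == "permit" and not any(net.subnet_of(a) for a in allowed):
                findings.append(f"{label}: ACL {m.group(1)} permits {net}, outside the management sources")
    return findings
```

Run it against `show running-config` output from each tower router with the management subnet as `allowed_sources`; any finding means the web or vty management plane is still reachable from outside that subnet.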
