CAN'T ACCESS ISR4221 VIA WEB GUI

wanumet · ‎01-17-2022

Hello Kindly assist

I cant access the router via web ui

Bellow is the config

Yumbe-Hospital#sh run
Building configuration...


Current configuration : 7079 bytes
!
! Last configuration change at 16:34:59 UTC Mon Jan 17 2022
! NVRAM config last updated at 16:12:32 UTC Mon Jan 17 2022
!
version 16.12
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware throughput level 75000
!
hostname Yumbe-Hospital
!
boot-start-marker
boot system flash bootflash:isr4200-universalk9_ias.16.12.05.SPA.bin
boot-end-marker
!
!
enable secret 9 $14$VEUi$63B51/zhnPAjE.$c5G/o5Ol0AKKHXg9RaGS0hGGxQV8GgxLY9TCoZ.6                                                                                        MuM
!
aaa new-model
!
!
!
!
!
!
!
!
aaa session-id common
clock timezone UTC 3 0
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@ci                                                                                        sco.com
 ! the email address configured in Cisco Smart License Portal will be used as co                                                                                        ntact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
  no destination transport-method email
!
!
!
!
!
!
!
ip name-server 154.72.192.21 8.8.8.8
ip domain name www.yumbehospital.go.ug
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
crypto pki trustpoint TP-self-signed-4009722129
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4009722129
 revocation-check none
 rsakeypair TP-self-signed-4009722129
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-4009722129
 certificate self-signed 01

        quit
!
!
no license feature hseck9
license udi pid ISR4221/K9 sn FGL2518LU5C
license accept end user agreement
license boot suite FoundationSuiteK9
license boot level appxk9
memory free low-watermark processor 67153
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username YH secret 9 $14$C7/o$gt6cihTBv2MBkE$He96/Td0WrPE..yM5z0UQ4j3yPhBKVDzT9t                                                                                        b4kJx7wU
!
redundancy
 mode none
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
 ip address 172.16.0.1 255.255.254.0
 ip nat inside
 negotiation auto
!
interface GigabitEthernet0/0/0.2
 description vlan 2
 encapsulation dot1Q 2
 ip address 172.16.2.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/1
 ip address dhcp
 ip nat outside
 media-type rj45
 negotiation auto
!
ip forward-protocol nd
ip http server
ip http port 8080
ip http authentication local
ip http secure-server
ip http secure-port 8081
ip nat inside source static tcp 172.16.0.254 80 154.72.215.230 80 extendable
ip nat inside source list 1 interface GigabitEthernet0/0/1 overload
ip route 0.0.0.0 0.0.0.0 154.72.215.229
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1
ip route 0.0.0.0 0.0.0.0 dhcp
!
!
ip access-list extended Web_acl
 10 permit ip any any
!
ip access-list standard 1
 10 permit 172.16.0.0 0.0.1.255
!
!
!
!
!
!
!
control-plane
!
banner login ^C
Welcome!
YUMBE HOSPITAL^C
banner motd ^C
Attention!
Authorized Access only.
^C
!
line con 0
 password MyBDis317
 transport input none
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password MyBDis317
!
ntp server time.google.com prefer
!
!
!
!
!
end

Yumbe-Hospital#

Georg Pauwen · ‎01-17-2022

Hello,

I assume you are trying to access the GUI externally through NAT ?

--> ip nat inside source static tcp 172.16.0.254 80 154.72.215.230 80 extendable

Do you get a prompt ? Which username and password are you using ?

wanumet · ‎01-17-2022

No, I am trying to access webui of router through LAN port

but then, even on WAN port, I cant access the router even through SSH

paul driver · ‎01-17-2022

Hello

so the lan port of the router is the wan port of the asa -

And you wish to access the router via http correct ?

if so then by default when you specify an outside interface in a ASA it will default to a security level 0 so the asa will then negate any traffic from originating or being allowed into the asa unless you manually allow it to do so

ASA
sh run object inline
sh run object group
sh run nat
sh nat detail
sh run access-list
sh access-group
sh run policy-map | be glo
sh route | be Ga
sh interface ip brief

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Richard Burts · ‎01-17-2022

My first question is whether the original poster is able to ping the router successfully?

If so my second question is whether you are attempting to access http (and if so are you specifying port 8080 or attempting https (and if so are you specifying port 8081)?

When you attempt to access the GUI are you getting any response at all?

After you attempt to access the GUI can you check the router logs and see if there are any log messages about this attempt?

If attempts to SSH are not successful then I have these questions about that issue:

- are we sure that SSH is enabled? Please post the output of show ip ssh.

- what address are you using for the attempt to SSH?

- are you able to successfully ping that address?

- when you attempt to SSH do you get any response? If so what is the response?

- after you attempt SSH can you check the router logs and see if there are any messages about this attempt?

HTH

Rick