03-10-2011 01:07 PM - edited 03-06-2019 04:01 PM
Been going through the configuration guide for the Cisco 890....
I am trying to enable http management on the LAN side so discovery will work using Cisco Configuration Professional...
Anyone know where I can get information to achieve this task?
03-10-2011 11:27 PM
Hi,
go to CLI and then:
1) configure a local user with privilege 15: user localuser privilege 15 secret localpass
2) enable http service: ip http server
3) authenticate http with the local user: ip http authentication local
4) if you've got no IP address on LAN interface then configure one
5) you should be good to go.
Regards.
Alain.
03-11-2011 08:20 AM
Thanks for your help....
FastEthernet ports 1-7 are configured:
interface Vlan100
description $FW_INSIDE$
ip address 192.168.77.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
So, all I should really need to do is config a local user with privilege 15, enable the http service, and authenticate http with the local user?
03-11-2011 09:15 AM
I suppose one problem is that this router was sent to me preconfigured..... Aside from the username and password that I use to console in, the enable password is also known to me. So, how can I determine if they have already configured a local user with privilege 15, but neglected to enable http services?
I wouldn't have to interface with vlan1 when performing this procedure? Or with any of the FE interfaces?
03-11-2011 11:07 AM
Hi,
You log into CLI with a console cable and then you enter username/password combination and then issue the command show privilege
you'll then know which privilege this configured user has.
For http just do show run | i http and you should see if http is enabled and local authentication also.
Regards.
Alain.
03-11-2011 12:07 PM
The router in question is at another location already in production.... God only knows why it wasn't configured for remote admin both on the WAN and LAN side.... Anyway....
FE1 - FE7 are tied to vlan1. For some reason, FE0 is configured on a network I don't even use, but, I am able to plug my laptop into FE0 rather than the console port to make changes....
My question I am sure is elementary..... I ran the commands you mentioned earlier for creating the user and enabling the http and so forth, but, I am still unable to discover the router. I am sure this is due to not being in the correct interface when configuring the services. I did all of the following from the config terminal on FE0....
1) configure a local user with privilege 15: user localuser privilege 15 secret localpass
2) enable http service: ip http server
3) authenticate http with the local user: ip http authentication local
4) if you've got no IP address on LAN interface then configure one
5) you should be good to go.
I still can't see the router on my LAN side for the network I NEED to see it from (tied to FE1-FE7).... so, do I need to repeat the steps from the vlan1 interface where my 192.168.77.1 network is configured?
Bah....
03-11-2011 10:13 PM
The CCP only discovers machines in the LAN.
So you've got to connect a machine to one of your ports in VLAN 100 with an IP in the same subnet:
Just verify whether dhcp is turned on for this VLAN or not: sh ip dhcp pool, and then set your host NIC to dhcp; otherwise put a static in the vlan 100 subnet
interface Vlan100
description $FW_INSIDE$
ip address 192.168.77.1 255.255.255.0
Regards.
Alain.
03-14-2011 08:03 AM
The 891 is in production.... I have over 40 machines pulling addresses from it currently, in fact, the machine I am typing on is leasing from it. FE interfaces 1-7 are tied to VLAN100 which is configured:
interface Vlan100
description $FW_INSIDE$
ip address 192.168.77.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
when I try to discover the 891 on this LAN, I get the following:
Connection to the device could not be established. Either the device is not reachable or the HTTP service is not enabled on the device.
So, when I console into the 891, I guess my question would be... where do I run the command you originally gave me to enable http services on my LAN?
go to CLI and then:
1) configure a local user with privilege 15: user localuser privilege 15 secret localpass
2) enable http service: ip http server
3) authenticate http with the local user: ip http authentication local
4) if you've got no IP address on LAN interface then configure one
5) you should be good to go.
Or, which interface do I run them on?
Sorry to be such a newb.
Jason
03-14-2011 08:46 AM
Connection to the device could not be established. Either the device is not reachable or the HTTP service is not enabled on the device.
The question is which one is it?
So in privileged mode (after typing enable followed by the enable password): show run | i http and you'll see if it is really not enabled.
If it isn't, then in global config (after typing config t) you can enter ip http server (or better ip http secure-server for https) and then ip http authentication local
Regards.
Alain.
03-14-2011 10:16 AM
yes....the http services are up and running on FE0. However, nothing is connected to that interface.
The instructions for CCP say first to:
Step 1: Log on to the router through an Ethernet port.
I am guessing this would be the port that feeds the uplink to my switches at that location. But, when I connect to that port, putty refuses connection to the router's gateway address of 192.168.77.1
So, I probably need to enable something else... just to be able to log on to the router from the LAN side. Would this be an ACL feature?
The people who did the initial config on the router said they ran the username name privilege 15 secret 0 password command on the FE0 interface. This means that it needs to be done on the other Ethernet interfaces as well?
Does running the ip http server command in global config enable this service on all ethernet interfaces simultaneously?
03-14-2011 11:22 AM
Does running the ip http server command in global config enable this service on all ethernet interfaces simultaneously?
this is a global command so it enables http connections to the router from all routed interfaces.
Would this be an ACL feature?
maybe an access-class for http or an ACL on the inside interface: post the output of sh run | i http and also sh access-list, sh ip int Vlan100
Log on to the router through an Ethernet port.
This means you must have IP connectivity with the router: from where are you trying to communicate with the router with CCP? can you post a diagram?
Regards.
Alain.
03-14-2011 11:58 AM
I'm afraid it is the most simplistic of network topologies.
FiberSwitch-------->Cisco 891 (Gateway)----------->48 port gigabit switch------->nodes
Router IP (LAN side) on FE1 = 192.168.77.1/24
DHCP reserved 192.168.77.1-99
I am able to lease an ip, I can ping the router and everything else on the network (static devices, etc....), but I cannot telnet to the router or interface with it via CCS.
03-15-2011 12:09 AM
Hi,
So you can connect via console if I remember well, am I right? OK, if so then in privileged mode do a show run | be line vty and show run | i ip http
and post the output here.
Regards.
Alain.
03-15-2011 10:38 AM
show run | be line vty
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet
!
scheduler max-task-time 5000
end
show run | i ip http
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
I also believe that I should probably do the following:
Security Audit enables the HTTP service on the router with an access class whenever possible. The HTTP service permits remote configuration and monitoring using a web browser, but is limited in its security because it sends a clear-text password over the network during the authentication process. Security Audit therefore limits access to the HTTP service by configuring an access class that permits access only from directly connected network nodes.
The configuration that will be delivered to the router to enable the HTTP service with an access class is as follows:
ip http server
ip http access-class
!
!HTTP Access-class: Allow initial access to direct connected subnets
!only
access-list permit
access-list deny any
03-16-2011 12:32 AM
Hi,
show run | be line vty
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet
you have a restriction on the machines which can access this router via telnet.
And the same goes for http:
show run | i ip http
ip http server
ip http access-class 23
ip http authentication local
You'll have to edit access-list 23: access-list 23 permit x.x.x.x y.y.y.y, where x.x.x.x is the subnet your PC belongs to and y.y.y.y is the inverse mask, calculated as follows: each 255 in the subnet mask becomes a 0 and inversely, so e.g. mask 255.255.255.0 gives an inverse mask of 0.0.0.255; and if in an octet the value is not 255 or 0 then you do 255 minus this value, e.g. 255.255.252.0 gives 0.0.3.255
Regards.
Alain.
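Alain's inverse-mask rule and the access-class 23 restriction on both the vty lines and ip http, as an added Python example that is not part of the thread: it converts a subnet mask to the IOS wildcard mask, builds the permit line for Jason's 192.168.77.0/24 LAN, and evaluates a numbered standard ACL the way IOS does (first match wins, implicit deny at the end) to show why a LAN host is refused until that entry exists. The sample contents of access-list 23 are constructed, not taken from the router.

```python
import ipaddress

# Constructed sample: what a preconfigured access-list 23 might contain before
# the LAN subnet is added. The 10.10.10.0/29 entry is an assumption, not from the thread.
CONSTRUCTED_ACL = [
    "access-list 23 remark management hosts",
    "access-list 23 permit 10.10.10.0 0.0.0.7",
]

def wildcard_mask(subnet_mask):
    """Invert a dotted-decimal subnet mask into the IOS wildcard (inverse) mask:
    255 -> 0, 0 -> 255, and any other octet value -> 255 minus that value."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))

def permit_line(acl_number, address, subnet_mask):
    """Build the standard ACL entry that lets the subnet containing `address`
    reach the vty and HTTP services that reference this access-class."""
    net = ipaddress.IPv4Network(f"{address}/{subnet_mask}", strict=False)
    return f"access-list {acl_number} permit {net.network_address} {wildcard_mask(subnet_mask)}"

def _matches(src, entry_addr, wildcard):
    """IOS wildcard matching: a 1 bit in the wildcard means 'don't care'."""
    fixed = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(src)) & fixed) == (int(ipaddress.IPv4Address(entry_addr)) & fixed)

def acl_permits(acl_lines, acl_number, src):
    """Evaluate a numbered standard ACL as IOS does: first matching entry wins,
    remarks are skipped, and a source that matches nothing hits the implicit deny."""
    for line in acl_lines:
        parts = line.split()
        if len(parts) < 4 or parts[:2] != ["access-list", str(acl_number)]:
            continue
        action = parts[2]
        if action not in ("permit", "deny"):
            continue  # remark lines carry no match criteria
        if parts[3] == "any":
            entry, wildcard = "0.0.0.0", "255.255.255.255"
        elif parts[3] == "host":
            entry, wildcard = parts[4], "0.0.0.0"
        else:
            entry = parts[3]
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"  # bare address = single host
        if _matches(src, entry, wildcard):
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL

if __name__ == "__main__":
    fix = permit_line(23, "192.168.77.1", "255.255.255.0")
    print(fix)
    print("LAN host before fix:", acl_permits(CONSTRUCTED_ACL, 23, "192.168.77.50"))
    print("LAN host after fix: ", acl_permits(CONSTRUCTED_ACL + [fix], 23, "192.168.77.50"))
```

Because the same access-class 23 is applied to both line vty and ip http, one permit entry opens telnet and CCP discovery together; verify with sh access-list 23 after the change.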