router web access

Apr 16th, 2007

I use SSH and also have web access available to manage my 1721 router. When I disable telnet access on the vty ports (so I can just use SSH), web access becomes disabled as well. Is this normal? How do I get around this? Do I have to leave transport telnet enabled and then use an access list denying telnet, or is there an easier way?



spremkumar Mon, 04/16/2007 - 20:12

Hi Matt

AFAIK you are going to establish the web access through the port you define using ip http port followed by the port number.

So I don't think that by disabling the line vty access your web is getting blocked.

What's the exact error message you are getting, or what's the display when you try doing web access?


Craig Balfour Mon, 04/16/2007 - 23:43

Where are you applying the access-list to block telnet?

The correct way is to apply an access-list to the vty line interfaces using the access-class command.

Here is an example:

    ip access-list extended VTY-LOCKDOWN2
     permit tcp any eq 22 log
     deny tcp any any eq 22 log
     permit ip any any
    line vty 0 15
     access-class VTY-LOCKDOWN2 in

If the access-list is applied using the access-class command to the correct interface it should not affect web access to the router. However, if you apply the access-list using the access-group command on, say, interface fa0 you will end up blocking http access to your router and probably other protocols as well.

The correct way to control access to the web interface is to use the ip http access-class as follows:

    ip access-list standard 40
     ! permit statement for the trusted network was not preserved in this copy of the post
     deny any
    ip http access-class 40

Richard Burts Tue, 04/17/2007 - 03:46


If the objective is to permit only SSH and deny telnet then your access list is flawed because after denying tcp any any eq 22 you permit ip any any which would permit telnet.

And I believe that if the objective is to permit only SSH and deny telnet, a simpler approach is better: under the vty lines specify transport input ssh. This will allow ssh and will not allow telnet.

I agree with you that blocking telnet should not block HTTP access. Perhaps if we could see the configuration being used we could identify what is impacting the web access.



Craig Balfour Tue, 04/17/2007 - 04:04

Hi Rick,

Of course - you are correct. I copied this access-list directly from a reply I did a few days ago and forgot to update it.

A more appropriate access-list to permit SSH from a particular network and block telnet (any other remote terminal protocol) would be:

    ip access-list extended VTY-LOCKDOWN2
     permit tcp any eq 22
     deny tcp any any

As you say, an even better approach would be to just restrict the protocols available on the vty, and perhaps add an access-list to ensure that remote terminal access is restricted to the local LAN:

    ip access-list standard VTY-LOCKDOWN3
     ! permit statement for the local LAN was not preserved in this copy of the post
     deny any
    line vty 0 15
     transport input ssh
     access-class VTY-LOCKDOWN3 in

Richard Burts Tue, 04/17/2007 - 05:09


I certainly agree that the most secure implementation includes both the transport input ssh under the vty and an access class to restrict source addresses.

My experience with access-class on the vty is that using standard access lists works best. The complexity introduced by extended access lists for access class is generally not worth it.
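The thread's three recommendations (transport input ssh on every vty line, an inbound access-class on every vty line, and ip http access-class whenever the HTTP server is on) can be turned into a quick audit of a saved running-config. The following script is an added example written for this page, not code from any of the posters; the ACL names, the sample config and the addresses in it are constructed for illustration.

```python
import re

# Constructed running-config fragment: vty 0-4 follows the thread's advice,
# vty 5-15 still allows telnet and has no access-class.
SAMPLE_CONFIG = """\
ip access-list standard VTY-LOCKDOWN3
 permit 10.0.0.0 0.0.0.255
 deny any
ip http server
ip http access-class 40
line con 0
 login
line vty 0 4
 transport input ssh
 access-class VTY-LOCKDOWN3 in
line vty 5 15
 transport input telnet ssh
"""

def parse_sections(config):
    """Split an IOS-style config into (top-level command, [indented sub-commands])."""
    sections = []
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):
            if sections:
                sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections

def audit(config):
    """Return a list of findings about remote-management exposure."""
    findings = []
    sections = parse_sections(config)
    http_on = any(h in ("ip http server", "ip http secure-server") for h, _ in sections)
    http_acl = any(h.startswith("ip http access-class") for h, _ in sections)
    if http_on and not http_acl:
        findings.append("http: server enabled without 'ip http access-class'")
    for header, children in sections:
        if not re.match(r"line vty \d+", header):
            continue
        transports = [c for c in children if c.startswith("transport input")]
        # The last transport input statement wins; only ssh (or none) is acceptable.
        if not transports or transports[-1] not in ("transport input ssh", "transport input none"):
            findings.append(f"{header}: transport input is not restricted to ssh")
        if not any(c.startswith("access-class") and c.endswith(" in") for c in children):
            findings.append(f"{header}: no inbound access-class")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```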
