ip http server option

Unanswered Question
Oct 13th, 2007

Hi, I know many don't use the "ip http server" option but I do via the SDM. I was wondering can I just turn on https with "ip http secure-server" then turn off the http access?

What sort of rule would allow me to get on this from the internet address? I can get onto it via the VPN but not via the public IP, although I can using telnet.

Edison Ortiz Sat, 10/13/2007 - 16:59

You need to have http-server enabled to have secure-server.

You can create an ACL and apply it to the ip http server to allow only certain IPs.

Kevin Dorrell Sat, 10/13/2007 - 17:30

Sorry Edison, but the documentation seems to say differently:

"When enabling the secure HTTP server you should always disable the standard HTTP server to prevent insecure connections to the same services. Disable the standard HTTP server using the no ip http server command in global configuration mode (this is a precautionary step; typically, the HTTP server is disabled by default)."

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hnm_r/nmg_02h.htm#wp1030706

Kevin Dorrell

Luxembourg

whiteford Sat, 10/13/2007 - 21:44

Hi, I want to add that https rule so just my PC can access it. Do you have an example I could use?

Edison Ortiz Sun, 10/14/2007 - 06:55

In this example, your PC is using IP address 192.168.1.20:

ip http access-class 20
ip http secure-server
!
!
access-list 20 permit 192.168.1.20
!

Keep in mind, in order to turn on http secure-server, you need to run a k9 feature set. You can verify that you have a k9 feature set by typing show version and looking for this line:

"This product contains cryptographic features"
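Added example (not written by any poster in this thread): a small Python check that reads a saved configuration and reports whether the web server settings discussed above are locked down, following the documentation quoted earlier about disabling plain HTTP. The function name `audit_http_config` and both sample configs are constructed for illustration, and the parser assumes only the `ip http access-class <number>` and numbered `access-list` forms shown in the thread.

```python
import re

# Constructed sample configs: the first is the snippet posted in the thread,
# the second is a hypothetical router with both servers on and no ACL.
THREAD_CONFIG = """\
ip http access-class 20
ip http secure-server
!
access-list 20 permit 192.168.1.20
"""
WEAK_CONFIG = """\
ip http server
ip http secure-server
"""

def audit_http_config(config):
    """Return a list of findings for the web-management lines of a config."""
    http = https = False
    access_class = None
    acls = {}  # numbered ACL -> list of permitted sources
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("ip http server", "no ip http server"):
            http = not line.startswith("no ")        # last statement wins
        elif line in ("ip http secure-server", "no ip http secure-server"):
            https = not line.startswith("no ")
        elif m := re.fullmatch(r"ip http access-class (\S+)", line):
            access_class = m.group(1)
        elif m := re.fullmatch(r"access-list (\d+) (permit|deny) (.+)", line):
            permits = acls.setdefault(m.group(1), [])
            if m.group(2) == "permit":
                permits.append(m.group(3))
    findings = []
    if http:
        findings.append("plain HTTP server is enabled; use 'no ip http server'")
    if http or https:
        if access_class is None:
            findings.append("no 'ip http access-class' restricts the web server")
        elif access_class not in acls:
            findings.append(f"access-list {access_class} is not defined in this config")
        elif not acls[access_class]:
            findings.append(f"access-list {access_class} has no permit entry")
        elif any(src.split()[0] == "any" for src in acls[access_class]):
            findings.append(f"access-list {access_class} permits any source")
    return findings

if __name__ == "__main__":
    for name, cfg in (("thread", THREAD_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit_http_config(cfg) or "no findings")
```

The thread's snippet produces no findings; the constructed weak config is flagged both for plain HTTP and for the missing access class.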

whiteford Sun, 10/14/2007 - 07:20

As a Cisco novice, is it very common that most Cisco guys don't use the web feature? I suppose I could just turn it on when I want to.

Edison Ortiz Sun, 10/14/2007 - 08:52

Very rarely do I see people using the web service; if you know your way around the command-line interface, the http/s server is often disabled.
