Cisco 800 Series – Resolving HTTP Interface Unavailability

cisco cisco-ios

I've got a running 800 series router. It is presenting an HTTP interface on port 8080 and it requests credentials when the IP:port is opened in a browser, but I cannot get past the authentication.

I am able to access via SSH and can see what appears to be valid HTTP configuration; I am at a loss as to what might be amiss.

From the running config I can see the following:

aaa authentication login default local
...
ip http server
ip http port 8080
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
...
username patrick password 7 0512091A2C595D1D0D0D1E1C000509393F31383A31

The router is reporting that the HTTP server is configured:

#show ip http server all
HTTP server status: Enabled
HTTP server port: 8080
HTTP server active supplementary listener ports:
HTTP server authentication method: local

Everything else looks normal; I can see history of my connection attempts and all the modules are showing as active.

I've tried enabling IP HTTP debugging (debug ip http authentication) but I see nothing when I make an attempt to log in via a browser.

Any thoughts on what I've missed out on here? I didn't configure this from scratch so there may be some weirdness elsewhere in the config, but I'm at a loss to work out what to check next.

!
! Last configuration change at 10:55:01 BST Wed May 3 2017
! NVRAM config last updated at 12:14:21 BST Thu May 25 2017
!
version 15.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service linenumber
!
hostname HOSTNAME
!
boot-start-marker
boot system flash flash:/c800-universalk9-mz.SPA.154-3.M7.bin
warm-reboot
boot-end-marker
!
!
logging buffered 51200
enable secret 5 0000000000000
!
aaa new-model
!
!
aaa authentication banner C
*******************************************************************************
aaa authentication login default local
aaa authentication login NO_AUTHEN none
aaa authentication login SSLVPN local
aaa authorization exec default local 
aaa authorization network groupauthor local 
!
!
!
!
!
aaa session-id common
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TRUSTPOINT
 enrollment selfsigned
 ip-address 80.70.60.50
 subject-name CN=remote.HOSTNAMEgroup.com
 revocation-check crl
 rsakeypair SSLVPN_KEYPAIR
!
!
crypto pki certificate chain TRUSTPOINT
 certificate self-signed 01
  xxx
    quit
!
!
!
!
!
!
!
!


!
!
!
!
ip flow-cache timeout active 1
ip domain name HOSTNAME.LOCAL
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
cts logging verbose
license udi pid C887VA-W-E-K9 sn FCZ1921C2P3
!
!
username Patrick password 7 0512091A2C595D1D0D0D1E1C000509393F31383A31  
!
crypto vpn anyconnect flash:/webvpn/anyconnect-win-4.4.00243-webdeploy-k9.pkg sequence 1
!
crypto vpn anyconnect flash:/webvpn/anyconnect-macosx-i386-4.2.02075-k9.pkg sequence 2
!
!
!
!
!
controller VDSL 0
!
! 
!
crypto isakmp policy 50
 encr 3des
 hash md5
 authentication pre-share
 group 14
!
crypto isakmp policy 55
 encr 3des
 authentication pre-share
 group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 20
!
crypto isakmp client configuration group HOSTNAMEGroup
 key Q31h23rlNn1B57p9w0D4VwlxX78CTr74NH
 dns 192.168.50.2
 wins 192.168.50.2
 domain HOSTNAME.local
 pool VPN_CLIENTS
 acl 109
crypto isakmp profile VPNCLIENT
   match identity group VPN_CLIENTS
   client authentication list local
   isakmp authorization list groupauthor
   client configuration address respond
!
!
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac 
 mode tunnel
crypto ipsec df-bit clear
!
crypto ipsec profile VTI
 set transform-set 3DES 
!
!
!
crypto dynamic-map DYNAMIC_MAP 10
 set transform-set 3DES 
 set isakmp-profile VPNCLIENT
!
!
crypto map HOSTNAME_RAS_VPN 10 ipsec-isakmp dynamic DYNAMIC_MAP 
!
!
!
!
!
!
interface Loopback0
 no ip address
!
interface Tunnel65535
 description HOSTNAME to MSP_VPNCORE TunnelTunnel65535
 ip address 10.99.199.2 255.255.255.252
 ip mtu 1374
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 ip load-sharing per-packet
 ip tcp adjust-mss 1334
 tunnel source 80.70.60.50
 tunnel mode ipsec ipv4
 tunnel destination 190.160.120.90
 tunnel sequence-datagrams
 tunnel checksum
 tunnel path-mtu-discovery
 tunnel protection ipsec profile VTI
!
interface Ethernet0
 no ip address
 shutdown
!
interface FastEthernet0
 switchport access vlan 50
 no ip address
 duplex full
 speed 100
!
interface FastEthernet1
 switchport access vlan 82
 no ip address
 duplex full
 speed 100
!
interface FastEthernet2
 switchport access vlan 50
 no ip address
 duplex full
 speed 100
!
interface FastEthernet3
 switchport access vlan 50
 no ip address
 duplex full
 speed 100
!
interface Wlan-GigabitEthernet0
 switchport access vlan 50
 no ip address
!
interface wlan-ap0
 ip unnumbered Vlan50
!
interface Vlan1
 no ip address
 ip virtual-reassembly in
!
interface Vlan50
 ip address 192.168.50.1 255.255.255.0
 ip helper-address 192.168.50.2
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan82
 ip address 80.70.60.50 255.255.255.248
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 crypto map HOSTNAME_RAS_VPN
!
router eigrp 65535
 traffic-share min across-interfaces
 network 10.99.199.0 0.0.0.3
 network 10.168.50.0 0.0.0.255
 network 192.168.50.0
 passive-interface default
 no passive-interface Tunnel65535
 no passive-interface Vlan50
 no eigrp log-neighbor-changes
!
ip local pool NAT_POOL 10.168.50.0 10.168.50.255
ip local pool VPN_CLIENTS 192.168.50.220 192.168.50.229
ip local pool WEBVPN-POOL 192.168.50.230 192.168.50.234
ip forward-protocol nd
ip http server
ip http port 8080
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-export source Vlan82
ip flow-export version 9
ip flow-export destination 192.168.50.2 9996
ip flow-export destination 192.168.50.2 12245
ip flow-top-talkers
 top 20
 sort-by bytes
 cache-timeout 360
 match destination address 0.0.0.0 0.0.0.0
!
no ip nat service sip udp port 5060
ip nat pool HOSTNAME 10.168.50.0 10.168.50.255 prefix-length 24 type match-host
ip nat inside source list 101 interface Vlan82 overload
ip nat inside source static tcp 192.168.50.2 3389 interface Vlan82 3389
ip nat inside source static tcp 192.168.50.2 80 interface Vlan82 80
ip nat inside source static tcp 192.168.50.2 443 interface Vlan82 443
ip nat inside source static tcp 192.168.50.2 1723 interface Vlan82 1723
ip nat inside source static tcp 192.168.50.2 987 interface Vlan82 987
ip nat inside source static tcp 192.168.50.2 4125 interface Vlan82 4125
ip nat inside source static tcp 192.168.50.2 25 interface Vlan82 25
ip nat inside source static tcp 192.168.50.50 990 interface Vlan82 990
ip nat inside source static udp 192.168.50.50 990 interface Vlan82 990
ip nat inside source static tcp 192.168.50.50 50000 interface Vlan82 50000
ip nat inside source static udp 192.168.50.50 50000 interface Vlan82 50000
ip nat inside source static tcp 192.168.50.50 50001 interface Vlan82 50001
ip nat inside source static udp 192.168.50.50 50001 interface Vlan82 50001
ip nat inside source static tcp 192.168.50.50 50002 interface Vlan82 50002
ip nat inside source static udp 192.168.50.50 50002 interface Vlan82 50002
ip nat inside source static tcp 192.168.50.50 50003 interface Vlan82 50003
ip nat inside source static udp 192.168.50.50 50003 interface Vlan82 50003
ip nat inside source static tcp 192.168.50.50 50004 interface Vlan82 50004
ip nat inside source static udp 192.168.50.50 50004 interface Vlan82 50004
ip nat inside source static tcp 192.168.50.50 50005 interface Vlan82 50005
ip nat inside source static udp 192.168.50.50 50005 interface Vlan82 50005
ip nat inside source static tcp 192.168.50.50 50006 interface Vlan82 50006
ip nat inside source static udp 192.168.50.50 50006 interface Vlan82 50006
ip nat inside source static tcp 192.168.50.50 50007 interface Vlan82 50007
ip nat inside source static udp 192.168.50.50 50007 interface Vlan82 50007
ip nat inside source static tcp 192.168.50.50 50008 interface Vlan82 50008
ip nat inside source static udp 192.168.50.50 50008 interface Vlan82 50008
ip nat inside source static tcp 192.168.50.50 50009 interface Vlan82 50009
ip nat inside source static udp 192.168.50.50 50009 interface Vlan82 50009
ip nat inside source static tcp 192.168.50.50 50010 interface Vlan82 50010
ip nat inside source static udp 192.168.50.50 50010 interface Vlan82 50010
ip nat inside source static tcp 192.168.50.7 22 interface Vlan82 22
ip nat inside source static tcp 192.168.50.7 9090 interface Vlan82 9090
ip nat inside source static 192.168.50.1 10.168.50.1 route-map MSP extendable
ip nat inside source static 192.168.50.2 10.168.50.2 route-map MSP extendable
ip nat inside source static 192.168.50.3 10.168.50.3 route-map MSP extendable
ip nat inside source static 192.168.50.10 10.168.50.10 route-map MSP extendable
ip route 0.0.0.0 0.0.0.0 80.70.60.52
ip route 190.160.120.90 255.255.255.255 80.70.60.52
ip ssh port 2220 rotary 1
ip ssh source-interface Vlan50
ip ssh rsa keypair-name HOSTNAMEgroup.com
ip ssh version 2
!
ip access-list standard ACL_SPLIT_TUNNEL
!
ip access-list extended ACL_Outside_In
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 255.0.0.0 0.255.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip host 0.0.0.0 any
 deny   ip host 255.255.255.255 any
 permit tcp any any established
 permit udp any eq domain any
 permit udp any eq ntp any
 permit icmp any any unreachable
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any traceroute
 permit icmp any any administratively-prohibited
 permit icmp any any echo
 permit esp host 80.160.170.70 any
 permit udp host 80.160.170.70 any eq isakmp
 permit udp host 80.160.170.70 any eq non500-isakmp
 permit udp any any gt 1023
 remark permit udp any any
 deny   icmp any any
 deny   udp any any log
 deny   tcp any any log
 deny   ip any any log
ip access-list extended RAS_VPN_CLIENTS
 permit ip any host 192.168.50.220
 permit ip any host 192.168.50.221
 permit ip any host 192.168.50.222
 permit ip any host 192.168.50.223
 permit ip any host 192.168.50.224
 permit ip any host 192.168.50.225
 permit ip any host 192.168.50.226
 permit ip any host 192.168.50.227
 permit ip any host 192.168.50.228
 permit ip any host 192.168.50.229
!
logging trap debugging
logging source-interface Loopback0
dialer-list 1 protocol ip permit
!
route-map MSP permit 10
 match ip address 199
 match interface Tunnel65535
!
snmp-server community public RO
snmp-server ifindex persist
snmp-server packetsize 4096
snmp-server location HOSTNAME Group
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps flowmon
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps license
snmp-server enable traps envmon
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps c3g
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps adslline
snmp-server enable traps vdsl2line
snmp-server enable traps mac-notification
snmp-server enable traps energywise
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps bfd
snmp-server enable traps bgp
snmp-server enable traps memory bufferpeak
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps ipsla
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps pw vc
snmp-server enable traps firewall serverstatus
snmp-server enable traps ipmobile
snmp-server enable traps nhrp nhs
snmp-server enable traps nhrp nhc
snmp-server enable traps nhrp nhp
snmp-server enable traps nhrp quota-exceeded
snmp-server enable traps gdoi gm-start-registration
snmp-server enable traps gdoi gm-registration-complete
snmp-server enable traps gdoi gm-re-register
snmp-server enable traps gdoi gm-rekey-rcvd
snmp-server enable traps gdoi gm-rekey-fail
snmp-server enable traps gdoi ks-rekey-pushed
snmp-server enable traps gdoi gm-incomplete-cfg
snmp-server enable traps gdoi ks-no-rsa-keys
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps vrfmib vrf-up vrf-down
access-list 101 deny   ip 192.168.50.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.50.0 0.0.0.255 any
access-list 102 permit ip 192.168.50.0 0.0.0.255 any
access-list 103 permit ip 192.168.50.0 0.0.0.255 10.99.1.0 0.0.0.255
access-list 103 permit ip 192.168.50.0 0.0.0.255 10.240.168.128 0.0.0.31
access-list 103 permit ip 192.168.50.0 0.0.0.255 10.240.140.0 0.0.0.31
access-list 103 permit ip 192.168.50.0 0.0.0.255 10.99.15.0 0.0.0.255
access-list 104 permit ip host 192.168.50.201 192.168.50.0 0.0.0.255
access-list 104 permit ip host 192.168.50.202 192.168.50.0 0.0.0.255
access-list 104 permit ip host 192.168.50.203 192.168.50.0 0.0.0.255
access-list 104 permit ip host 192.168.50.204 192.168.50.0 0.0.0.255
access-list 104 permit ip host 192.168.50.205 192.168.50.0 0.0.0.255
access-list 109 permit ip any host 192.168.50.220
access-list 109 permit ip any host 192.168.50.221
access-list 109 permit ip any host 192.168.50.222
access-list 109 permit ip any host 192.168.50.223
access-list 109 permit ip any host 192.168.50.224
access-list 109 permit ip any host 192.168.50.225
access-list 109 permit ip any host 192.168.50.226
access-list 109 permit ip any host 192.168.50.227
access-list 109 permit ip any host 192.168.50.228
access-list 109 permit ip any host 192.168.50.229
access-list 199 permit ip 192.168.50.0 0.0.0.255 10.99.0.0 0.0.255.255
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
alias exec ap service-module wlan-ap0 session
!
line con 0
 exec-timeout 0 0
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 rotary 1
 transport input ssh
!
scheduler allocate 20000 1000
ntp source Vlan50
ntp server 2.uk.pool.ntp.org
ntp server 0.uk.pool.ntp.org minpoll 10
ntp server 1.uk.pool.ntp.org
ntp server 3.uk.pool.ntp.org
onep
!
!
!
!
webvpn gateway WEBVPN-GATEWAY
 ip address 80.70.60.50 port 9443  
 ssl encryption aes256-sha1
 ssl trustpoint TRUSTPOINT
 logging enable
 inservice
 !
webvpn context WEBVPN-CONTEXT
 title "HOSTNAME VPN"
 !
 acl "SSL-ACL"
   permit ip any 192.168.50.0 255.255.255.0
 login-message "HOSTNAME WebVPN"
 aaa authentication list SSLVPN
 gateway WEBVPN-GATEWAY
 max-users 8
 !
 ssl authenticate verify all
 !
 url-list "rewrite"
 inservice
 !
 policy group WEBVPNPOLICY
   functions svc-enabled
   filter tunnel SSL-ACL
   svc address-pool "WEBVPN-POOL" netmask 255.255.255.0
   svc default-domain "HOSTNAME.local"
   svc rekey method new-tunnel
   svc split include 192.168.50.0 255.255.255.0
   svc dns-server primary 192.168.50.2
   svc wins-server primary 192.168.50.2
 default-group-policy WEBVPNPOLICY
!
end

Best Answer

Try to increase privilege for the user by executing the following:

username Patrick privilege 15 password 7 0512091A2C595D1D0D0D1E1C000509393F31383A31 

Do you receive some error message when trying?

Are you sure that you are using the correct username?

(Note: "patrick" is listed in the config snippet, "Patrick" can be seen in the running config)
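
The two checks from the answer above (privilege level and username case), applied to a saved running config. This is an added example, not part of the original question or answer; `audit_http_login`, `parse_users` and the sample text are hypothetical names and constructed input, and it assumes a `username` line without a `privilege` keyword means level 1.

```python
import re

# Constructed sample: the user and HTTP lines from the question's running
# config, with the password hash replaced by a placeholder.
SAMPLE_CONFIG = """\
aaa authentication login default local
username Patrick password 7 <hash>
ip http server
ip http port 8080
ip http authentication local
no ip http secure-server
"""

USER_RE = re.compile(r"^username\s+(\S+)(.*)$")
PRIV_RE = re.compile(r"\bprivilege\s+(\d+)")


def parse_users(config):
    """Map each local username to its privilege level (1 when not stated)."""
    users = {}
    for line in config.splitlines():
        m = USER_RE.match(line.strip())
        if m:
            priv = PRIV_RE.search(m.group(2))
            users[m.group(1)] = int(priv.group(1)) if priv else 1
    return users


def audit_http_login(config, typed_user):
    """Hypothetical helper: list reasons a web login as typed_user may fail."""
    lines = {line.strip() for line in config.splitlines()}
    if "ip http authentication local" not in lines:
        return ["HTTP server does not use the local user database"]
    findings = []
    users = parse_users(config)
    matches = [u for u in users if u.lower() == typed_user.lower()]
    if not matches:
        return [f"no local user named {typed_user!r}"]
    for name in matches:
        if name != typed_user:
            findings.append(f"case differs: typed {typed_user!r}, configured {name!r}")
        if users[name] < 15:
            findings.append(f"{name!r} has privilege {users[name]}, not 15")
    if "ip http server" in lines and "ip http secure-server" not in lines:
        findings.append("plain HTTP only: the login is sent unencrypted")
    return findings


if __name__ == "__main__":
    for finding in audit_http_login(SAMPLE_CONFIG, "patrick"):
        print(finding)
```

After the answer's `privilege 15` change, and logging in as `Patrick`, only the plain-HTTP finding remains.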