Monday, June 10, 2019

Cisco Router as an HTTPS server


How to configure Cisco router to work as an HTTPS server


As we know, HTTPS is the secure version of the HTTP protocol, and configuring it on a Cisco router gives you several options for controlling how encrypted data is sent and received by the router.

I will start by configuring a simple topology consisting of two routers, one working as the server and the other as the client.


HTTP will be disabled on the router and only HTTPS will be enabled.


Server configuration:
You need to enable Telnet on your Line VTY

#no ip http server [disables the plaintext HTTP server; see "HTTP server status: Disabled" in the output below]
#ip http secure-server [enables the secure server connection "HTTPS"]
#ip http secure-ciphersuite 3des-ede-cbc-sha [restricts the server to the 3DES-EDE-CBC-SHA ciphersuite]
#ip http secure-port 4143 [changes the HTTPS port to 4143 instead of 443]
#ip http max-connections 2 [limits the incoming connections to 2]
#access-list 10 permit 192.168.1.0 0.0.0.255 log [access list that permits only 192.168.1.0/24 and logs the hits]
#ip http access-class 10 [applies access list 10 to the HTTP/HTTPS server; see "HTTP server access class: 10" in the output below]

Verify:
HTTP-SERVER#show ip http server status
HTTP server status: Disabled
HTTP server port: 80
HTTP server active supplementary listener ports:
HTTP server authentication method: enable
HTTP server digest algorithm: md5
HTTP server access class: 10
HTTP server base path:
HTTP server help root:
Maximum number of concurrent server connections allowed: 2
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Maximum number of requests allowed on a connection: 1
Server linger time : 60 seconds
HTTP server active session modules: ALL
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 4143
HTTP secure server ciphersuite: 3des-ede-cbc-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL
HTTP-SERVER#sho ip http server connection
HTTP server current connections:
local-ipaddress:port  remote-ipaddress:port in-bytes   out-bytes
    192.168.1.1:4143      192.168.1.2:23074 0          0        
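As an added example (not part of the original post), the following Python script parses the "show ip http server status" output above and checks it against the intended hardening: plaintext HTTP off, HTTPS on the expected port, the access class bound, a connection limit in place, a trustpoint present and a ciphersuite that is not 3DES. The sample text is constructed from the output shown above and the expected port, access class and connection limit are assumptions taken from this post.

```python
# Constructed sample: the "show ip http server status" output from the post,
# trimmed to the fields the check reads.
SAMPLE_STATUS = """\
HTTP server status: Disabled
HTTP server port: 80
HTTP server access class: 10
Maximum number of concurrent server connections allowed: 2
HTTP secure server status: Enabled
HTTP secure server port: 4143
HTTP secure server ciphersuite: 3des-ede-cbc-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
"""


def parse_status(text):
    """Turn 'Key: value' lines into a dict; an empty value (e.g. no trustpoint) maps to ''."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit(fields, expected_port="4143", expected_acl="10", max_conn=2):
    """Compare the parsed status against the hardening intent; return a list of findings."""
    findings = []
    if fields.get("HTTP server status") != "Disabled":
        findings.append("plaintext HTTP server still enabled")
    if fields.get("HTTP secure server status") != "Enabled":
        findings.append("HTTPS server not enabled")
    if fields.get("HTTP secure server port") != expected_port:
        findings.append("HTTPS port does not match policy")
    if fields.get("HTTP server access class") != expected_acl:
        findings.append("expected access class not bound to the HTTP(S) server")
    # An empty trustpoint means the router falls back to a self-signed certificate.
    if not fields.get("HTTP secure server trustpoint"):
        findings.append("no trustpoint: self-signed certificate in use")
    # 3DES suites have a 64-bit block size and are considered weak today; flag them.
    if "3des" in fields.get("HTTP secure server ciphersuite", "").lower():
        findings.append("3DES ciphersuite selected; prefer an AES suite if the platform supports one")
    limit = fields.get("Maximum number of concurrent server connections allowed", "")
    if not limit.isdigit() or int(limit) > max_conn:
        findings.append("connection limit missing or above policy")
    return findings


def audit_sample():
    """Run the audit over the constructed sample output."""
    return audit(parse_status(SAMPLE_STATUS))
```

On the sample output the audit reports two findings, the missing trustpoint and the 3DES suite, while the port, access class and connection limit all pass.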

Access list logs:
This log is generated after an HTTPS connection is established from the server to itself.

*Jun 10 06:52:57.305: %SEC-6-IPACCESSLOGNP: list 10 permitted 0 192.168.1.1 -> 0.0.0.0, 1 packet

This log is generated after an HTTPS connection is established from another router (client 192.168.1.2):
*Jun 10 06:54:22.992: %SEC-6-IPACCESSLOGNP: list 10 permitted 0 192.168.1.2 -> 0.0.0.0, 3 packets


Another command lets you check the connection history:
HTTP-SERVER#show ip http server history

HTTP server history:
local-ipaddress:port  remote-ipaddress:port in-bytes   out-bytes  end-time
    192.168.1.1:80        192.168.1.2:41994 14         122        06:38:11 06/10
    192.168.1.1:4143      192.168.1.2:13699 0          0          06:51:30 06/10
    192.168.1.1:4143      192.168.1.1:29427 0          0          06:52:58 06/10
    192.168.1.1:4143      192.168.1.2:12248 0          0          06:55:41 06/10

As you can see above, the first line shows an old entry for an HTTP session even though I have disabled HTTP on the router.


Now have a look at what happens if we try to connect over HTTPS from the client using its loopback0 (2.2.2.2):

R2-CLIENT#telnet 192.168.1.1 4143 /source-interface loopback0
Trying 192.168.1.1, 4143 ...
% Connection refused by remote host

While if I change the source to the E0/0 interface (192.168.1.2) it will succeed:

R2-CLIENT#telnet 192.168.1.1 4143 /source-interface e0/0
Trying 192.168.1.1, 4143 ... Open

HTTP-SERVER#show ip access-lists
Standard IP access list 10
    10 permit 192.168.1.0, wildcard bits 0.0.0.255 log (8 matches)
    20 deny   any (3 matches)
HTTP-SERVER#



Samer R. Saleem
