http [source] [mask] [intf]
Configures HTTP access to the ASA for management via ASDM or browser, restricting access to specific source IPs or subnets on a given interface.
Overview
The http command on the Cisco ASA firewall is used to define which source IP addresses or subnets are allowed to access the ASA's HTTP/HTTPS management interface. This is essential for using ASDM (Adaptive Security Device Manager) or any web-based management tool. Without at least one http command, the ASA will not respond to HTTP or HTTPS requests from any host. The command works in conjunction with the 'http server enable' or 'http enable' command (depending on ASA version), which activates the HTTP/HTTPS server on the device.
The concept behind this command is access control for management traffic. Unlike SSH or Telnet, which are configured separately, HTTP access is explicitly permitted by source IP. The mask parameter uses a wildcard mask (inverse mask) where 0 means 'must match' and 255 means 'ignore'. For example, 255.255.255.255 means all bits must match (single host), while 0.0.0.255 means the last octet can be anything (subnet).
When to use this command: whenever you plan to manage the ASA via ASDM or a web browser. It is typically configured on the inside or management interface. For security, it is best to restrict access to specific management hosts or subnets. Avoid using 0.0.0.0 0.0.0.0 which allows any source.
Platform-specific behavior: On Cisco ASA, the http command is part of the global configuration and does not require an ACL. The ASA checks the source IP of incoming HTTP/HTTPS packets against the configured http entries. If no match is found, the connection is dropped. This is different from IOS where HTTP access is controlled by ip http access-class.
In troubleshooting workflows, if ASDM cannot connect, first verify that 'http server enable' is configured, then check 'show running-config http' to ensure the management host's IP is permitted. Also check interface ACLs that might block the traffic.
http <source_ip> <mask> <interface_name>
When to Use This Command
- Allow ASDM access from a specific management workstation IP on the inside interface.
- Restrict HTTP access to a subnet of trusted administrators on the management interface.
- Enable HTTP access from a VPN pool subnet for remote management.
- Block all HTTP access by not configuring any http command.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| source_ip | A.B.C.D | The source IP address or network to be permitted. This is the IP address of the management host or the network address of the subnet. |
| mask | A.B.C.D (wildcard mask) | The wildcard mask that determines which bits of the source IP must match. For a single host, use 255.255.255.255. For a subnet, use the inverse of the subnet mask (e.g., 0.0.0.255 for /24). |
| interface_name | string | The name of the ASA interface on which HTTP access is allowed. This must be a configured interface name (e.g., inside, outside, management). |
Command Examples
Allow ASDM from a single host on inside interface
http 192.168.1.100 255.255.255.255 inside
This command permits HTTP/HTTPS access to the ASA from host 192.168.1.100 on the inside interface. The mask 255.255.255.255 specifies a single host.
Allow HTTP access from a subnet on management interface
http 10.10.10.0 255.255.255.0 management
This command permits HTTP/HTTPS access from the entire 10.10.10.0/24 subnet on the management interface. Useful for allowing multiple admins.
Remove an HTTP access rule
no http 192.168.1.100 255.255.255.255 inside
This removes the previously configured HTTP access entry. After removal, the host 192.168.1.100 can no longer access the ASA via HTTP/HTTPS on the inside interface.
Understanding the Output
The http command itself does not produce output when entered. To verify configured HTTP access rules, use 'show running-config http' or 'show http'. The output of 'show running-config http' lists each http command line. For example:
http 192.168.1.100 255.255.255.255 inside
http 10.10.10.0 255.255.255.0 management
Each line represents a permitted source. If no lines appear, HTTP access is not configured. A healthy configuration shows only the necessary entries; problem values include overly permissive entries like 'http 0.0.0.0 0.0.0.0 inside', which allows all sources.
Configuration Scenarios
Basic ASDM Access from Management Subnet
A network administrator wants to manage the ASA from a dedicated management subnet 192.168.10.0/24 on the inside interface.
Topology
Management Host (192.168.10.50) --- Switch --- ASA (inside: 192.168.10.1)
Steps
1. Enable the HTTP server: http server enable
2. Allow the management subnet: http 192.168.10.0 0.0.0.255 inside
!
http server enable
http 192.168.10.0 0.0.0.255 inside
!
Verify: Use 'show running-config http' to confirm the entry. From a management host, open a browser to https://192.168.10.1 and verify that the ASDM login page appears.
Watch out: Ensure the management host has a route to the ASA inside interface. Also, if the ASA has an ACL on the inside interface, it must permit HTTPS (TCP 443) from the management subnet.
Allow Multiple Specific Hosts
Two specific administrators need access from different IPs on the outside interface for remote management.
Topology
Admin1 (203.0.113.5) --- Internet --- ASA (outside: 198.51.100.1)
Admin2 (203.0.113.10) --- Internet --- ASA
Steps
1. Enable HTTP server: http server enable
2. Allow Admin1: http 203.0.113.5 255.255.255.255 outside
3. Allow Admin2: http 203.0.113.10 255.255.255.255 outside
!
http server enable
http 203.0.113.5 255.255.255.255 outside
http 203.0.113.10 255.255.255.255 outside
!
Verify: Check 'show running-config http' for two entries. Test connectivity from each admin host.
Watch out: Exposing ASDM on the outside interface is risky. Use VPN or SSH instead. If necessary, also configure an ACL to limit access and enable logging.
Troubleshooting with This Command
When troubleshooting HTTP access to the ASA, follow these steps:
1. Verify the HTTP server is enabled: 'show running-config | include http server'. If not, configure 'http server enable'.
2. Check configured http entries: 'show running-config http'. Ensure the management host's IP is covered by an entry. If not, add the appropriate http command.
3. Verify interface status: 'show interface ip brief' to confirm the interface is up and has an IP address.
4. Check for ACLs blocking traffic: 'show access-list' and examine any ACL applied to the interface. The ACL must permit TCP port 443 (HTTPS) from the management host to the ASA interface IP.
5. Test connectivity from the management host: use telnet or nmap to check whether TCP port 443 is open on the ASA interface IP. For example, 'telnet <ASA_IP> 443' shows a blank screen if the port is open, or 'connection refused' if it is not.
6. Check routing: ensure the management host can reach the ASA interface IP. Use ping from the host to the ASA.
7. If using ASDM, ensure the correct version of Java is installed and that the browser supports ASDM.
8. Check ASA logs: 'show log' or 'debug http 255' (caution: high debug level) to see whether the ASA is receiving and processing HTTP requests.
Common issues: Forgetting to enable the HTTP server, using wrong wildcard mask, or having an ACL that denies the traffic. Also, if the ASA is in multi-context mode, HTTP access must be configured in each context.
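As an added example (not from the original page or Cisco), the following Python snippet automates troubleshooting step 2 and the checks in 'Understanding the Output': it parses constructed 'show running-config http' text, reports whether a management host is covered by an entry on a given interface, and flags the any-source and outside-interface entries the page warns about. It relies on Python's ipaddress module, which accepts the mask either as a netmask (255.255.255.0) or in inverse form (0.0.0.255), so both spellings used on this page resolve to the same /24.

```python
import ipaddress
import re

# Constructed sample of 'show running-config http' output (not captured from a real ASA).
# It combines the entries from this page's examples and scenarios plus one any-source entry.
SAMPLE_CONFIG = """\
http server enable
http server idle-timeout 20
http 192.168.1.100 255.255.255.255 inside
http 10.10.10.0 255.255.255.0 management
http 192.168.10.0 0.0.0.255 inside
http 0.0.0.0 0.0.0.0 outside
"""

# Only 'http <ip> <mask> <interface>' lines are access entries; 'http server ...'
# option lines (such as the idle-timeout above) are deliberately not matched.
HTTP_ENTRY = re.compile(r"^http\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")


def parse_http_config(text):
    """Return (server_enabled, [(IPv4Network, interface), ...]) from the config text."""
    enabled = False
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("http server enable", "http enable"):  # version-dependent spelling
            enabled = True
            continue
        m = HTTP_ENTRY.match(line)
        if m:
            src, mask, intf = m.groups()
            # ipaddress maps 255.255.255.255 -> /32, 255.255.255.0 or 0.0.0.255 -> /24,
            # and 0.0.0.0 -> /0 (any source); strict=False tolerates host bits in src.
            entries.append((ipaddress.IPv4Network((src, mask), strict=False), intf))
    return enabled, entries


def permitted_on(entries, host, interface):
    """True if the management host is covered by some http entry on that interface."""
    addr = ipaddress.IPv4Address(host)
    return any(addr in net and intf == interface for net, intf in entries)


def audit(text):
    """List the problem values the page calls out: server disabled, any-source entries,
    and ASDM exposed on the outside interface."""
    enabled, entries = parse_http_config(text)
    findings = []
    if not enabled:
        findings.append("http server is not enabled")
    for net, intf in entries:
        if net.prefixlen == 0:
            findings.append(f"any-source entry on {intf}")
        if intf == "outside":
            findings.append(f"ASDM exposed on outside interface from {net}")
    return findings
```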
CCNA Exam Tips
Remember that the http command is required for ASDM access; without it, ASDM cannot connect.
The mask is a wildcard mask, not a subnet mask. For a single host, use 255.255.255.255.
You can configure multiple http entries for different sources/interfaces.
Common Mistakes
Using a subnet mask instead of a wildcard mask (e.g., 255.255.255.0 instead of 0.0.0.255). This will cause the command to be rejected or behave unexpectedly.
Forgetting to enable HTTPS server with 'http server enable' or 'http enable' (depending on version).
Configuring http on an interface that is not reachable from the management host due to routing or ACLs.
Platform Notes
On Cisco ASA, the http command is used specifically for ASDM and web management. In contrast, on Cisco IOS routers, HTTP access is controlled by 'ip http access-class' and 'ip http server'. The ASA does not use the 'ip http' commands. Also, on ASA version 9.x and later, the 'http server enable' command is required; older versions used 'http enable'. The command syntax is consistent across ASA models (5510, 5520, etc.). For FTD (Firepower Threat Defense), management is done via FMC, and the http command is not used. On ASA with FirePOWER module, the http command still applies for the ASA portion. There is no direct equivalent on other platforms like Palo Alto or Check Point; each has its own management access configuration.