
http server enable

Enables the HTTP server on the Cisco ASA to allow HTTPS access for ASDM management.

Overview

The 'http server enable' command activates the HTTP/HTTPS server on the Cisco ASA firewall, allowing web-based management via Adaptive Security Device Manager (ASDM) or other HTTPS clients. This command is essential for administrators who prefer a graphical interface over the command-line interface (CLI). The HTTP server listens on TCP port 443 by default, but can be configured to use a custom port. Once enabled, the ASA will accept HTTPS connections from hosts permitted by the 'http access-list' command. The server supports SSL/TLS encryption for secure communication. In troubleshooting workflows, verifying that the HTTP server is enabled is the first step when ASDM connectivity fails. The command is straightforward but must be paired with proper access control and authentication settings to ensure security. Platform-specific behavior: On ASA, the HTTP server is distinct from the Telnet/SSH servers and does not affect other management protocols. It is supported in all software versions, but some older versions may require additional licensing for ASDM access.

Syntax (Global Config)

http server enable [port_number]

When to Use This Command

  • Enable ASDM access for remote management of the ASA.
  • Allow HTTPS-based GUI management for less experienced administrators.
  • Provide secure web-based monitoring and configuration capabilities.
  • Enable integration with Cisco Security Manager or other management tools.

Parameters

Parameter | Syntax | Description
port | port_number | Specifies the TCP port for the HTTP server. If omitted, defaults to 443. Must be between 1024 and 65535 or use well-known ports (e.g., 80) but avoid conflicts.

Command Examples

Enable HTTP server on default port

http server enable
ciscoasa(config)# http server enable
ciscoasa(config)#

The command enables the HTTP server on the default port 443. No output indicates success.

Enable HTTP server on a custom port

http server enable 8443
ciscoasa(config)# http server enable 8443
ciscoasa(config)#

Enables the HTTP server on TCP port 8443 instead of the default 443. Useful if port 443 is blocked.

Understanding the Output

The command 'http server enable' does not produce verbose output; a successful execution returns to the prompt without error messages. To verify the HTTP server status, use 'show running-config | include http server' or 'show asp table socket | include SSL'. A healthy state shows the server enabled with the configured port. If the server is disabled, the command output will show 'no http server enable'. If the server fails to start, check for conflicting services or license restrictions.

Configuration Scenarios

Basic ASDM Access Setup

A network administrator wants to manage an ASA from a management workstation at 192.168.1.100.

Topology

[Management PC]---(192.168.1.0/24)---[ASA (inside: 192.168.1.1)]

Steps

  1. Enable HTTP server on default port.
  2. Configure an access list to permit the management host.
  3. Apply the access list to the HTTP server.

Configuration

! Enable HTTP server
http server enable
! Permit management host
access-list MGMT_HTTP extended permit tcp host 192.168.1.100 any eq https
! Apply access list to HTTP server
http access-list MGMT_HTTP

Verify: From the management PC, open a browser to https://192.168.1.1 and verify that the ASDM login page appears.

Watch out: If the management host is on a different interface, ensure the 'http' command includes the interface name (e.g., 'http 192.168.1.0 255.255.255.0 inside').

Custom Port for HTTP Server

Port 443 is blocked by an upstream firewall; the admin uses port 8443 instead.

Topology

[Management PC]---(Internet)---[ASA (outside: 203.0.113.1)]

Steps

  1. Enable HTTP server on port 8443.
  2. Configure ACL to permit management host from outside.
  3. Apply ACL to HTTP server on outside interface.

Configuration

! Enable HTTP server on port 8443
http server enable 8443
! Permit management host
access-list OUTSIDE_MGMT extended permit tcp host 198.51.100.50 any eq 8443
! Apply ACL to HTTP server on outside interface
http access-list OUTSIDE_MGMT outside

Verify: From the management host, browse to https://203.0.113.1:8443 and confirm ASDM loads.

Watch out: Remember to include the port number in the URL; also ensure NAT or routing allows return traffic.

Troubleshooting with This Command

When ASDM cannot connect to the ASA, first verify the HTTP server is enabled with 'show running-config | include http server'. If not present, enable it. Next, check the HTTP access list with 'show access-list' to ensure the management host is permitted. Use 'show asp table socket | include SSL' to confirm the ASA is listening on the expected port. If the socket shows 'LISTEN', the server is running. If not, check for conflicting services (e.g., another process using the same port). Also verify that the management interface has an IP address and is up. If using HTTPS, ensure SSL/TLS settings are compatible with the browser (e.g., 'ssl server-version tlsv1.2'). For connectivity issues, use packet tracer or capture to see if packets are being dropped. Common errors include 'connection refused' (server not enabled or wrong port) or 'timeout' (ACL blocking). Finally, check the ASA logs with 'show log' for HTTP-related messages.
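The first two checks above can also be run offline against a saved running-config. The following is an added example, not code from the original page or from Cisco: it parses 'http server enable' and the 'http <ip> <mask> <interface>' permit form quoted in the Watch-out note earlier, and flags broad management exposure. The sample config, the function name audit_http_mgmt, and the untrusted-interface and /24 policy values are assumptions.

```python
import ipaddress
import re

# Constructed sample: a saved 'show running-config' excerpt (not from a real device).
SAMPLE_CONFIG = """\
hostname ciscoasa
http server enable 8443
http 192.168.1.100 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
"""

SERVER_RE = re.compile(r"^http server enable(?:\s+(\d+))?\s*$")
PERMIT_RE = re.compile(r"^http\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$")


def audit_http_mgmt(config, untrusted_ifaces=("outside",), min_prefix=24):
    """Return (port, permits, findings) for the ASA HTTPS management server.

    port is None when 'http server enable' is absent; untrusted_ifaces and
    min_prefix are policy assumptions made for this example.
    """
    port, permits, findings = None, [], []
    for raw in config.splitlines():
        line = raw.strip()
        m = SERVER_RE.match(line)
        if m:
            port = int(m.group(1) or 443)  # the page gives 443 as the default
            continue
        m = PERMIT_RE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            permits.append((net, m.group(3)))
    if port is None:
        findings.append("http server not enabled: ASDM connections will be refused")
        return port, permits, findings
    if not permits:
        findings.append("server enabled but no 'http <ip> <mask> <if>' permit line found")
    for net, iface in permits:
        if net.prefixlen == 0:
            findings.append(f"any source permitted on {iface}")
        elif iface in untrusted_ifaces and net.prefixlen < min_prefix:
            findings.append(f"{net} on {iface} is broader than /{min_prefix}")
        elif iface in untrusted_ifaces:
            findings.append(f"management reachable from {net} on untrusted {iface}")
    return port, permits, findings
```

Pass the text of a saved configuration to audit_http_mgmt and review each finding against the site's management-access policy.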

CCNA Exam Tips

  1. Remember that 'http server enable' is required for ASDM access; without it, HTTPS connections are refused.
  2. The default port is 443; you can change it with the port parameter, but ensure ACLs allow the custom port.
  3. On ASA, the HTTP server is separate from the HTTPS server for management; both may need to be enabled.

Common Mistakes

  • Forgetting to configure 'http access-list' to permit management hosts, resulting in connection timeouts.
  • Enabling the HTTP server without also enabling HTTPS (via 'ssl server-version' or similar) if using HTTPS.
  • Using a port number that conflicts with other services (e.g., 80 for HTTP) without proper ACLs.

Platform Notes

On Cisco ASA, the 'http server enable' command is specific to the ASA platform and differs from IOS where 'ip http server' is used. The ASA HTTP server is tightly integrated with ASDM and supports only HTTPS (not plain HTTP) for security. In contrast, IOS devices may support both HTTP and HTTPS. On ASA, the HTTP server is disabled by default and must be explicitly enabled. There is no equivalent command on NX-OS or IOS-XE; those platforms use 'ip http server' or 'ip http secure-server'. Version differences: ASA 8.0 and later support this command; earlier versions may require a different syntax. The command is available in both single and multiple context modes, but in multiple context mode, it must be configured in the system context.
