
HTTP Server on Router Not Accessible — Firewall or ACL Blocking

Presenting Symptom

A user cannot access the HTTP server running on a Cisco router from a remote host, receiving a connection timeout or refused error.

Network Context

A small branch office with a Cisco ISR 4321 router running IOS-XE 16.9. The router's built-in HTTP server is enabled for remote management and serves the management web interface on TCP port 80. The remote host sits on a different subnet and reaches the router over a WAN link. An ACL is applied inbound on the router's WAN interface, and the Zone-Based Policy Firewall (ZBFW) is configured.

Diagnostic Steps

1. Verify that the HTTP server is enabled on the router

show ip http server status
HTTP server status: Enabled
HTTP server port: 80

If the server is disabled, the problem is local to the router and no ACL change will help: enable it (ip http server, or preferably ip http secure-server so that management traffic uses HTTPS) and retest. If it is enabled and listening on the expected port, proceed to check connectivity and ACLs.

2. Check that the remote host can reach the router's WAN IP

ping <router-WAN-IP>          (run from the remote host; the host OS prints its own format, the IOS-style line below is shown for comparison)
Success rate is 100 percent (5/5)

If ping succeeds, Layer 3 connectivity is fine and the problem is at the transport or application layer: an ACL or firewall policy matching on TCP port 80, or the server itself. If ping fails, either basic IP connectivity is broken (routing, WAN link) or the same inbound ACL is dropping ICMP as well; the deny counter and log messages in the next step tell the two cases apart.

3. Inspect the ACL applied to the WAN interface

show access-lists
Extended IP access list WAN_IN
    10 permit tcp host <mgmt-host-IP> host <router-WAN-IP> eq 80 (<count> matches)
    20 deny ip any any log (<count> matches)

Look for a permit entry for TCP port 80 whose source covers the remote host's subnet. Here the only HTTP permit matches a single management host, so requests from any other source address fall through to entry 20 and are dropped. Its match counter increments with every retry from the remote host, and because the entry carries the log keyword the router also emits %SEC-6-IPACCESSLOGP syslog messages naming the denied source address and port, which confirms which entry is eating the traffic. If no port 80 permit exists at all, or it sits below the deny, the ACL is blocking the traffic. Also note the interface and direction the ACL is bound to (next step).

4. Check that the ACL is applied to the correct interface in the correct direction

show running-config interface <WAN-interface>
interface GigabitEthernet0/0/0
 ip access-group WAN_IN in

show ip interface <WAN-interface> reports the same binding as "Inbound access list is WAN_IN" and "Outgoing access list is not set". Confirm the ACL is applied inbound: an outbound ACL on the WAN interface only filters traffic leaving toward the WAN and does nothing to incoming HTTP requests. Also verify that no other ACL or firewall rule is in the path, for example an ACL bound directly to the HTTP server with ip http access-class, which filters management access independently of the interface ACL.

5. Test the HTTP listener from the router itself

telnet <router-WAN-IP> 80          (from the router console)
Trying <router-WAN-IP>, 80 ... Open

"Open" means a TCP listener is up on port 80 and the server process is healthy. Note that this self-test does not pass through the WAN interface ACL: packets the router sends to one of its own addresses are handled internally, so a successful telnet here says nothing about whether remote traffic is being filtered. If it fails, the server is not listening on that port or a local control is blocking it, such as an ip http access-class list or a firewall policy on the self zone (on IOS-XE the firewall is the Zone-Based Policy Firewall rather than legacy ip inspect; see the next step).

6. Check for a Zone-Based Firewall policy on traffic to the router

show zone-pair security
Zone-pair name WAN-to-self
    Source-Zone WAN  Destination-Zone self
    service-policy HTTP-POLICY

Traffic addressed to the router's own interfaces belongs to the self zone. It is allowed by default, but as soon as a zone-pair with self as a member exists, any traffic its policy does not inspect or pass is dropped by class-default. For inbound HTTP the relevant pair is WAN to self; a self-to-WAN pair only governs connections the router itself originates. Use show policy-map type inspect zone-pair WAN-to-self to see which class-map TCP port 80 falls into and whether the drop counters are incrementing.

Root Cause

The inbound ACL on the WAN interface (WAN_IN) has no entry that permits TCP port 80 from the remote host's subnet: the only HTTP permit matches a single management host (or the permit is missing entirely), so the user's packets fall through to the deny ip any any entry and are dropped. The router's HTTP server itself is healthy.

Resolution

Replace the host-specific permit with one that covers the remote host's subnet. In named extended ACL configuration mode the entry can be removed by its sequence number and re-added with the same number so that it stays ahead of the deny:

conf t
 ip access-list extended WAN_IN
  no 10
  10 permit tcp <remote-subnet> <wildcard> host <router-WAN-IP> eq 80
 end

If the permit was missing entirely, add it with a sequence number lower than the deny ip any any entry. Confirm the ACL is still applied inbound on the WAN interface (ip access-group WAN_IN in). If a WAN-to-self zone-pair exists, its policy must also inspect or pass TCP port 80, otherwise the packets are dropped after clearing the ACL. Keep the permit as narrow as the real management population requires: permitting port 80 from any source exposes the management interface to the entire WAN.

Verification

From the remote host, browse to http://<router-WAN-IP>. The page should load. Then confirm on the router:

show access-lists
The match counter on the new permit entry should increment with each request, and the deny counter should stop increasing for this host.

show ip http server status
Confirm the server is still enabled on port 80.

Prevention

1. Use a standard ACL template for management access that permits HTTP/HTTPS only from trusted management subnets, and prefer HTTPS (ip http secure-server) over plain HTTP so that credentials are not sent in the clear. An ip http access-class list adds a second layer that restricts the HTTP server itself regardless of interface ACLs.
2. Implement role-based access control for the web interface and log ACL matches (the log keyword on deny entries) so that blocked traffic is visible during troubleshooting.
3. Regularly review ACL configurations and use show access-lists to verify that traffic is matching the intended entries rather than falling through to the deny.

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario tests understanding of ACLs and their application to filter traffic. Questions may present a troubleshooting scenario where HTTP access fails, and you must identify the missing or incorrect ACL entry. The exam expects you to know how to read ACL output and apply the correct permit statement.

Exam Tips

1. ACLs are processed top-down and the first matching entry wins; later entries are never evaluated. Place specific permits before broader denies, and remember the implicit deny ip any any at the end of every ACL.

2. The exam often tests the difference between standard and extended ACLs. A standard ACL matches on source address only; to filter HTTP you need an extended ACL that specifies the protocol (tcp), source, destination, and port (eq 80 or eq www).

3. show access-lists displays match counts. A zero count on the permit entry you expect traffic to hit, together with an incrementing deny counter, means the traffic is matching a different entry than intended.
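To make the top-down, first-match behaviour from diagnostic step 3, the resolution and exam tips 1 to 3 concrete, the following Python script is an added example (it is not code from the original page and not router software). It parses entries in the syntax printed by show access-lists, evaluates packets against them the way IOS does, including the implicit deny and the per-entry match counters, and runs the same constructed HTTP request through the broken host-only ACL and the corrected subnet ACL. All addresses, the ACL text and the flow names are constructed from RFC 5737 documentation ranges and are not values from the scenario.

```python
"""First-match evaluation of a Cisco extended IP ACL (added illustration).

Parses ACEs in the syntax printed by 'show access-lists', evaluates flows
top-down the way IOS does (first match wins, implicit deny at the end) and
keeps per-ACE match counters. All addresses are constructed (RFC 5737)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    """One access control entry of an extended IP ACL."""
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # destination port from "eq <port>"
    matches: int = 0             # emulates the "(N matches)" counter

@dataclass
class Flow:
    """A single packet to test against the ACL."""
    proto: str
    src: str
    dst: str
    dport: int

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco wildcard masks are inverted subnet masks: 0.0.0.255 -> /24, 0.0.0.0 -> /32.
    Discontiguous wildcards raise ValueError from the ipaddress module."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)

def _parse_addr(tokens: list[str], i: int) -> tuple[ipaddress.IPv4Network, int]:
    """Consume 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2

def parse_acl(text: str) -> list[Ace]:
    """Parse '<seq> <permit|deny> <proto> <src> <dst> [eq <port>] [log]' lines."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        src, i = _parse_addr(t, 3)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        aces.append(Ace(int(t[0]), t[1], t[2], src, dst, dport))
    return sorted(aces, key=lambda a: a.seq)  # IOS orders entries by sequence number

def evaluate(acl: list[Ace], flow: Flow) -> str:
    """Return the action of the first matching ACE, or the implicit deny."""
    src, dst = ipaddress.IPv4Address(flow.src), ipaddress.IPv4Address(flow.dst)
    for ace in acl:              # top-down; entries after the first match are never consulted
        if ace.proto not in ("ip", flow.proto):
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        ace.matches += 1
        return ace.action
    return "deny"                # the invisible 'deny ip any any' at the end of every ACL

# Constructed values: router WAN address, the single host the original entry
# allowed, and the /24 the remote user actually sits in.
ROUTER_WAN_IP = "203.0.113.1"
MGMT_HOST = "198.51.100.10"
REMOTE_SUBNET = "198.51.100.0"

BROKEN_WAN_IN = f"""
10 permit tcp host {MGMT_HOST} host {ROUTER_WAN_IP} eq 80
20 deny ip any any log
"""
FIXED_WAN_IN = f"""
10 permit tcp {REMOTE_SUBNET} 0.0.0.255 host {ROUTER_WAN_IP} eq 80
20 deny ip any any log
"""

def verdicts(acl_text: str) -> tuple[dict[str, str], dict[int, int]]:
    """Run four constructed flows through an ACL; return verdicts and per-entry match counts."""
    acl = parse_acl(acl_text)
    flows = {
        "mgmt_host_http": Flow("tcp", MGMT_HOST, ROUTER_WAN_IP, 80),
        "remote_user_http": Flow("tcp", "198.51.100.25", ROUTER_WAN_IP, 80),
        "internet_http": Flow("tcp", "192.0.2.77", ROUTER_WAN_IP, 80),
        "remote_user_ssh": Flow("tcp", "198.51.100.25", ROUTER_WAN_IP, 22),
    }
    results = {name: evaluate(acl, f) for name, f in flows.items()}
    return results, {ace.seq: ace.matches for ace in acl}

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_WAN_IN), ("fixed", FIXED_WAN_IN)):
        print(label, *verdicts(text))
```

Running it shows the symptom and the fix side by side: with the broken ACL the management host is permitted on entry 10 while the remote user's request, an internet host's request and an SSH attempt all land on entry 20, so the deny counter climbs to 3 and the permit counter stays at 1, exactly the pattern exam tip 3 describes. With the subnet permit the remote user now matches entry 10 and the deny counter only records the traffic that should be dropped. The script models IPv4, source/destination networks and a single eq port; it does not model established, range, or port-based source matching.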

Commands Used in This Scenario

show ip http server status
ping <router-WAN-IP>
show access-lists
show running-config interface <WAN-interface>
show ip interface <WAN-interface>
telnet <router-WAN-IP> 80
show zone-pair security
show policy-map type inspect zone-pair <zone-pair-name>
ip access-list extended WAN_IN
ip access-group WAN_IN in
