
AC6508 http server-source command not recognized

Created: Jan 26, 2021 04:31:26 | Latest reply: Jan 27, 2021 06:33:26
  Rewarded HiCoins: 0 (problem resolved)

My device is AC6508, firmware version: V200R010C00SPC700


The problem is that I could not access my AC6508 from the public side over HTTPS after I created a NAT rule to forward the port on the upper device (USG6005). I suspect it is because the "server-source" on http has not been specified, but whether I run

[HUAWEI] http secure-server server-source -i xxx

or

[HUAWEI] http server-source -i xxx

It shows the server-source command is not recognized. Could anyone help me with this, or suggest another solution to my problem?

All Answers
Hi,
What is the NAT rule configuration on the firewall? When specifying the source address, is this address accessible from the internet?

Oscar123 Created Jan 26, 2021 05:48:47
I didn't specify a source address, as I'll need access from different locations. One reason I know it is probably not the rule's fault is that I also set the same rule to forward a port to another device without problems.
Oscar123,
OK, if the NAT policy is OK, then I would suggest checking the routing table on the AC to see whether there is a backward route.
BTW, the device supports specifying the server source address only when the HTTPS service is enabled.

Hi Chenhui,

Thanks for your quick response.
When I check http info, it shows:
HTTPS SSL Policy : default_policy
Web package : web.7z (default)
HTTP server permit interface :
Is it normal that "HTTP server permit interface" shows no value?

I'm not sure how to check for a backward route; could you help me with that?
Here is the route table:
Destination/Mask     Proto   Pre  Cost  Flags  NextHop       Interface
10.20.0.0/22         Direct  0    0     D      10.20.0.2     Vlanif1
10.20.0.2/32         Direct  0    0     D      127.0.0.1     Vlanif1
10.20.3.255/32       Direct  0    0     D      127.0.0.1     Vlanif1
10.20.148.0/22       Direct  0    0     D      10.20.148.1   Vlanif10
10.20.148.1/32       Direct  0    0     D      127.0.0.1     Vlanif10
10.20.151.255/32     Direct  0    0     D      127.0.0.1     Vlanif10
127.0.0.0/8          Direct  0    0     D      127.0.0.1     InLoopBack0
127.0.0.1/32         Direct  0    0     D      127.0.0.1     InLoopBack0
127.255.255.255/32   Direct  0    0     D      127.0.0.1     InLoopBack0
169.254.3.0/24       Direct  0    0     D      169.254.3.1   Ethernet0/0/47
169.254.3.1/32       Direct  0    0     D      127.0.0.1     Ethernet0/0/47
169.254.3.255/32     Direct  0    0     D      127.0.0.1     Ethernet0/0/47
255.255.255.255/32   Direct  0    0     D      127.0.0.1     InLoopBack0

Posted by Oscar123 at 2021-01-27 04:31 Hi Chenhui,Thanks for your quick response. When I check http info, it shows: HTTPS SSL Policy ...
Hi,
It's OK that the HTTP server permit interface shows no value, because you didn't configure 'http secure-server server-source'.
From the routing table on your device, there are no backward routes if you configure only the destination NAT or nat server on the firewall.
Please confirm which NAT type you configured on the firewall: destination NAT, nat server, or bidirectional NAT?

This is what I create:


AC6005 is the controller ip, 10.20.0.2

001


002



Posted by Oscar123 at 2021-01-27 06:10 This is what I create:AC6005 is the controller ip, 10.20.0.2

From the NAT configuration, there might be two problems.

  1. You didn't select destination port translation, which means that when an internet user accesses port TCP 21443 (I think the port value is TCP 21443), the packet will be forwarded to the AC with the same port, TCP 21443. I'm not sure whether you assigned the HTTPS server port to TCP 21443 on the AC; if not, the AC will drop the packet. I suggest you enable destination port translation and set the value to TCP 443 if you didn't assign the HTTPS server port on the AC.


    port translation

  2. You configured address-to-address destination NAT, not bidirectional NAT. As I said previously, there are no backward routes on the AC. To resolve this problem, you have two choices. The first one, the simplest way, is to configure a default route on the AC to guide the traffic back to the firewall. The second one is to modify the NAT policy to a bidirectional policy, translating the source addresses of the accessing internet users to private addresses, 10.20.0.x.

    Please note that the first one is simple to implement, but you should be careful about the potential network loop. The second way is complicated to implement, but it's the suggested one.

Oscar123 Created Jan 27, 2021 06:46:56
Thanks chenhui, you definitely saved my day. For the first question, I did change the port to 21433. And I just configured a bidirectional NAT like you said; problem solved.
chenhui Reply Oscar123 Created Jan 27, 2021 06:49:46
You are welcome! :D
BTW, when you provide your logs, configuration, and device information, please erase private information, such as public IP addresses and port numbers, for network security reasons.
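
The return-path problem discussed in this thread, as an added example that is not part of the original posts: it runs a longest-prefix lookup over the routing table Oscar123 posted and shows which interface the AC would use to reply under destination-only NAT, with a default route added, and with bidirectional NAT. The client address 203.0.113.7 and the firewall inside address 10.20.0.1 are assumptions; the thread gives neither.

```python
import ipaddress
# Routing table as posted in the thread (AC at 10.20.0.2 on Vlanif1).
POSTED_TABLE = """\
10.20.0.0/22 Direct 0 0 D 10.20.0.2 Vlanif1
10.20.0.2/32 Direct 0 0 D 127.0.0.1 Vlanif1
10.20.3.255/32 Direct 0 0 D 127.0.0.1 Vlanif1
10.20.148.0/22 Direct 0 0 D 10.20.148.1 Vlanif10
10.20.148.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
10.20.151.255/32 Direct 0 0 D 127.0.0.1 Vlanif10
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
169.254.3.0/24 Direct 0 0 D 169.254.3.1 Ethernet0/0/47
169.254.3.1/32 Direct 0 0 D 127.0.0.1 Ethernet0/0/47
169.254.3.255/32 Direct 0 0 D 127.0.0.1 Ethernet0/0/47
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
"""

# Assumed values (not from the thread): internet client, firewall inside IP.
CLIENT = "203.0.113.7"
FIREWALL_INSIDE = "10.20.0.1"

def parse_routes(text):
    """Return (network, next_hop, interface) for each 7-column route line."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) == 7 and cols[0][0].isdigit():
            routes.append((ipaddress.ip_network(cols[0]), cols[5], cols[6]))
    return routes

def reply_interface(routes, source_seen_by_ac):
    """Longest-prefix match for the address the AC replies to; None = no route."""
    dst = ipaddress.ip_address(source_seen_by_ac)
    hits = [r for r in routes if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[2] if hits else None

def scenarios():
    base = parse_routes(POSTED_TABLE)
    default = (ipaddress.ip_network("0.0.0.0/0"), FIREWALL_INSIDE, "Vlanif1")
    return {
        "destination NAT only": reply_interface(base, CLIENT),
        "default route added on AC": reply_interface(base + [default], CLIENT),
        "bidirectional NAT": reply_interface(base, FIREWALL_INSIDE),
    }

if __name__ == "__main__":
    for name, iface in scenarios().items():
        print(f"{name}: {iface or 'no return route, reply dropped'}")
```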