Hi,
This is a case of a failure to log in to the WEB NMS page.
Problem Description
The web management page of the AR1220E-S can be logged in to from the intranet but not from the public network.
Key configurations:
#
pki realm default
#
ssl policy default_policy type server
 pki-realm default
 version tls1.0 tls1.1
 ciphersuite rsa_aes_128_cbc_sha
#
acl number 2999
 rule 5 permit
#
aaa
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 domain default
  authentication-scheme default
 domain default_admin
  authentication-scheme default
 local-user admin password irreversible-cipher xxxxxx
 local-user admin privilege level 15
 local-user admin service-type telnet terminal http
#
interface Vlanif10
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/8
 ip address 171.XX.XX.189 255.255.255.128
 nat outbound 2999
#
interface GigabitEthernet0/0/9
 ip address 192.168.1.1 255.255.255.0
#
http server port 80
http secure-server ssl-policy default_policy
http server enable
http secure-server enable
http server permit interface GigabitEthernet0/0/9
#
ip route-static 0.0.0.0 0.0.0.0 171.XX.XX.129
#
Handling Process
1. Check the configuration. Only interface G0/0/9 is allowed to log in to the web system, so the web system cannot be logged in to through any other interface.
#
http server port 80
http secure-server ssl-policy default_policy
http server enable
http secure-server enable
http server permit interface GigabitEthernet0/0/9
#
Delete the configuration so that all physical interfaces on the device can access the WEB NMS.
<Huawei> system-view
[Huawei] undo http server permit interface
2. After the modification, the fault persists. By default, web login uses HTTP port 80 or HTTPS port 443. Capture packets on G0/0/8: when the public network terminal tries to log in on these two ports, no traffic is seen on TCP ports 80 and 443. It is suspected that the carrier side restricts access to TCP ports 80 and 443. Change the HTTP server port number to 9080 and the HTTPS server port number to 9443 with the following commands:
[Huawei] http server port 9080
[Huawei] http secure-server port 9443
After the modification, the web management page can be logged in to by entering http://171.XX.XX.189:9080 or https://171.XX.XX.189:9443 on the public network terminal.
Root Cause
In the router configuration, only interface G0/0/9 is allowed to log in to the web NMS, and the carrier side restricts access to TCP ports 80 and 443.
Solution
Allow all physical interfaces on the device to access the web NMS and change the ports used by the HTTP and HTTPS services on the device.
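The first check in the handling process can be run against a saved configuration before touching the device. The following Python script is an added example, not part of the original case or any Huawei tool: it reads the interface and http server lines in the format shown above and reports, per addressed interface, whether web login is permitted and on which URLs. The names audit_web_access, SAMPLE_CONFIG and FIXED_CONFIG are hypothetical, and the sample text is constructed from the case.

```python
import re

# Constructed sample: the two addressed ports and HTTP lines from the case above.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/8
 ip address 171.XX.XX.189 255.255.255.128
#
interface GigabitEthernet0/0/9
 ip address 192.168.1.1 255.255.255.0
#
http server port 80
http secure-server ssl-policy default_policy
http server enable
http secure-server enable
http server permit interface GigabitEthernet0/0/9
"""
# The same config after both changes from the handling process.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "http server permit interface GigabitEthernet0/0/9\n",
    "http secure-server port 9443\n").replace("port 80\n", "port 9080\n")

def audit_web_access(config):
    """Map each addressed interface to whether web login is permitted and its URLs."""
    ips, current, permit = {}, None, []
    ports = {"http": 80, "https": 443}        # defaults named in the case
    enabled = {"http": False, "https": False}
    for line in (raw.strip() for raw in config.splitlines()):
        svc = "https" if line.startswith("http secure-server") else "http"
        if line == "#":
            current = None                     # '#' closes a configuration view
        elif m := re.fullmatch(r"interface (\S+)", line):
            current = m.group(1)
        elif current and (m := re.match(r"ip address (\S+) \S+", line)):
            ips[current] = m.group(1)
        elif m := re.fullmatch(r"http (?:secure-)?server port (\d+)", line):
            ports[svc] = int(m.group(1))
        elif re.fullmatch(r"http (?:secure-)?server enable", line):
            enabled[svc] = True
        elif m := re.fullmatch(r"http server permit interface (.+)", line):
            permit += m.group(1).split()
    report = {}
    for name, ip in ips.items():
        allowed = not permit or name in permit  # empty list: no interface restriction
        urls = [f"{s}://{ip}:{ports[s]}" for s in ("http", "https")
                if allowed and enabled[s]]
        report[name] = {"web_login": allowed, "urls": urls}
    return report
```

On SAMPLE_CONFIG the public interface G0/0/8 comes back with web_login False, which is the symptom in the problem description; on FIXED_CONFIG it lists the two URLs used after the modification. The script cannot see the carrier-side port restriction, which still needs the packet capture from step 2.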

