10.2 Securing Router Access
10.2.2 Using access lists to secure access to the IOS web interface
VTYs are not the only way to gain configuration access to a router. Many administrators manage their devices using a web browser, and Cisco routers and switches typically run web services (on port 80, by default) to permit this. Securing the VTYs will not do much good if a web surfer can access the router's web-based command interface. If your organization uses the IOS web interface, be sure to apply an access list to it as well. The following commands provide an example for web server configuration:

RTA(config)#access-list 17 permit 202.206.100.0 0.0.0.255
RTA(config)#ip http server
RTA(config)#ip http access-class 17

When applying an access class to an IOS HTTP server, the "in" keyword is not used. Because this service can accept only incoming connections, the access list cannot be applied to outbound traffic.

In the above example, the ip http server command enables web-based configuration, while the ip http access-class 17 command restricts the web interface to source IP addresses matching access list 17.
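To check the effect of such a configuration before deploying it, the following added example (not part of the original course material) evaluates which source addresses the web interface would accept under a given configuration. It models only numbered standard access lists with first-match evaluation and the implicit deny at the end of the list; the function names and the sample configurations are constructed for illustration.

```python
import ipaddress
import re
# Constructed sample configs; RESTRICTED mirrors the commands shown above.
RESTRICTED = """access-list 17 permit 202.206.100.0 0.0.0.255
ip http server
ip http access-class 17
"""
UNRESTRICTED = "ip http server\n"
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (\S+)(?: (\S+))?$")

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse(config):
    """Return (http_enabled, access_class_id, {acl_id: [(action, addr, wildcard)]})."""
    http, acl_id, acls = False, None, {}
    for line in (l.strip() for l in config.splitlines()):
        m = ACL_RE.match(line)
        if line == "ip http server":
            http = True
        elif line.startswith("ip http access-class "):
            acl_id = line.split()[-1]  # last token is the ACL number
        elif m:
            num, action, addr, wildcard = m.groups()
            if addr == "any":
                addr, wildcard = "0.0.0.0", "255.255.255.255"
            elif addr == "host":
                addr, wildcard = wildcard, "0.0.0.0"
            acls.setdefault(num, []).append(
                (action, to_int(addr), to_int(wildcard or "0.0.0.0")))
    return http, acl_id, acls

def acl_permits(entries, src):
    """First matching entry wins; no match falls through to the implicit deny."""
    ip = to_int(src)
    for action, addr, wildcard in entries:
        care = ~wildcard & 0xFFFFFFFF  # wildcard 0-bits must match, 1-bits are ignored
        if ip & care == addr & care:
            return action == "permit"
    return False

def web_access_allowed(config, src):
    """Would the IOS HTTP server accept a connection from src under this config?"""
    http, acl_id, acls = parse(config)
    if not http or acl_id is None:
        return http  # server on with no access class: every source is accepted
    if acl_id not in acls:  # assumption: this case is rejected here, not modelled
        raise ValueError("access class references an ACL not in this config")
    return acl_permits(acls[acl_id], src)
```

Running `web_access_allowed` over a saved configuration with a list of management and non-management addresses shows whether the access class is actually in force and whether its wildcard mask covers only the intended subnet.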