topic Re: ASA CLI - trouble with Conft in Network Security

ASA CLI - trouble with Conft

RowC — Fri, 21 Feb 2020 14:32:54 GMT

Hi Guys,

Feeling rather noobish on this one.

i`m having trouble finding the Conf t, the device is ASA 2110

I`ve tried connecting to FTD & Local Mgmt and i can see the config - but i cant edit it

geg01#
acknowledge Acknowledge
backup Backup
clear Clear managed objects
commit-buffer Commit transaction buffer
connect Connect to Another CLI
discard-buffer Discard transaction buffer
end Go to exec mode
exit Exit from command interpreter
scope Changes the current mode
set Set property values
show Show system information
terminal Set terminal line parameters
top Go to the top mode
up Go up one mode
where Show information about the current mode

geg01# connect
ftd Connect to FTD Application CLI
local-mgmt Connect to Local Management CLI

Re: ASA CLI - trouble with Conft

Marvin Rhoads — Sat, 21 Oct 2017 04:19:12 GMT

It appears you are logging into a Firepower 2110 running FTD image. You cannot modify FTD configuration (apart from the minimal setup of the network) from the cli.

You need to use either the on-box Firepower Device Manager or a remote Firepower Management Center. In either case you connect to the management interface you have assigned (via Firepower Chassis Manager) to the FTD logical device - not to the chassis management interface.

Re: ASA CLI - trouble with Conft

RowC — Sat, 21 Oct 2017 04:53:10 GMT

Thanks Marvin !

I`m trying to set up Ipsec tunnels from a dynamic IP address to the static ip of the ASA, The on-box Firepower Device Manager seems limited, You mentioned the Firepower running the FTD image - would running a different Image provide greater flexibility ?

Re: ASA CLI - trouble with Conft

Marvin Rhoads — Sat, 21 Oct 2017 13:58:05 GMT

I've not had to do it "in the wild" yet but it should be possible according to the FMC and FTD site-to-site VPN documentation.

https://www.cisco.com/c/en/us/td/docs/security/firepower/622/configuration/guide/fpmc-config-guide-v622/firepower_threat_defense_site_to_site_vpns.html#reference_nwy_fhl_wy

However I just tried it in my lab and was unable to get it to work there as well (running the latest FMC and FTD 6.2.2).

I've asked among my peers in the partner community to see if it's one of those bits that's not quite working yet.

Regarding ASA vs. FTD image type if you go with ASA you would lose all of the ability to to NGIPS (Snort etc. ) inspections and management would be via the old style ASA cli or ADSM GUI. That's a pretty major change to the appliance and not one to be undertaken lightly. The option is there though should you decide FTD is not cutting it for you at this time.

Re: ASA CLI - trouble with Conft

RowC — Mon, 23 Oct 2017 02:23:17 GMT

Hi Marvin,

What be a acceptable method of connecting from a dynamic IP address to the cisco 2110 then ?

I was thinking i could find an any connect client to run on the IOS - i think i might have been dreaming..

Chris

Re: ASA CLI - trouble with Conft

Marvin Rhoads — Mon, 23 Oct 2017 02:59:58 GMT

I haven't received official word from Cisco engineering, but I am beginning to think it may not be a feature that is currently implemented. Two other engineers (not Cisco employees) have told me that.

I suggest you open a TAC case for confirmation.