topic Firepower 2130 OOB ASDM and SSH management. in Network Security

Firepower 2130 OOB ASDM and SSH management.

RonLeet504990 — Tue, 03 Nov 2020 11:53:35 GMT

Good Morning,

I have been working with testing a remote connection for a network expansion we have coming up, and have been unsuccessful in figuring out how to access the new Firepower 2130 via ASDM through an outside network connection in order to maintain and manage the device remotely across our campus LAN transport.

I have tested all the older model ASA configurations to allow access to ASDM and SSH via the outside port, but have had no luck with the new Firepower 2130 at this time. So far I am only able to access management on the device from a directly connected switch, or desktop configuration. At this point I am thinking I may have a technician configure their end of the connection with a VM internal system that I can connect to, and then connect into the FP ASDM management that way.

I am open to any suggestions anyone may have however, so that I may keep this managed from outside the internal connection that the Firepower provides security for as I feel going around behind it would just create a security issue that I do not want to have on our network.

Thank you all in advance for any advice and assistance.

Respectfully,

Ron Leet

Re: Firepower 2130 OOB ASDM and SSH management.

Marius Gunnerud — Tue, 03 Nov 2020 12:20:41 GMT

Just for clarity, you have ASA software installed on the FTD2130?

Could you post the configuration you are trying to implement (remember to remove any public IPs, usernames, and passwords)?

Are you trying to connect directly to the outside/internet facing interface or over å RA-VPN?

Usually to get this working directly to the outside interface you would need to do the following.

For ASDM:

http server enable 4433 !(or any other port you want to connect to. leave blank to use port 443)

http 1.1.1.1 255.255.255.255 outside

asdm image <image_name>

For SSH:

make sure SSH is enabled ( it should be enabled by default) show ssh

crypto key generate rsa modulus 2048 !(optional if SSH is already enabled)

ssh 1.1.1.1 255.255.255.255 outside

Re: Firepower 2130 OOB ASDM and SSH management.

RonLeet504990 — Mon, 16 Nov 2020 14:35:39 GMT

Good Morning Marius,

I apologize for the delayed response, this account is tagged to my work email, and I was unable to make it into the office for the past ten days. I do want to per-emptively thank you for any assistance you are able to offer and thank you for what you have currently offered already.

For clarification purposes:

Yes we have ASA software and ASDM installed on our FP2130s.

As for configurations, these are currently in a testing lab based environment, and are air-gapped systems, I will have to manually transcribe them to the open internet in order to share, but I will work on that for better insight and assistance.

In response to your current suggestions, I have actually performed both of these configurations in different fashions here and there through multiple tests, and have not been able to get ASDM to open at all from the outside switch/laptop setup. As for SSH, I was able to get this to actually function ONCE at some point in testing and have not been able to get SSH to work ever since, this is because we currently do not have our 3DES license configured on our systems, as they are currently listed as smart license products, and we need on-prem ones, Cisco is currently working with me to get that resolved, other than that I cannot get any SSH instances to work, but can get Telnet (all from the inside port btw).

A quick glimpse as to how my ports are configured on the ASA FP2130, and C9300 however, they are like this.

ASA:

interface Ethernet1/1

nameif outside

security-level 0

ip address x.x.x.195 255.255.255.192

interface Ethernet1/2.10

vlan10

nameif inside

security-level 100

ip address x.x.x.1 255.255.255.128

interface Management1/1.32

management-only

vlan 32

nameif management

security-level 100

ip address x.x.x.129 255.255.255.224

(inside 9300 configuration setup for trunk ports to management and inside interfaces to test inside settings, which now I can't even get ASDM to open I was able to before I was stuck at home for the past ten days.)

Outside C9300

interface Vlan530

ip address x.x.x.194 255.255.255.192

vlan 530

name Ext-Site

interface GigabitEthernet1/0/47

description External-FP2130

switchport access vlan 530

switchport mode access

Re: Firepower 2130 OOB ASDM and SSH management.

Marius Gunnerud — Mon, 16 Nov 2020 15:07:27 GMT

Could you post the output of show run ssh, show run http, show run asdm, dir, and show ssh

as well as the configuration of the switch port that connects to the management interface. Are you sure that this isn't a routing issue? When you are testing are you on the same subnet as the ASA interface you are connecting to?