topic Re: Changing FTD SSH access-list in Network Security

Changing FTD SSH access-list

mrjelly — Wed, 13 Mar 2024 23:10:50 GMT

Hello,

Is there a way to see an FTDs ssh-access-list through the FMC and even see what's on it?

It appears that to setup an FTDs SSH access list is to use SSH access (or from the console too?)

Using the Threat Detection CLI in the FMC and selecting 'Show' then ssh-access-list give back an error saying command didn't work.

Re: Changing FTD SSH access-list

balaji.bandi — Wed, 13 Mar 2024 23:22:02 GMT

Not sure what is the case here to see what in ACL using CLI or ssh.

Unlike ASA there are many changes in FTD probably we may not understand as expected - until you like to spend more time and co-related to it.

check command reference :

https://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/using_the_FTD_CLI.html

Re: Changing FTD SSH access-list

Rob Ingram — Thu, 14 Mar 2024 08:04:36 GMT

@mrjelly to restrict SSH access to Data interfaces you configure a Platform Settings Policy from the FMC and deploy to the FTDs. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/interfaces-settings-platform.html#task_42B3A06C70E8415E8C024AE76FE79774

If using the Management interface, you configure an SSH access list using the command configure ssh-access-list from the CLI of the FTDs.

Re: Changing FTD SSH access-list

mrjelly — Thu, 14 Mar 2024 08:42:18 GMT

Thank you, what I am stuck on is how to access the configure ssh-access-list command. If it's CLI but SSH is not setup what are the default settings for the ssh-access-list and is there any other way to access and configure this other than SSH.

I'm assuming console works but can is also be done via FMC?

Re: Changing FTD SSH access-list

balaji.bandi — Thu, 14 Mar 2024 09:25:29 GMT

FMC is prefer method always my view.

if you like to do from cli (i would not suggest) but i have given reference document how you can do (do you get chance to read ?)

Re: Changing FTD SSH access-list

Rob Ingram — Thu, 14 Mar 2024 09:28:53 GMT

@mrjelly what interfaces are you referring to? data or management?

You can only configure the SSH list for the management interface via the CLI, it's open to everyone that can route to it as default.

If you are referring to the data interface for SSH you have to control this using the Platform Settings policy.

Re: Changing FTD SSH access-list

mrjelly — Thu, 14 Mar 2024 09:53:33 GMT

Yes this is the management interface I want to configure

Re: Changing FTD SSH access-list

Rob Ingram — Thu, 14 Mar 2024 09:57:52 GMT

@mrjelly like I said - For the Management interface, to configure an SSH access list from the CLI of the FTD use the configure ssh-access-list command, reference Cisco Secure Firewall Threat Defense Command Reference

Re: Changing FTD SSH access-list

Marius Gunnerud — Thu, 14 Mar 2024 11:08:06 GMT

The FMC platform settings will only show the access-list for SSH access using data interface. For the management interface you would need to login to the CLIto see it and configure it.

show ssh-access-list

configure ssh-access-list <values>

Re: Changing FTD SSH access-list

MHM Cisco World — Thu, 14 Mar 2024 11:15:40 GMT

I will try that in my Lab and inform you the steps
""after I return home""

thanks

MHM

Re: Changing FTD SSH access-list

MHM Cisco World — Thu, 14 Mar 2024 11:45:39 GMT

FTD Management Access Restriction does not work for Management interface - Cisco Community

this link help you

MHM

Re: Changing FTD SSH access-list

mrjelly — Fri, 15 Mar 2024 14:05:09 GMT

Hello, thanks all for your responses, so the ssh-access-list is accept tcp -- anywhere anywhere state NEW tcp dpt:ssh

so I can't see any issue with that.

I can see traffic from my management box to the management interface IP on ssh being allowed, yet I am getting a timeout.

Any thoughts?

Re: Changing FTD SSH access-list

mrjelly — Fri, 15 Mar 2024 14:14:54 GMT

Ok this is solved, the Management interface IP address was not the right one. Tracing the traffic coming out of the management interface, I could see two other IP addresses which were the firepower management IP addresses.
I was obviously reading the FMC settings incorrectly.

I looked at the device interfaces then the management interface settings and got the IP address from there. It was one bit higher than that.

Thank you all for your help and apologies.

Re: Changing FTD SSH access-list

Marius Gunnerud — Fri, 15 Mar 2024 14:16:08 GMT

To exclude any issues with the mgmt interface or FTD itself, place a PC on the same subnet as the mgmt interface and then try to SSH to it. If the SSH session is successful then we know there is an issue somewhere between the FTD and the original PC.