topic Re: Unable to SSH Management Interface Cisco 1120 in Network Security

Unable to SSH Management Interface Cisco 1120

kleemisch — Wed, 24 Jul 2024 13:34:39 GMT

Can someone let me know where the settings are located to ssh into the management interface? I can SSH from my desktop (10.250.3.x subnet) but can't from the server subnet.

Re: Unable to SSH Management Interface Cisco 1120

Sheraz.Salim — Wed, 24 Jul 2024 13:49:08 GMT

it seems you're having trouble accessing the management interface of your Cisco FPR-1120 firewall via SSH from a specific subnet. Here are some suggestions to troubleshoot to resolve this issue:

Check SSH access list
Connect to the firewall's CLI via console or from a working SSH connection. Run the command show ssh-access-list to view the current SSH access configuration,Ensure that the server subnet is included in the access list. also are this server in a different subnet if you in that case you have to allow (define access-list in order to connect ssh to server) in ASA command is like this (ssh 10.60.0.0 255.255.0.0 inside)

Verify user accounts:
Use the command show user to check the configured user accounts Make sure the account you're using has the necessary privileges for SSH access. Review platform settings in FMC: If you're managing the device through Firepower Management Center (FMC), check the platform settings for SSH configuration

Ensure that SSH is enabled for the management interface and the correct IP ranges are allowed.

Check routing:
Verify that there's a valid route from the server subnet to the management interface. You may need to add a static route using the configure network static-routes command if it's not already in place

Firewall rules:
Although SSH access doesn't typically require an explicit access rule, double-check that there are no firewall rules blocking SSH traffic from the server subnet to the management interface.

Interface configuration:
Confirm that the management interface is properly configured with the correct IP address and subnet mask. Use the show interface command to verify the interface status and configuration.
SSH version and ciphers: Ensure that the SSH client on the server is compatible with the firewall's SSH configuration.
The firewall supports specific encryption, integrity, and key exchange methods
.
Network connectivity:
Try pinging the management interface from the server to ensure basic network connectivity.
Diagnostic interface vs. Management interface:
Be aware that the diagnostic interface and management interface are different. SSH access via the diagnostic interface is not supported from FTD 6.1 onwards

Re: Unable to SSH Management Interface Cisco 1120

Blue_Bird — Wed, 24 Jul 2024 13:54:15 GMT

Hello kleemisch,

Please go through the following link under step 3, you can find ssh settings:

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200701-Configuration-of-Management-access-to-FT.html

Best regards
******* If This Helps, Please Rate *******

Re: Unable to SSH Management Interface Cisco 1120

Rob Ingram — Wed, 24 Jul 2024 13:56:21 GMT

@kleemisch if using FTD image you use the command "configure ssh-access-list" from the CLI to restrict/permit access to SSH to the management interface.

Re: Unable to SSH Management Interface Cisco 1120

MHM Cisco World — Wed, 24 Jul 2024 13:56:59 GMT

The GW if you not config it for mgmt interface then it can not reply to any subnet outside it subnet'

This GW can be FW itself or any l3 device

MHM

Re: Unable to SSH Management Interface Cisco 1120

kleemisch — Wed, 24 Jul 2024 14:04:24 GMT

Thank you, that is my issue - I have an access list only allowing certain computers; found this by doing the ssh-access-list command. What is the command to add another computer?

Re: Unable to SSH Management Interface Cisco 1120

Sheraz.Salim — Wed, 24 Jul 2024 14:13:47 GMT

Check this link will put you in right direction to fix the issue

https://community.cisco.com/t5/network-security/ftd-management-access-restriction-does-not-work-for-management/td-p/3781668