How to add a static route on FTD from the CLI and set its priority

heartdrunk (Level 1)

My FTD cannot connect to the FMC because of a routing problem. I now need to add a static route and give it a higher priority than OSPF.

29 replies

configure network static-routes

To add or remove static routes, use the configure network static-routes command.

configure network static-routes { ipv4 | ipv6 } { add interface destination netmask_or_prefix gateway | delete }

Syntax Description

add: Adds a static route for the management interface.

delete: Removes a static route for the management interface. You are prompted to choose which route to delete.

interface: The ID of the management interface. Use the show network command to view the Management interface ID for your model.

ipv4: Adds or deletes a static route for the IPv4 management address.

ipv6: Adds or deletes a static route for the IPv6 management address.

destination: The destination IP address to add or remove, in IPv4 or IPv6 format as appropriate. For example, 10.100.10.10 or 2001:db8::201.

netmask_or_prefix: The network address mask for IPv4, or prefix for IPv6. The IPv4 netmask must be in dotted decimal format, for example, 255.255.255.0. The IPv6 prefix is a standard prefix number, such as 96.

gateway: The gateway address to add or remove, in IPv4 or IPv6 format as appropriate.

Command History

Release 6.0.1: This command was introduced.

Example:

configure network static-routes ipv4 add eth0 192.168.10.0 255.255.255.0 192.168.1.1

https://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/c_3.html#wp2268306860

Add static route on Firepower module:

https://community.cisco.com/t5/security-documents/add-static-route-on-firepower-module/ta-p/3156256

Compared with OSPF, the AD of a static route is smaller (the default value is 1), so there is no need to modify it.

I'm not sure whether it's right, but you can try it; I hope it works.

Translator (Community Manager)

I assume your management interface's default gateway goes through a data interface on the FTD, and it is the data interface that is causing the routing problem?

If so, here is the workaround. Keep in mind that once you have re-established the connection you must correct the static route problem in the GUI, because the next policy deployment will overwrite this change. You also need access to the FTD CLI and must be able to obtain root. You do not have to change into /ngfw/var/sf/bin, but I like to go to that directory because that is where the script lives. I hope this helps.

> expert

# sudo su -

root# cd /ngfw/var/sf/bin

root# LinaConfigTool "route DMZ 192.168.1.0 255.255.255.0 192.168.2.1"

May I ask: in "route DMZ", does DMZ refer to the zone that the routed interface belongs to, or is it a custom name field?

Translator (Community Manager)
This is basic ASA/FTD CLI route configuration, so DMZ is the interface through which the subnet is reachable.

I have already deployed OSPF so that this device learns the route to the FMC, but why does this device still show as disabled and cannot be managed?

Translator (Community Manager)

Can you ping the FTD from the FMC? Can you telnet from the FMC CLI to the FTD on port tcp/8305? Also keep in mind that if this management traffic passes through another firewall, you need to allow traffic from the FTD to the FMC on port tcp/8305.

My two FTDs are running as an HA pair. FTD-A cannot ping the FMC, and FTD-B cannot ping the FMC either; A and B can reach each other. But B can be managed by the FMC... I cannot find the problem; FTD-A and B have the same configuration.

Translator (Community Manager)

Can you provide a network diagram showing the IPs, how these devices connect to the network, and how they relate to each other?

When you ping from the FTD you are pinging from a data interface, so if the access rules do not allow that traffic, it is blocked. A better test is therefore to ping from the FMC.

So, what sits between the FTD and the FMC? A router, another firewall, or are they on the same subnet (which is questionable, given that this started as a routing problem)?

Since FTD B can be managed, the problem is most likely not routing. What management IP did you give FTD A? You say A and B have the same configuration; does that mean the IP you gave FTD A is the same as the one configured on B? If so, that is your problem. FTD A needs its own IP.

If there is any firewall or access list in the path between the FMC and FTD A and B, you also need to check that traffic to FTD A is allowed.

When I use ping on the FMC it reports: ping: icmp open socket: Operation not permitted

My network topology:

FTD-A

> show network
===============[ System Information ]===============
Hostname : ASCHZXS-12F-JF-A02-FW-2110-01
DNS Servers : 172.169.18.8
Management port : 8305
IPv4 Default route
Gateway : 172.17.3.254

==================[ management0 ]===================
State : Enabled
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : CC:7F:76:B1:73:80
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 172.17.2.10
Netmask : 255.255.254.0
Broadcast : 172.17.3.255
----------------------[ IPv6 ]----------------------
Configuration : Disabled

===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled


> show route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 172.17.10.65 to network 0.0.0.0

O*E1 0.0.0.0 0.0.0.0 [110/1010] via 172.17.10.65, 2w6d, TO_RT01_OUTSIDE-1
C 1.1.1.0 255.255.255.252 is directly connected, failover_link
L 1.1.1.1 255.255.255.255 is directly connected, failover_link
C 2.2.2.0 255.255.255.252 is directly connected, state_link
L 2.2.2.1 255.255.255.255 is directly connected, state_link
O E2 172.16.1.0 255.255.255.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O E2 172.16.2.0 255.255.255.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O E2 172.16.3.0 255.255.255.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O E2 172.16.20.0 255.255.255.0
[110/1] via 172.17.10.83, 5d17h, TO_HXSW01_INSIDE-1
O E2 172.16.255.0 255.255.255.0
[110/1] via 172.17.10.83, 5d17h, TO_HXSW01_INSIDE-1
O IA 172.17.0.0 255.255.248.0
[110/20] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
C 172.17.7.0 255.255.255.248 is directly connected, SHAOXING_DMZ_LM_IDS
L 172.17.7.2 255.255.255.255 is directly connected, SHAOXING_DMZ_LM_IDS
O E1 172.17.8.0 255.255.255.0
[110/21] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.17.10.0 255.255.255.224
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
C 172.17.10.64 255.255.255.248 is directly connected, TO_RT01_OUTSIDE-1
L 172.17.10.67 255.255.255.255 is directly connected, TO_RT01_OUTSIDE-1
C 172.17.10.72 255.255.255.248 is directly connected, TO_RT02_OUTSIDE-2
L 172.17.10.75 255.255.255.255 is directly connected, TO_RT02_OUTSIDE-2
C 172.17.10.80 255.255.255.248
is directly connected, TO_HXSW01_INSIDE-1
L 172.17.10.82 255.255.255.255
is directly connected, TO_HXSW01_INSIDE-1
C 172.17.10.88 255.255.255.248
is directly connected, TO_HXSW02_INSIDE-2
L 172.17.10.90 255.255.255.255
is directly connected, TO_HXSW02_INSIDE-2
O 172.17.10.96 255.255.255.252
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.17.11.0 255.255.255.0
[110/12] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.17.20.0 255.255.255.0
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O 172.17.255.1 255.255.255.255
[110/11] via 172.17.10.65, 2w6d, TO_RT01_OUTSIDE-1
O 172.17.255.2 255.255.255.255
[110/16] via 172.17.10.73, 2w6d, TO_RT02_OUTSIDE-2
O 172.17.255.5 255.255.255.255
[110/10] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O 172.17.255.6 255.255.255.255
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O E2 172.31.0.0 255.255.0.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O IA 172.169.10.0 255.255.255.0
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.169.18.0 255.255.255.0
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.169.253.0 255.255.255.0
[110/12] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 192.168.168.0 255.255.255.0
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O E2 198.18.1.4 255.255.255.252
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O 198.18.1.8 255.255.255.252
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1

> show interface ip brief
Interface IP-Address OK? Method Status Protocol
Internal-Data0/1 unassigned YES unset up up
Ethernet1/1 172.17.10.67 YES CONFIG up up
Ethernet1/2 172.17.10.75 YES CONFIG up up
Ethernet1/3 172.17.10.82 YES CONFIG up up
Ethernet1/4 172.17.10.90 YES CONFIG up up
Ethernet1/5 172.17.7.2 YES CONFIG up up
Ethernet1/6 172.17.7.10 YES CONFIG down down
Ethernet1/7 172.17.7.18 YES CONFIG down down
Ethernet1/8 unassigned YES unset admin down down
Ethernet1/9 unassigned YES unset admin down down
Ethernet1/10 unassigned YES unset admin down down
Ethernet1/11 1.1.1.1 YES unset up up
Ethernet1/12 2.2.2.1 YES unset up up
Ethernet1/13 unassigned YES unset admin down down
Ethernet1/14 unassigned YES unset admin down down
Ethernet1/15 unassigned YES unset admin down down
Ethernet1/16 unassigned YES unset admin down down
Internal-Control1/1 unassigned YES unset up up
Internal-Data1/1 169.254.1.1 YES unset up up
Internal-Data1/2 unassigned YES unset up up
Management1/1 unassigned YES unset up up
> show failover state

State Last Failure Reason Date/Time
This host - Primary
Standby Ready None
Other host - Secondary
Active None

====Configuration State===
Sync Done - STANDBY
====Communication State===
Mac set


FTD-B


> show network
===============[ System Information ]===============
Hostname : firepower
DNS Servers : 172.169.18.8
Management port : 8305
IPv4 Default route
Gateway : 172.17.3.254

==================[ management0 ]===================
State : Enabled
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : AC:3A:67:52:57:80
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 172.17.2.11
Netmask : 255.255.254.0
Broadcast : 172.17.3.255
----------------------[ IPv6 ]----------------------
Configuration : Disabled

===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled


> show interface ip brief
Interface IP-Address OK? Method Status Protocol
Internal-Data0/1 unassigned YES unset up up
Ethernet1/1 172.17.10.66 YES CONFIG up up
Ethernet1/2 172.17.10.74 YES CONFIG up up
Ethernet1/3 172.17.10.81 YES CONFIG up up
Ethernet1/4 172.17.10.89 YES CONFIG up up
Ethernet1/5 172.17.7.1 YES CONFIG up up
Ethernet1/6 172.17.7.9 YES CONFIG down down
Ethernet1/7 172.17.7.17 YES CONFIG down down
Ethernet1/8 unassigned YES unset admin down down
Ethernet1/9 unassigned YES unset admin down down
Ethernet1/10 unassigned YES unset admin down down
Ethernet1/11 1.1.1.2 YES unset up up
Ethernet1/12 2.2.2.2 YES unset up up
Ethernet1/13 unassigned YES unset admin down down
Ethernet1/14 unassigned YES unset admin down down
Ethernet1/15 unassigned YES unset admin down down
Ethernet1/16 unassigned YES unset admin down down
Internal-Control1/1 unassigned YES unset up up
Internal-Data1/1 169.254.1.1 YES unset up up
Internal-Data1/2 unassigned YES unset up up
Management1/1 unassigned YES unset up up


> show route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 172.17.10.65 to network 0.0.0.0

O*E1 0.0.0.0 0.0.0.0 [110/1010] via 172.17.10.65, 2w6d, TO_RT01_OUTSIDE-1
C 1.1.1.0 255.255.255.252 is directly connected, failover_link
L 1.1.1.2 255.255.255.255 is directly connected, failover_link
C 2.2.2.0 255.255.255.252 is directly connected, state_link
L 2.2.2.2 255.255.255.255 is directly connected, state_link
O E2 172.16.1.0 255.255.255.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O E2 172.16.2.0 255.255.255.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O E2 172.16.3.0 255.255.255.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O E2 172.16.20.0 255.255.255.0
[110/1] via 172.17.10.83, 5d17h, TO_HXSW01_INSIDE-1
O E2 172.16.255.0 255.255.255.0
[110/1] via 172.17.10.83, 5d17h, TO_HXSW01_INSIDE-1
O IA 172.17.0.0 255.255.248.0
[110/20] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
C 172.17.7.0 255.255.255.248 is directly connected, SHAOXING_DMZ_LM_IDS
L 172.17.7.1 255.255.255.255 is directly connected, SHAOXING_DMZ_LM_IDS
O E1 172.17.8.0 255.255.255.0
[110/21] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.17.10.0 255.255.255.224
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
C 172.17.10.64 255.255.255.248 is directly connected, TO_RT01_OUTSIDE-1
L 172.17.10.66 255.255.255.255 is directly connected, TO_RT01_OUTSIDE-1
C 172.17.10.72 255.255.255.248 is directly connected, TO_RT02_OUTSIDE-2
L 172.17.10.74 255.255.255.255 is directly connected, TO_RT02_OUTSIDE-2
C 172.17.10.80 255.255.255.248
is directly connected, TO_HXSW01_INSIDE-1
L 172.17.10.81 255.255.255.255
is directly connected, TO_HXSW01_INSIDE-1
C 172.17.10.88 255.255.255.248
is directly connected, TO_HXSW02_INSIDE-2
L 172.17.10.89 255.255.255.255
is directly connected, TO_HXSW02_INSIDE-2
O 172.17.10.96 255.255.255.252
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.17.11.0 255.255.255.0
[110/12] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.17.20.0 255.255.255.0
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O 172.17.255.1 255.255.255.255
[110/11] via 172.17.10.65, 2w6d, TO_RT01_OUTSIDE-1
O 172.17.255.2 255.255.255.255
[110/16] via 172.17.10.73, 2w6d, TO_RT02_OUTSIDE-2
O 172.17.255.5 255.255.255.255
[110/10] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O 172.17.255.6 255.255.255.255
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O E2 172.31.0.0 255.255.0.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O IA 172.169.10.0 255.255.255.0
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.169.18.0 255.255.255.0
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 172.169.253.0 255.255.255.0
[110/12] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O IA 192.168.168.0 255.255.255.0
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
O E2 198.18.1.4 255.255.255.252
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O 198.18.1.8 255.255.255.252
[110/11] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1

> show failover
descriptor exec history interface state statistics |

> show failover state

State Last Failure Reason Date/Time
This host - Secondary
Active None
Other host - Primary
Standby Ready Comm Failure 09:58:15 UTC Jun 1 2022

====Configuration State===
Sync Done
====Communication State===
Mac set

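The first reply's point about administrative distance (static AD 1 versus OSPF AD 110) and the show route tables posted above can be checked mechanically. The following script is an added example, not code from this thread or from Cisco: it parses an excerpt of the FTD-A show route output (taken from the post above, with the CLI's wrapped two-line entries joined), performs the longest-prefix-match lookup that the data plane would do for the FMC address 172.16.1.31 from show managers, and then models adding a data-plane static route for the same prefix to show that it wins on its default AD of 1 and loses if its AD is raised above 110. Note that this is the data-plane table; the management0 interface uses the separate gateway shown by show network, which is what configure network static-routes changes. The names Route, parse_show_route, lookup and static_route are chosen here and are not FTD commands.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Excerpt of the FTD-A "show route" output posted above (data-plane routing
# table). The CLI wraps some entries onto two lines; continuation lines start
# with "[" or "is directly", exactly as printed.
SHOW_ROUTE_EXCERPT = """\
Gateway of last resort is 172.17.10.65 to network 0.0.0.0

O*E1 0.0.0.0 0.0.0.0 [110/1010] via 172.17.10.65, 2w6d, TO_RT01_OUTSIDE-1
O E2 172.16.1.0 255.255.255.0
[110/1] via 172.17.10.83, 6d16h, TO_HXSW01_INSIDE-1
O IA 172.17.0.0 255.255.248.0
[110/20] via 172.17.10.83, 2w6d, TO_HXSW01_INSIDE-1
C 172.17.10.80 255.255.255.248
is directly connected, TO_HXSW01_INSIDE-1
L 172.17.10.82 255.255.255.255
is directly connected, TO_HXSW01_INSIDE-1
"""

FMC_IP = "172.16.1.31"  # "Host" in the show managers output above

# One routing-table entry: code(s), destination, mask, then either
# "[AD/metric] via GW, age, IFACE" or "is directly connected, IFACE".
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z0-9*]+(?:\s+(?:E1|E2|IA|N1|N2|EX|L1|L2))?)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<gw>\d+\.\d+\.\d+\.\d+),\s*\S+,\s*(?P<iface>\S+)"
    r"|is directly connected,\s*(?P<ciface>\S+))$"
)


@dataclass(frozen=True)
class Route:
    code: str
    network: ipaddress.IPv4Network
    ad: int          # administrative distance (0 for connected/local)
    metric: int
    gateway: Optional[str]
    iface: str


def _join_continuations(text: str) -> List[str]:
    """Re-attach the CLI's wrapped second lines to their entry."""
    entries: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if entries and (line.startswith("[") or line.startswith("is directly")):
            entries[-1] += " " + line
        else:
            entries.append(line)
    return entries


def parse_show_route(text: str) -> List[Route]:
    routes: List[Route] = []
    for entry in _join_continuations(text):
        m = ROUTE_RE.match(entry)
        if not m:
            continue  # legend, "Gateway of last resort", prompts
        net = ipaddress.ip_network(f"{m['dst']}/{m['mask']}", strict=False)
        if m["ciface"]:
            routes.append(Route(m["code"], net, 0, 0, None, m["ciface"]))
        else:
            routes.append(Route(m["code"], net, int(m["ad"]), int(m["metric"]), m["gw"], m["iface"]))
    return routes


def lookup(routes: List[Route], ip: str) -> Optional[Route]:
    """Longest prefix match; for equal prefix length the lowest AD wins, then lowest metric."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.ad, r.metric))


def static_route(iface: str, dst: str, mask: str, gateway: str, ad: int = 1) -> Route:
    """Model of a data-plane 'route IFACE DST MASK GW [AD]' entry; the default AD is 1."""
    net = ipaddress.ip_network(f"{dst}/{mask}", strict=False)
    return Route("S", net, ad, 0, gateway, iface)


if __name__ == "__main__":
    table = parse_show_route(SHOW_ROUTE_EXCERPT)
    print("FMC via OSPF:   ", lookup(table, FMC_IP))
    table.append(static_route("TO_HXSW01_INSIDE-1", "172.16.1.0", "255.255.255.0", "172.17.10.83"))
    print("FMC with static:", lookup(table, FMC_IP))
```

Running it prints the OSPF E2 route for 172.16.1.31 first and the static route second, which is the "AD 1 beats 110" behaviour the reply describes; the same lookup for the management address 172.17.2.10 lands on the 172.17.0.0/21 inter-area route, a reminder that the data plane and management0 reach that subnet by different paths.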

Translator (Community Manager)

To ping from the FMC you need to be root, so log in to the CLI, enter expert mode, and then run sudo su -

Can you issue the command show managers on both FTDs?

FTD-A 172.17.2.10 (not managed, primary, not active)
> show managers
Type : Manager
Host : 172.16.1.31
Registration : Completed

>
FTD-B 172.17.2.11 (managed, secondary, active)
> show managers
Type : Manager
Host : 172.16.1.31
Registration : Completed

>


FMC-SSH

Last login: Fri Jun 24 04:46:39 2022 from 172.17.3.68

Copyright 2004-2020, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.4.0 (build 2)
Cisco Firepower Management Center for VMWare v6.4.0.7 (build 53)

>

configure Change to Configuration mode
exit Exit this CLI session
expert Invoke a shell
show Change to Show Mode
system Change to System Mode

> expert
admin@ASCHZXS-12F-JF-A02-CISCO-FMC-01:~$ ping 172.17.2.10
ping: icmp open socket: Operation not permitted
admin@ASCHZXS-12F-JF-A02-CISCO-FMC-01:~$

Translator (Community Manager)

To ping from the FMC you need root privileges (sudo su -).

However, according to the show managers output, the FMC is successfully registered with the FTD devices.
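This reply and the earlier one both note that ICMP from the FMC shell needs root, and the earlier reply suggests testing tcp/8305 instead. An unprivileged TCP connect to the management port exercises the same path, including any firewall rule in between, without needing a raw socket. The script below is an added example, not from this thread or from Cisco; tcp_reachable, loopback_listener and closed_port are names chosen here, and the loopback listener is a constructed stand-in for the FMC so the check also runs offline.

```python
import socket
import sys
import threading
from typing import Tuple

MANAGEMENT_PORT = 8305  # "Management port : 8305" in the show network output above


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> Tuple[bool, str]:
    """Attempt a plain TCP handshake (no root needed, unlike ICMP ping).

    A completed handshake shows that routing in both directions and any ACL on
    the path allow the port; it says nothing about sftunnel registration itself.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        return False, "timeout (filtered on the path, or no return route)"
    except ConnectionRefusedError:
        return False, "refused (host reachable, nothing listening on the port)"
    except OSError as exc:
        return False, f"error ({exc.strerror or exc})"


def loopback_listener() -> int:
    """Constructed stand-in for the FMC: accepts one connection on 127.0.0.1
    and returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def accept_once() -> None:
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=accept_once, daemon=True).start()
    return srv.getsockname()[1]


def closed_port() -> int:
    """Reserve and release an ephemeral port so a connect to it is refused."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    # Usage: python check_8305.py <fmc-or-ftd-ip> [port]; with no arguments it
    # runs the loopback demo instead of touching the network.
    if len(sys.argv) > 1:
        target = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else MANAGEMENT_PORT
    else:
        target, port = "127.0.0.1", loopback_listener()
    ok, detail = tcp_reachable(target, port)
    print(f"tcp/{port} to {target}: {detail}")
    sys.exit(0 if ok else 1)
```

A "refused" result means the host answered, so routing works and only the listener is missing; a "timeout" is what a missing return route or an intermediate firewall drop looks like, which is the case the earlier reply is trying to separate out.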

But the FMC shows this FTD as disabled and it cannot be managed.


I want to try adding an any/any rule on the FTD CLI to see whether a policy is what prevents FTD-A from connecting to the FMC. How do I write such a rule in the CLI and save it so that it takes effect?

Since I only took over this device later: this FTD has been disconnected since November 2021.

Or how should I go about requesting remote technical support?
