cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
271
Views
5
Helpful
5
Replies
Highlighted
Beginner

Cisco ASA 5506x FTD FMC managed - Management Interface Options

Hi all,

 

I´m really trying to find out, what is possible in regards to the management options with a FTD Device managed by Firepower. We know the basic and simple options using the management interface. The physical management Interface is shared with the virtual diagnostic Interface. I don´t really know a real world benefit of this, but anyways.

 

 

We would like to know, if we can avoid using the physical management interface and connect directly to an interface from the FTD device itself. In this case we are using transparent mode and created an BVI for that. Imagine this setup:

 

image.png

 

So on FW1 and FW2 we have transparent Mode enabled, with a BVI1. Think of a /24 transfer network between the routers and switches, where the firewalls also have an IP configured in. Is it possible to use this BVI1 instead of the Management Interface? And if, what needs to be done, I didn´t find any examples for this. In the last link below, i just found this statement:

 

"Note: On FTD devices running software version 6.0.1, the diagnostic CLI is not  directly accessible over the IP that is configured for br1 of the FTD. However, on FTD devices running software version 6.1.0, the converged CLI is accessible over any interface configured for management access, however, the interface must be configured with an IP address."

 

But is that only restricted to SSH and HTTPS access like described? What does http access actually mean? Is this the service, normally running on port tcp/8305 for Firepower Events+Config?

 

 

I read a lot of documents, including:

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/5506X/ftd-fmc-5506x-qsg.html?referring_site=RE&pos=3&page=https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/5506X/ftd-fdm-5506x-qsg.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/interface_overview_for_firepower_threat_defense.html

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200701-Configuration-of-Management-access-to-FT.html

 

Would appreciate your comments/hints.

 

Thanks,

Sebastian

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Master

Re: Cisco ASA 5506x FTD FMC managed - Management Interface Options

They don't say so explicitly in the article you linked, but I believe it is referring to setting up access to the Management-Diagnostic interface. Step 2 implies as much when they say "This is a necessary step because locally configured users do not have direct access to the diagnostic CLI."

This article explains the distinction between the two types of management interfaces:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/212420-configure-firepower-threat-defense-ftd.html

5 REPLIES 5
Hall of Fame Master

Re: Cisco ASA 5506x FTD FMC managed - Management Interface Options

You must use the physical management interface. That applies whether in transparent or routed mode. Whether ASA with Firepower services or ASA with FTD.

Beginner

Re: Cisco ASA 5506x FTD FMC managed - Management Interface Options

Thanks for your answer.

 

In this context, what purpose is this for:

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200701-Configuration-of-Management-access-to-FT.html

 

There we can read:

 

"This document describes the configuration of  management access to a Firepower Threat Defense (FTD) (HTTPS and SSH) via Firesight Management Center (FMC)."

 

Would be interesting, what we can achieved by this. Is it something useful? Does it work with BVI Interfaces, as there it is not possible to define a zone for a BVI? I did not manage to get access over the BVIs IP via https or ssh... Just tried it.

 

Hall of Fame Master

Re: Cisco ASA 5506x FTD FMC managed - Management Interface Options

They don't say so explicitly in the article you linked, but I believe it is referring to setting up access to the Management-Diagnostic interface. Step 2 implies as much when they say "This is a necessary step because locally configured users do not have direct access to the diagnostic CLI."

This article explains the distinction between the two types of management interfaces:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/212420-configure-firepower-threat-defense-ftd.html

Beginner

Re: Cisco ASA 5506x FTD FMC managed - Management Interface Options

I think that helps. Thank you.

Hall of Fame Master

Re: Cisco ASA 5506x FTD FMC managed - Management Interface Options

You're welcome.

Please rate helpful answers - it encourages participation and improves the quality of the site for everybody.