Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1063
Views
0
Helpful
1
Replies

Firepower 2100 SSH

zekebashi
Level 4
Level 4

‎06-26-2018 03:30 PM - edited ‎02-21-2020 07:55 AM

Hello,

 

I am a bit confused about how to configure remote access for the FXOS. The doc below states to use a data interface and not the Management 1/1 interface to remotely access the FXOS. Does that mean I will need to configure a dedicated physical interface with and IP address and add http, ssh, and snmp to the access-list? What else will need to configure besides just configuring a data interface? 

 

Thanks, ~zK

 

 

https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/fp2100/asa-2100-gsg/getting-started.html

" Configure Management Access for FXOS on Data Interfaces

If you want to manage FXOS on the Firepower 2100 from a data interface, you can configure SSH, HTTPS, and SNMP access. This feature is useful if you want to manage the device remotely, and you want to keep Management 1/1 on an isolated network. You can continue to use Management 1/1 for local access; you cannot allow remote access from Management 1/1 for FXOS at the same time as forwarding traffic to the ASA data interfaces because you can only specify one gateway. By default, the FXOS management gateway is the internal path to the ASA.

The ASA uses non-standard ports for FXOS access; the standard port is reserved for use by the ASA on the same interface. When the ASA forwards traffic to FXOS, it translates the non-standard destination port to the FXOS port for each protocol (do not change the HTTPS port in FXOS). The packet destination IP address (which is the ASA interface IP address) is also translated to an internal address for use by FXOS. The source address remains unchanged. For returning traffic, the ASA uses its data routing table to determine the correct egress interface. When you access the ASA data IP address for the management application, you must log in using an FXOS username; ASA usernames only apply for ASA management access.

You can also enable FXOS management traffic initiation on ASA data interfaces, which is required for SNMP traps, or NTP and DNS server access, for example. By default, FXOS management traffic initiation is enabled for the ASA outside interface for DNS and NTP server communication (required for Smart Software Licensing communication)."

1 person had this problem
Labels:
0 Helpful
1 Reply 1

balaji.bandi
Hall of Fame
Hall of Fame

‎06-26-2018 11:54 PM

Most of the use cases are :

If you have configured dedicated Management port in F2100. Most of the Enterprise/corporate have LAN Access that can be reachable to Management IP. which is secured since you are inside secure environment Network.

 

Accessing from Outside Enterprise network, suggest to use jump box and use management IP to Manage the device.

 

If this is not the case, then you can enable HTTP/SSH and management access for the device on any of the port, it is not required to be dedicated port. (but make sure it is protected in secure point of view).

 

Make Sense ?

 

BB

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card