
access list for SFR module on ASA5516X

tato386
Level 6

Using FMC I can use platform settings to restrict IPs from accessing FTD interfaces via SSH but platform settings does not seem to be available for SFR modules.  Is there another way to restrict SSH access to SFR based on IPs?

Thanks,

Diego

4 Replies 4

balaji.bandi
Hall of Fame

I don't recall that setting. A quick and dirty way is (if the gateway router supports ACLs) to use an ACL to limit which IPs are allowed.

https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html

Also check the hardening guide to see if any information can be obtained.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Looks like switch based ACL might be my only option.

Thanks @balaji.bandi 

Yes, that is a quick way to fix it, since the source is coming from that switch.

BB


Marvin Rhoads
Hall of Fame

Nothing is available on the SFR module itself to do this. So, like @balaji.bandi said, you would have to do it upstream, such as on the gateway L3 interface.
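
The upstream ACL suggested in this thread could look like the following on an IOS L3 switch or router. This is an added example, not configuration posted by anyone in the thread; the addresses, VLAN number and ACL name are placeholders chosen for illustration.

```cisco
! Constructed example: every address, the VLAN number and the ACL name are assumptions.
!   192.0.2.10       SFR module management IP (placeholder)
!   198.51.100.0/28  admin workstations allowed to SSH (placeholder)
ip access-list extended SFR-MGMT-SSH
 remark Allow SSH to the SFR module only from the admin subnet
 permit tcp 198.51.100.0 0.0.0.15 host 192.0.2.10 eq 22
 remark Drop and log every other SSH attempt to the module
 deny   tcp any host 192.0.2.10 eq 22 log
 remark Leave all other traffic (FMC management, ASA management) untouched
 permit ip any any
!
! Apply outbound on the gateway L3 interface of the VLAN that holds the
! SFR management address, so traffic routed toward the module is filtered.
interface Vlan10
 description Management VLAN for the SFR module (placeholder)
 ip access-group SFR-MGMT-SSH out
!
! Verify hit counts on the permit and deny entries with:
!   show ip access-lists SFR-MGMT-SSH
```

An ACL on the L3 interface only filters routed traffic, so hosts in the same VLAN as the SFR management address still reach it directly; covering those requires a port ACL or VLAN ACL on the switch.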
