01-30-2018 11:55 PM - edited 02-21-2020 07:14 AM
Hi,
We have the FTD and FMC connected over the management ethernet interface. We have licensed the device via FMC. This is a 2120 FTD appliance. We are trying to setup SSH for the FTD appliance for troubleshooting purposes. We are following the procedure mentioned in the below link.
Under device management we are only able to see the data and diagnostic interfaces and not the management interface. Is this by design? We can ping the management interface of the firewall. We never had this issue with the 4100 series as we had the Firepower Chassis Manager; it looks like the procedure has changed with the 2100.
Has anyone got SSH set up for FTD from FMC?
Vaibhav
01-31-2018 02:40 PM
02-01-2018 01:13 PM
Thanks a lot.
Under device management in FMC I can see the IP address of the management interface. But under the Interfaces option the management interface cannot be seen. It looks like it only shows the data interfaces configured on the FTD.
As per the Cisco link for setting up SSH from FMC under Platform Settings, we need to specify the interface and IP address for SSH management. But the management interface is not listed there. So how do we set up SSH management from FMC for the management interface?
Vaibhav
02-01-2018 01:17 PM
The guide is for when you want to allow SSH to one of your configured data interfaces.
Let's say you want to allow SSH to the inside interface of 172.16.0.1 from the LAN.
br, Micke
02-01-2018 02:22 PM
Hi Mikael,
Thanks for your quick response. I tried the procedure for the data interface and deployed the policy as well. But on doing SSH to the data interface there is no password prompt. I can ping the same data interface. It looks like something is buggy or different with the 2100.
Regards
Vaibhav
02-01-2018 02:47 PM
02-02-2018 12:37 AM
Hi,
I think that the 2100 shares the management interfaces like the 5500-X does:
- What you configure in the initial setup is the FTD management interface, used to register to FMC, apply policies, send events, etc. It's what you see in FMC in the Devices > Device Management > Management section. (interface br1)
- What you configure in ASA or in the Interfaces section for diagnostic etc. is your true direct troubleshooting ASA CLI. (management0/0 or diagnostic0/0)
Please check the following link for the complete story: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/212420-configure-firepower-threat-defense-ftd.html
It's not recommended to configure them both because you'll have to use a separate OOB network for them and not an existing FTD data interface subnet (i.e. place management in the inside segment so that the ASA can be the DG for the management network).
Thanks,
Octavian