Issues with setting up SSH on FTD via FMC on 2100

Hi,

 

We have the FTD and FMC connected over the management Ethernet interface. We have licensed the device via FMC. This is a 2120 FTD appliance. We are trying to set up SSH for the FTD appliance for troubleshooting purposes. We are following the procedure described in the link below.

 

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200701-Configuration-of-Management-access-to-FT.html

 

Under Device Management we are only able to see the data and diagnostic interfaces and not the management interface. Is this by design? We can ping the management interface of the firewall. We never had issues with the 4100 series, as we had the Firepower Chassis Manager; it looks like the procedure has changed with the 2100.

 

Has anyone got SSH set up for FTD from FMC?

Vaibhav

6 Replies

mikael.lahtela
Level 4
Hi,

SSH access to the 4100 and the 2100 is different.
On a 4100 you access FXOS through the management IP of FXOS, and FTD is accessed via the IP address configured at setup for FTD.
On a 2100 you SSH to the management address configured at setup, and from there you can access the other parts of the configuration.

For example, on a 2100 you would reach the lightweight FXOS by first SSHing to the management address (you'll get a prompt in FTD) and then typing connect fxos at that prompt.
I think there is a way to use another IP for management of FTD on the 2100, but I never bothered with that.

Hope I got this information right, off the top of my head. :)

br, Micke

Thanks a lot.

 

Under Device Management in FMC I can see the IP address of the management interface, but under the Interfaces option the management interface cannot be seen. It looks like it only shows the data interfaces configured on the FTD.

 

As per Cisco's link for setting up SSH from FMC under Platform Settings, we need to specify the interface and IP address for SSH management. But the management interface is not listed there. So how do we set up SSH management from FMC for the management interface?

 

Vaibhav

The guide is for when you want to allow SSH to one of your configured data interfaces.

Let's say you want to allow SSH to the inside interface at 172.16.0.1 from the LAN.

 

br, Micke

Hi Mikael,

 

Thanks for your quick response. I tried the procedure for the data interface and deployed the policy as well. But when I SSH to the data interface there is no password prompt. I can ping the same data interface. It looks like there is something buggy or something different about the 2100.

 

Regards

 

Vaibhav
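A quick check for the symptom described in this post (ping works, but the SSH session never presents a prompt), added here as an example and not something from the thread or from Cisco: it opens TCP/22 to the interface and reads the server's SSH identification string (RFC 4253 section 4.2). That separates "policy not in effect or connection dropped" (timeout or refused) from "an SSH listener answered but something later in the session is wrong" (banner received). The loopback listener and the banner text are constructed for offline use; the 172.16.0.1 address in the comment is the one from Micke's example above and is an assumption about your topology.

```python
import socket
import threading


def probe_ssh_banner(host, port=22, timeout=5.0):
    """Connect to host:port over TCP and read the SSH identification string.

    Returns a (status, detail) tuple:
      ("banner", "SSH-2.0-...")  an SSH server answered, so the listener is up
      ("no-banner", text|None)   TCP connected but no SSH banner arrived
      ("refused", None)          nothing listening on that port
      ("timeout", None)          connect or read timed out (filtered / dropped)
      ("error", message)         any other socket error
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            # RFC 4253 section 4.2: the server sends "SSH-protoversion-softwareversion"
            # terminated by CR LF before any key exchange or authentication, so a
            # connection that opens but never yields this line is not talking SSH.
            data = b""
            while b"\n" not in data and len(data) < 255:
                chunk = sock.recv(255 - len(data))
                if not chunk:
                    break
                data += chunk
    except ConnectionRefusedError:
        return ("refused", None)
    except socket.timeout:
        return ("timeout", None)
    except OSError as exc:
        return ("error", str(exc))
    line = data.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
    if line.startswith("SSH-"):
        return ("banner", line)
    return ("no-banner", line or None)


def serve_banner_once(banner, host="127.0.0.1"):
    """Start a one-shot TCP listener on an ephemeral localhost port that sends
    `banner` (possibly empty) to the first client and then closes. This stands
    in for the firewall so the probe can be exercised offline; returns the port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            if banner:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    # Constructed banner in the style of an ASA/FTD SSH server; not captured
    # from a real device.
    healthy = serve_banner_once(b"SSH-2.0-Cisco-1.25\r\n")
    silent = serve_banner_once(b"")
    print("healthy listener:", probe_ssh_banner("127.0.0.1", healthy))
    print("silent listener: ", probe_ssh_banner("127.0.0.1", silent))
    # Against a real deployment (assumed address from the example above):
    # probe_ssh_banner("172.16.0.1") from a host on the LAN, after the
    # Platform Settings policy has been deployed.
```

If the probe times out or is refused, the FTD is not accepting TCP/22 on that interface at all, so the Platform Settings SSH entry (interface, source network) or its deployment is the place to look; if a banner comes back but the interactive client still shows no prompt, the listener is fine and the problem sits later in the session (key exchange, authentication or the client side).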

If possible, try to reload the device; I know there have sometimes been issues with that.
Most of my deployments use SSH to the OOB management port.

br, Micke

Hi,

I think the 2100 shares the management interfaces the same way the 5500-X does:
- What you configure in the initial setup is FTD management, used to register to FMC, apply policies, send events, etc. It's what you see in FMC under Devices > Device Management > Management. (interface br1)

- What you configure in ASA, or in the Interfaces section, for diagnostic etc. is your true direct troubleshooting ASA CLI. (management0/0 or diagnostic0/0)

 

Please check the following link for the complete story: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/212420-configure-firepower-threat-defense-ftd.html

 

It's not recommended to configure them both, because you'll have to use a separate OOB network for them and not an existing FTD data interface subnet (i.e., placing management in the inside segment so that the ASA can be the DG for the management network).

 

Thanks,
Octavian
