Remote telnet/SSH access to FTD 2120 (Multi-context ASA mode)

JoshGreen07630
Level 1

Hi all,

I'm in the process of building a Cisco 2120 FTD appliance in Multi-Context (ASA) mode and I'm struggling with getting remote management access via telnet/SSH.

I've configured a bunch of standalone (HA pair) ASAs before and I have previously worked on Multi-Context firewalls, but never really built them up from scratch. I have the following two interfaces configured on the Admin context:

ContextFW/admin(config)# sh run int
!
interface Ethernet1/1
nameif LAN
security-level 0
ip address xxxx
!
interface Management1/1
management-only
nameif management
security-level 100
ip address 10.1.70.239 255.255.255.0

Management1/1 connects back to an OOB MGMT switch which has the correct VLAN + SVI configuration supporting the 10.1.70.x/24 subnet. I can ping the IP address from the switch, but if I initiate a telnet from the switch (including /source-interface of VLAN x) the connection just times out.

My telnet configuration is:

telnet 0.0.0.0 0.0.0.0 management   (just to keep it simple)
telnet timeout 5   (default)

As the interface is directly connected to the switch there is no routing required here, so I'm at a bit of a loose end. I have replicated the same management/telnet configuration on context A + B as shown below:

CONTEXT-A:
!
interface Ethernet1/1
nameif LAN
security-level 0
ip address x.x.x
!
interface Management1/1
management-only
nameif management
no security-level
ip address 10.1.70.237 255.255.255.0
!
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5
!

CONTEXT-B:
!
interface Ethernet1/1
nameif PARK-LAN
security-level 0
ip address XXXXX
!
interface Management1/1
management-only
nameif management
no security-level
ip address 10.1.70.251 255.255.255.0
!
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5

Are 3 MGMT addresses normal? Could I be confusing the device/network?

SSH also doesn't work. I think that could be due to the fact that the device is currently unlicensed and has no strong encryption?

For additional context, I built a standalone ASA (2120) and configured the mgmt address exactly the same, same switch, same VLAN, and I can telnet to that device.

Any thoughts? Probably something really simple, but I can't seem to find any solid content online.

Thanks,
Josh

balaji.bandi
Hall of Fame

Not sure what license you have. If you are able to create 2 contexts, that means, I believe, you have a context license; or post "show version" and "show license" output to look at and verify.

Telnet is not secure, but for testing your environment it can be done. You need to configure each context with just the telnet config as mentioned in the document below (make sure the admin context is configured):

Do you have IP reachability? Routing to reach that network for that context? That is the first step. Second, what errors do you see when you try to telnet?

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/ha-contexts.html

BB
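The reply's two checks (reachability, then what the telnet attempt actually returns) can be run from the management switch's subnet in one go. This is an added diagnostic, not code from the thread or from Cisco; it assumes the three management addresses exactly as posted, the standard TCP ports 23 and 22, and that a silent timeout versus an immediate refusal is what distinguishes "packets dropped or not permitted" from "host up but nothing listening".

```python
import errno
import socket

# Management addresses as posted (admin, CONTEXT-A, CONTEXT-B); the ports are
# the standard telnet/ssh ports, not something taken from the thread.
CONTEXT_MGMT = {"admin": "10.1.70.239", "CONTEXT-A": "10.1.70.237", "CONTEXT-B": "10.1.70.251"}
PORTS = {"telnet": 23, "ssh": 22}

VERDICT_HINT = {
    "open": "TCP handshake completed; the service is listening and permitted.",
    "refused": "Host reachable but nothing accepted the connection on this port.",
    "timeout": "SYN silently dropped: ping may still work; check the context's "
               "telnet/ssh statement, the nameif it references and the source address.",
    "unreachable": "No route or ARP resolution to the host from this machine.",
}

def probe(host, port, timeout=3.0):
    """Attempt one TCP connect and classify the outcome."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:          # no SYN-ACK and no RST within the timeout
            return "timeout"
        except ConnectionRefusedError:  # RST came back: host up, port closed
            return "refused"
        except OSError as e:
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "unreachable"
            return "error"

def probe_contexts(contexts=CONTEXT_MGMT, ports=PORTS, timeout=3.0):
    """Probe every context/service pair; returns {(context, service): verdict}."""
    return {(name, svc): probe(ip, port, timeout)
            for name, ip in contexts.items() for svc, port in ports.items()}

def self_check():
    """Offline sanity check: a local listener reads 'open', then 'refused' once closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        listening = probe("127.0.0.1", port, 1.0)
    closed = probe("127.0.0.1", port, 1.0)
    return listening, closed

if __name__ == "__main__":
    print("self-check:", self_check())
    for (name, svc), verdict in sorted(probe_contexts().items()):
        print(f"{name:10} {svc:6} {verdict:12} {VERDICT_HINT.get(verdict, '')}")
```

Run it from a host on the 10.1.70.0/24 management VLAN; a per-context "timeout" alongside a working ping is the symptom described in the question, while "refused" would mean the address answers but that context is not accepting the service.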
