2141 Views | 5 Helpful | 7 Replies

Secure Shell configuration using local users not working for Firepower version 6.4

laukik.nahar1 (Level 1)

Dear Friends,

Tried configuring the Secure Shell from Devices->Platform Settings->Secure Shell.

Added an object with the IP address for the local Admin user and the interface from which it was taking access.

But the other users are also able to access the CLI using PuTTY.

Please find the attached error message while trying to deploy the policy.

URL followed for reference is:

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200701-Configuration-of-Management-access-to-FT.html

1 Accepted Solution: the reply by Marvin Rhoads below.

7 Replies

Marvin Rhoads (Hall of Fame)

You can proceed despite that warning. It's just telling you some part of the platform settings config contains a reference to deprecated protocols.

@Marvin Rhoads - The deployment was successful.

But the issue is that users other than those mentioned in the Secure Shell tab are able to log in (SSH) to the device.

Please find the attached screenshot.

In short, if the admin's IP address is 192.168.1.100, users other than admin are still able to reach SSH and get the login prompt.

Do you mean users coming from an address other than the defined admin address(es)?

Yes exactly...

I see the problem. The Platform settings are for ssh access to the data interface(s). See the online help which tells us the following:

If you want to allow SSH connections to one or more data interfaces on the FTD device, configure Secure Shell settings. SSH is not supported to the Diagnostic logical interface. The physical management interface is shared between the Diagnostic logical interface and the Management logical interface. SSH is enabled by default on the Management logical interface; however, this screen does not affect Management SSH access.

The Management logical interface is separate from the other interfaces on the device. It is used to set up and register the device to the Firepower Management Center. SSH for data interfaces shares the internal and external user list with SSH for the Management interface. Other settings are configured separately: for data interfaces, enable SSH and access lists using this screen; SSH traffic for data interfaces uses the regular routing configuration, and not any static routes configured at setup or at the CLI.

For the Management interface, to configure an SSH access list, see the configure ssh-access-list command in the Firepower Threat Defense Command Reference. To configure a static route, see the configure network static-routes command. By default, you configure the default route through the Management interface at initial setup.

I tried the above and confirmed it works.

Hi Marvin,

Your answer is 100% correct and it's really helpful.

Below are the steps to explain it in layman's terms:
On FMC -
Go to System -> Configuration -> Access List and add the IP address(es) for SSH and HTTPS access.
On FTD -
Use the CLI command "configure ssh-access-list 10.10.10.10/32, 10.10.10.11/32"

Thanks,
L.
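As an added example (not from this thread or from Cisco), a small Python check of the access-list step above: it parses the comma-separated CIDR argument in the same format the `configure ssh-access-list` command takes and flags SSH source addresses in constructed sample log lines that fall outside it, which is how you would confirm after deployment that the list was applied to the management scope rather than the data-interface scope. The log format and the addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample: the argument string from the thread's command, plus the
# admin host mentioned earlier, as the only intended SSH sources.
SSH_ACCESS_LIST = "10.10.10.10/32, 10.10.10.11/32, 192.168.1.100/32"

# Constructed sample log lines (assumed format, not real FTD output) showing
# SSH sources seen on the management interface after the policy deployment.
SAMPLE_LOG = """\
2024-01-01T10:00:01 sshd: Accepted password for admin from 192.168.1.100 port 51022
2024-01-01T10:00:07 sshd: Accepted password for admin from 192.168.1.57 port 51030
2024-01-01T10:00:12 sshd: Connection from 10.10.10.11 port 40110
2024-01-01T10:00:20 sshd: Connection from 172.16.4.9 port 40111
"""

SRC_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_access_list(arg):
    """Parse the comma-separated CIDR list used by configure ssh-access-list.
    strict=True rejects entries with host bits set (e.g. 10.10.10.10/24), so a
    typo cannot silently widen the allowed range."""
    nets = []
    for item in arg.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=True))
    return nets


def is_allowed(src, nets):
    """True if the source address falls inside any configured network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)


def unexpected_sources(log, nets):
    """Distinct SSH source addresses in the log that are outside the access
    list. Once the list is active on the management interface these should
    not appear; if they do, the restriction was configured in the wrong place."""
    seen, outside = set(), []
    for line in log.splitlines():
        match = SRC_RE.search(line)
        if match is None:
            continue
        src = match.group(1)
        if src not in seen and not is_allowed(src, nets):
            seen.add(src)
            outside.append(src)
    return outside
```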