Unable to SSH Management Interface Cisco 1120

kleemisch
Level 1

Can someone let me know where the settings are located to SSH into the management interface? I can SSH from my desktop (10.250.3.x subnet) but can't from the server subnet.


It seems you're having trouble accessing the management interface of your Cisco FPR-1120 firewall via SSH from a specific subnet. Here are some suggestions to troubleshoot and resolve this issue:

Check SSH access list:
Connect to the firewall's CLI via console or from a working SSH connection. Run the command show ssh-access-list to view the current SSH access configuration. Ensure that the server subnet is included in the access list. Also, if this server is in a different subnet, you have to allow it (define an access list in order to connect via SSH to the server); in ASA the command is like this: ssh 10.60.0.0 255.255.0.0 inside

Verify user accounts:
Use the command show user to check the configured user accounts. Make sure the account you're using has the necessary privileges for SSH access.

Review platform settings in FMC:
If you're managing the device through Firepower Management Center (FMC), check the platform settings for SSH configuration. Ensure that SSH is enabled for the management interface and the correct IP ranges are allowed.

Check routing:
Verify that there's a valid route from the server subnet to the management interface. You may need to add a static route using the configure network static-routes command if it's not already in place.

Firewall rules:
Although SSH access doesn't typically require an explicit access rule, double-check that there are no firewall rules blocking SSH traffic from the server subnet to the management interface.

Interface configuration:
Confirm that the management interface is properly configured with the correct IP address and subnet mask. Use the show interface command to verify the interface status and configuration.

SSH version and ciphers:
Ensure that the SSH client on the server is compatible with the firewall's SSH configuration. The firewall supports specific encryption, integrity, and key exchange methods.

Network connectivity:
Try pinging the management interface from the server to ensure basic network connectivity.

Diagnostic interface vs. Management interface:
Be aware that the diagnostic interface and management interface are different. SSH access via the diagnostic interface is not supported from FTD 6.1 onwards.

please do not forget to rate.

Thank you, that is my issue. I have an access list only allowing certain computers; I found this by running the show ssh-access-list command. What is the command to add another computer?

Check this link; it will put you in the right direction to fix the issue:

https://community.cisco.com/t5/network-security/ftd-management-access-restriction-does-not-work-for-management/td-p/3781668

please do not forget to rate.

Gopinath_Pigili
Spotlight

Hello kleemisch,

Please go through the following link; under step 3 you can find the SSH settings:

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200701-Configuration-of-Management-access-to-FT.html

Best regards
******* If This Helps, Please Rate *******

@kleemisch if using the FTD image, you use the command "configure ssh-access-list" from the CLI to restrict/permit SSH access to the management interface.
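As an added example (not from the thread or from Cisco), a small Python helper that checks whether a given source host is covered by the entries of the SSH access list and builds the updated list value. The sample list text is constructed, since the thread names show ssh-access-list but does not show its output, and the comma-separated CIDR argument format for configure ssh-access-list is an assumption.

```python
"""Check an FTD SSH access list against a connecting host (added example,
not from the thread). The sample list is constructed: the thread names
`show ssh-access-list` but not its output, so one entry per line is
assumed, in CIDR form or the ASA-style "address mask" form quoted above."""
import ipaddress
from typing import List, Optional

# Constructed sample: only two desktop hosts are permitted, which is
# the situation the original poster describes.
SAMPLE_ACCESS_LIST = """
10.250.3.15/32
10.250.3.27/32
"""

def parse_entries(text: str) -> List[ipaddress.IPv4Network]:
    """Parse one entry per line, skipping blanks. An "a.b.c.d m.m.m.m"
    pair is rewritten as a.b.c.d/m.m.m.m, which ip_network accepts."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        cidr = "/".join(parts) if len(parts) == 2 else parts[0]
        entries.append(ipaddress.ip_network(cidr, strict=False))
    return entries

def permitting_entry(entries, host: str) -> Optional[ipaddress.IPv4Network]:
    """Return the first entry containing `host`, or None when the access
    list would reject an SSH connection from that host."""
    addr = ipaddress.ip_address(host)
    return next((net for net in entries if addr in net), None)

def proposed_list(entries, new_entry: str) -> str:
    """Build the argument for `configure ssh-access-list` (assumed here to
    be a comma-separated CIDR list) with `new_entry` appended if absent.
    Adding a single host as /32 keeps the list as narrow as possible."""
    new_net = ipaddress.ip_network(new_entry, strict=False)
    nets = entries if new_net in entries else entries + [new_net]
    return ",".join(str(n) for n in nets)

if __name__ == "__main__":
    current = parse_entries(SAMPLE_ACCESS_LIST)
    server = "10.60.4.20"  # constructed address on the server subnet
    print("permitted by:", permitting_entry(current, server))  # None
    print("new list:", proposed_list(current, server + "/32"))
```

Paste the real device output into SAMPLE_ACCESS_LIST and the server's address into server; a None result means the access list, not routing, is what rejects the connection.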

If you do not configure the GW for the mgmt interface, then it cannot reply to any subnet outside its own subnet.

This GW can be the FW itself or any L3 device.

MHM
