ASA FPR 1100 FDM lost https access

Calin Cristea (Level 1)

Hi,

I have a Cisco ASA FPR 1100 running with FDM. I had access via HTTPS. I have a VPN client profile, and I made some changes to the Cisco AnyConnect VPN profile, meaning that I replaced the local certificate with a public certificate, in order not to get that security warning when connecting via the VPN client.

After I changed the certificate (in the VPN client menu / global settings / certificate of device identity), I lost connectivity via HTTPS on the data interface. I cannot telnet to the local IP on port 443. SSH is also not working (but I think it did not work before either).

I think I need to go to the ASA via console.

Does anyone know what commands I need to enter to get HTTPS back on the local IP (not the public IP)?

The CLI is kind of weird, and not the same as the old ASA.
I need to mention that I do not have FMC, only FDM.

1 Accepted Solution

Accepted Solutions

@Calin Cristea yes that is how you setup the management interface on an FTD - https://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/c_3.html#wp3839275562

You will obviously have to connect your computer to the management interface in order to connect to the FDM GUI.

When you ping from the management interface you use "ping system <ip address>", whereas when you ping from a data interface you use "ping <ip address>".

Regardless, in the first reply I was referring to the management port, not the management interface. I wanted you to confirm the management port and the HTTP allowed networks/interface by connecting to the console CLI.

6 Replies

@Calin Cristea you have to perform 99.9% of the configuration of the device using the FDM GUI.

Did you change the management port by any chance? Connect the console cable to the device, then run "show run http" and determine the management port - "http server enable 8443". Then connect to the IP address in the web browser using the port as configured.

The output from that command will also tell you which networks on which interfaces can connect to the FDM GUI - "http 192.168.6.0 255.255.255.0 vlan6" - in which case you can only connect to the FDM GUI from the network defined.
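The reply above says the "show run http" output is what tells you the management port and which networks, on which interfaces, may reach the FDM GUI. The following is an added example, not code from the thread or from Cisco: a small Python parser for that output that answers "would a client at this address, arriving on this interface, be allowed to reach FDM, and on which URL?". The sample configuration lines are constructed (the port and networks are made up, though the line formats follow the ones quoted in the reply), and the assumption that "http server enable" without a port means 443 is mine.

```python
import ipaddress
import re
from typing import List, NamedTuple

# Constructed sample of "show run http" output. The line formats follow the
# two lines quoted in the reply above; the port and networks are made up.
SAMPLE_SHOW_RUN_HTTP = """\
http server enable 8443
http 192.168.6.0 255.255.255.0 vlan6
http 10.10.0.0 255.255.0.0 inside
"""


class HttpAllowRule(NamedTuple):
    """One 'http <network> <mask> <interface>' line."""
    network: ipaddress.IPv4Network
    interface: str


class HttpConfig(NamedTuple):
    enabled: bool
    port: int
    rules: List[HttpAllowRule]


def parse_show_run_http(text: str) -> HttpConfig:
    """Parse 'show run http' output into the server state plus allow rules.

    Assumption: 'http server enable' with no explicit port listens on 443.
    """
    enabled = False
    port = 443
    rules: List[HttpAllowRule] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"http server enable(?: (\d+))?", line)
        if m:
            enabled = True
            if m.group(1):
                port = int(m.group(1))
            continue
        m = re.fullmatch(r"http (\S+) (\S+) (\S+)", line)
        if m:
            # Build the network from address + dotted mask; strict=False
            # tolerates host bits in the address field.
            net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
            rules.append(HttpAllowRule(net, m.group(3)))
    return HttpConfig(enabled, port, rules)


def fdm_access_allowed(config: HttpConfig, client_ip: str, interface: str) -> bool:
    """True if the HTTP server is on and some rule permits this client on this interface."""
    if not config.enabled:
        return False
    addr = ipaddress.IPv4Address(client_ip)
    return any(addr in rule.network and rule.interface == interface for rule in config.rules)


def fdm_url(config: HttpConfig, device_ip: str) -> str:
    """The URL to try in the browser, using the configured port (as the reply suggests)."""
    return f"https://{device_ip}:{config.port}/"


if __name__ == "__main__":
    cfg = parse_show_run_http(SAMPLE_SHOW_RUN_HTTP)
    print("FDM listening:", cfg.enabled, "on port", cfg.port)
    for rule in cfg.rules:
        print("  allowed:", rule.network, "via", rule.interface)
    print("client 192.168.6.20 on vlan6:", fdm_access_allowed(cfg, "192.168.6.20", "vlan6"))
    print("client 192.168.7.20 on vlan6:", fdm_access_allowed(cfg, "192.168.7.20", "vlan6"))
    print("try:", fdm_url(cfg, "192.168.6.1"))
```

Paste the real "show run http" output from the console session into SAMPLE_SHOW_RUN_HTTP to check your own client address and interface; a "False" result for the address you are connecting from points at the allowed-network list rather than at the certificate change.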

Hi Rob,

Thank you for your reply. In case I do not have an IP address set up on the management interface, can I set up an IP via the CLI?

On the data interface it is set up, but I do not understand what happened that I lost HTTPS access. Can I enable the HTTP server via the CLI?

I think this is what happened; it got disabled somehow.

@Calin Cristea yes you can configure the management interface via the CLI using the command "configure network ipv4 manual <ip address> <mask> <gw>" - then you can get access to the FDM GUI to reconfigure.

@Rob Ingram, are you sure this is the way to set up an IP address on the management interface?

I tried that first in a dCloud lab on a Cisco ASA Firepower, and after that I lost connectivity to the device.

This is what I set up, and afterwards there was no ping to the device's data interface:

> configure network ipv4 manual 192.168.20.10 255.255.255.0 192.168.20.1
Setting IPv4 network configuration.


Hello, it seems that I have managed to gain access after rebooting the Cisco ASA. Access for HTTPS and SSH was there, it just got stuck. Might be a bug, or they just have to work on improving the GUI overall. I miss the old ASA....

Thank you @Rob Ingram for the advice.