Changing FTD SSH access-list

mrjelly
Level 1

Hello,

Is there a way to see an FTD's ssh-access-list through the FMC, and even see what's on it?

It appears that the way to set up an FTD's SSH access list is to use SSH access (or from the console too?).

 

Using the Threat Detection CLI in the FMC and selecting 'Show' then ssh-access-list gives back an error saying the command didn't work.

Accepted Solution

mrjelly
Level 1

Ok this is solved, the Management interface IP address was not the right one. Tracing the traffic coming out of the management interface, I could see two other IP addresses which were the firepower management IP addresses.
I was obviously reading the FMC settings incorrectly.

I looked at the device interfaces then the management interface settings and got the IP address from there. It was one bit higher than that.

Thank you all for your help and apologies.


13 Replies

balaji.bandi
Hall of Fame

Not sure what the case is here: seeing what is in the ACL using the CLI or SSH.

Unlike the ASA, there are many changes in FTD that we may not understand as expected, unless you spend more time and correlate them.

check command reference :

https://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/using_the_FTD_CLI.html

BB


@mrjelly to restrict SSH access to Data interfaces you configure a Platform Settings Policy from the FMC and deploy to the FTDs. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/interfaces-settings-platform.html#task_42B3A06C70E8415E8C024AE76FE79774

If using the Management interface, you configure an SSH access list using the command configure ssh-access-list from the CLI of the FTDs.

mrjelly
Level 1

Thank you, what I am stuck on is how to access the configure ssh-access-list command. If it's CLI only, but SSH is not set up, what are the default settings for the ssh-access-list, and is there any other way to access and configure this other than SSH?

I'm assuming the console works, but can it also be done via FMC?

FMC is always the preferred method, in my view.

If you would like to do it from the CLI (I would not suggest it), I have given a reference document for how you can do it (did you get a chance to read it?).

BB


@mrjelly what interfaces are you referring to? data or management?

You can only configure the SSH list for the management interface via the CLI, it's open to everyone that can route to it as default.

If you are referring to the data interface for SSH you have to control this using the Platform Settings policy.

mrjelly
Level 1

Yes this is the management interface I want to configure

@mrjelly like I said - For the Management interface, to configure an SSH access list from the CLI of the FTD use the configure ssh-access-list command, reference Cisco Secure Firewall Threat Defense Command Reference

The FMC platform settings will only show the access-list for SSH access using a data interface. For the management interface you would need to log in to the CLI to see it and configure it.

show ssh-access-list

configure ssh-access-list <values>

--
Please remember to select a correct answer and rate helpful posts
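The reply above names the two CLI commands but not what their output looks like or how to read it. As an added example, not code from the thread or from Cisco, here is a small Python helper that parses the iptables-style rules `show ssh-access-list` prints, answers whether a given management host is allowed, flags the "anywhere -> anywhere" default the thread later confirms, and renders a `configure ssh-access-list` line from a validated list of networks. The two sample outputs are constructed: the wide-open form matches what the thread shows, while the restricted form is an assumption about how a configured list is displayed, and the comma-separated CIDR argument syntax is taken from the command reference linked above.

```python
"""Offline checker for an FTD management-interface SSH access list.

Added example, not Cisco code. The real `show ssh-access-list` prints an
iptables -L style listing; only the wide-open line below is attested by the
thread, the restricted sample is an assumed illustration.
"""
import ipaddress
import re

# Constructed sample: the default, as reported in the thread (open to everyone).
SAMPLE_OPEN = """\
Chain SSH (1 references)
target     prot opt source               destination
accept     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
"""

# Constructed sample (assumed format) after restricting to one subnet and one host.
SAMPLE_RESTRICTED = """\
ACCEPT     tcp  --  192.168.45.0/24      anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  10.0.0.5             anywhere             state NEW tcp dpt:ssh
"""

# target, proto, opt, source, destination, then the match options (state NEW tcp dpt:ssh)
RULE_RE = re.compile(
    r"^\s*(ACCEPT|DROP|REJECT)\s+tcp\s+--\s+(\S+)\s+(\S+)\s+(.*)$", re.IGNORECASE
)


def parse_rules(listing):
    """Return [(target, source_network)] for every tcp rule aimed at dpt:ssh."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m or "dpt:ssh" not in m.group(4):
            continue  # header lines, non-ssh rules
        target, src = m.group(1).upper(), m.group(2)
        # iptables prints "anywhere" for 0.0.0.0/0; a bare host becomes a /32
        net = ipaddress.ip_network("0.0.0.0/0" if src == "anywhere" else src, strict=False)
        rules.append((target, net))
    return rules


def is_open_to_everyone(listing):
    """True if an ACCEPT rule matches the whole address space (the factory default)."""
    return any(t == "ACCEPT" and net.prefixlen == 0 for t, net in parse_rules(listing))


def ssh_allowed_from(listing, host):
    """First matching rule wins, as in iptables; no match is treated as denied."""
    addr = ipaddress.ip_address(host)
    for target, net in parse_rules(listing):
        if addr.version == net.version and addr in net:
            return target == "ACCEPT"
    return False


def build_configure_command(networks):
    """Validate each entry and render the FTD CLI line.

    Syntax per the command reference: configure ssh-access-list <addr>[,<addr>...]
    where each entry is an IP address or CIDR network. Hosts are emitted without /32.
    """
    parts = []
    for n in networks:
        net = ipaddress.ip_network(n, strict=False)
        parts.append(str(net.network_address) if net.num_addresses == 1 else str(net))
    return "configure ssh-access-list " + ",".join(parts)


if __name__ == "__main__":
    print("default list open to everyone:", is_open_to_everyone(SAMPLE_OPEN))
    print("192.168.45.10 allowed:", ssh_allowed_from(SAMPLE_RESTRICTED, "192.168.45.10"))
    print("10.0.0.6 allowed:", ssh_allowed_from(SAMPLE_RESTRICTED, "10.0.0.6"))
    print(build_configure_command(["192.168.45.0/24", "10.0.0.5"]))
```

Paste the real `show ssh-access-list` output into the script to audit a box; if `is_open_to_everyone` returns True, the management interface accepts SSH from any address that can route to it, which is the situation the reply above describes as the default.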

I will try that in my Lab and inform you the steps 
"after I return home"

thanks 

MHM

mrjelly
Level 1
Level 1

Hello, thanks all for your responses, so the ssh-access-list is accept tcp -- anywhere anywhere state NEW tcp dpt:ssh

so I can't see any issue with that.

I can see traffic from my management box to the management interface IP on ssh being allowed, yet I am getting a timeout.

 

Any thoughts?

To exclude any issues with the mgmt interface or FTD itself, place a PC on the same subnet as the mgmt interface and then try to SSH to it.  If the SSH session is successful then we know there is an issue somewhere between the FTD and the original PC.

--
Please remember to select a correct answer and rate helpful posts
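The isolation step suggested above (try from the same subnet and see whether the result changes) is easier to interpret when the probe distinguishes a connect timeout from a refused connection: a timeout means nothing answered at that address (wrong IP, host down, or a filter silently dropping), while a refusal means a host is up there but not listening on 22, and "open" means TCP works and any remaining failure is at the SSH layer. As an added example, not from the thread, here is a Python probe that classifies the TCP handshake to port 22 for a list of candidate management addresses; the loopback listener is a constructed stand-in for a reachable SSH daemon so the script can be exercised offline.

```python
"""Classify TCP reachability of candidate FTD management addresses on port 22.

Added example, not Cisco code. Results: "open" (handshake completed),
"refused" (RST from a live host), "timeout" (no answer within the deadline),
"unreachable" (ICMP unreachable or a local routing/socket error).
"""
import socket
import threading


def probe_tcp(host, port=22, timeout=3.0):
    """Attempt one TCP connect and return a one-word verdict."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:          # must precede OSError: timeout is an OSError subclass
        return "timeout"
    except ConnectionRefusedError:  # host answered with RST: up, but nothing on that port
        return "refused"
    except OSError:                 # ICMP unreachable, no route, etc.
        return "unreachable"
    finally:
        sock.close()


def probe_candidates(hosts, port=22, timeout=3.0):
    """Probe several addresses (e.g. every IP seen leaving the mgmt interface)."""
    return {host: probe_tcp(host, port, timeout) for host in hosts}


def start_local_listener():
    """Constructed stand-in for a reachable sshd: loopback listener on an ephemeral port.

    Returns (server_socket, port); close the socket to simulate the daemon going away.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def accept_loop():
        try:
            while True:
                conn, _ = srv.accept()
                conn.close()
        except OSError:
            pass  # listener closed

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


if __name__ == "__main__":
    srv, port = start_local_listener()
    print("while listening:", probe_tcp("127.0.0.1", port, 2.0))
    srv.close()
    print("after closing:", probe_tcp("127.0.0.1", port, 2.0))
    # Real use: candidate addresses are hypothetical placeholders, replace with yours.
    # print(probe_candidates(["192.0.2.10", "192.0.2.11"]))
```

Run it once from the original management box and once from a host on the FTD's management subnet; a "timeout" in both places for an address that the ssh-access-list permits points at the address itself rather than the list, which is what the original poster eventually found.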

