
Cisco Firepower 1100 User Manual

Cisco Firepower 1100
176 pages
enable SSH and access lists using this screen; SSH traffic for data interfaces uses the regular routing
configuration, and not any static routes configured at setup or at the CLI.
For the Management interface, to configure an SSH access list, see the configure ssh-access-list command
in the Firepower Threat Defense Command Reference. To configure a static route, see the configure network
static-routes command. By default, you configure the default route through the Management interface at
initial setup.
To use SSH, you do not also need an access rule allowing the host IP address. You only need to configure
SSH access according to this section.
You can only SSH to a reachable interface; if your SSH host is located on the outside interface, you can only
initiate a management connection directly to the outside interface.
The device allows a maximum of 5 concurrent SSH connections.
Note: On all appliances, after a user makes three consecutive failed attempts to log into the CLI via SSH, the system
terminates the SSH connection.
Before you begin
You can configure SSH internal users at the CLI using the configure user add command. By default,
there is an admin user for which you configured the password during initial setup. You can also configure
external users on LDAP or RADIUS by configuring External Authentication in platform settings.
You need network objects that define the hosts or networks you will allow to make SSH connections to
the device. Select Objects > Object Management to configure objects.
Note: You cannot use the system-provided any network object. Instead, use any-ipv4
or any-ipv6.
Procedure
Step 1 Select Devices > Platform Settings and create or edit an FTD policy.
Step 2 Select Secure Shell.
Step 3 Identify the interfaces and IP addresses that allow SSH connections.
Use this table to limit which interfaces will accept SSH connections, and the IP addresses of the clients who
are allowed to make those connections. You can use network addresses rather than individual IP addresses.
a) Click Add to add a new rule, or click Edit to edit an existing rule.
b) Configure the rule properties:
IP Address—The network object that identifies the hosts or networks you are allowing to make SSH
connections. Choose an object from the drop-down menu, or add a new network object by clicking
+.
Security Zones—Add the zones that contain the interfaces to which you will allow SSH connections.
For interfaces not in a zone, you can type the interface name into the field below the Selected Security
Cisco Firepower 1100 Getting Started Guide
142
Firepower Threat Defense Deployment with a Remote FMC
Configure SSH on the FMC Access Data Interface
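
An added example, not from the Cisco guide: a Python pre-deployment check of a planned Secure Shell rule table against the constraints above (each rule pairs a network object with zones, and the system-provided any object is not accepted). Object names, addresses, zone names and the breadth thresholds are constructed assumptions.

```python
import ipaddress

# Constructed sample data: network objects (name -> CIDR) and a rule table
# shaped like the Secure Shell table (one network object plus zones per rule).
OBJECTS = {
    "any": None,  # system-provided object; the page says it cannot be used here
    "any-ipv4": "0.0.0.0/0",
    "any-ipv6": "::/0",
    "mgmt-jump-hosts": "192.0.2.0/28",
    "noc-v6": "2001:db8:10::/64",
}
RULES = [
    {"object": "mgmt-jump-hosts", "zones": ["inside"]},
    {"object": "any-ipv4", "zones": ["outside"]},
    {"object": "any", "zones": ["inside"]},
    {"object": "noc-v6", "zones": ["outside"]},
    {"object": "branch-admins", "zones": ["inside"]},
]

def audit_rules(rules, objects, min_prefix_v4=16, min_prefix_v6=48):
    """Return (rule_index, severity, message) findings for an SSH rule table.
    The minimum prefix lengths are an assumed local policy, not a Cisco limit."""
    findings = []
    for i, rule in enumerate(rules):
        name = rule["object"]
        if name == "any":
            findings.append((i, "error", "'any' is not accepted; use any-ipv4 or any-ipv6"))
        elif name not in objects:
            findings.append((i, "error", f"network object '{name}' is not defined"))
        else:
            net = ipaddress.ip_network(objects[name], strict=False)
            limit = min_prefix_v4 if net.version == 4 else min_prefix_v6
            if net.prefixlen < limit:
                findings.append((i, "warn", f"'{name}' ({net}) is broader than /{limit} on {rule['zones']}"))
    return findings

def allowed_zones(client_ip, rules, objects):
    """Zones whose rules admit client_ip; rules with unusable objects are skipped."""
    ip = ipaddress.ip_address(client_ip)
    zones = set()
    for rule in rules:
        cidr = objects.get(rule["object"])
        if cidr is None:
            continue
        net = ipaddress.ip_network(cidr, strict=False)
        if ip.version == net.version and ip in net:
            zones.update(rule["zones"])
    return sorted(zones)
```

Running audit_rules on the sample flags the any-ipv4 rule on the outside zone as a warning and the any and undefined-object rules as errors; allowed_zones shows which zones a given admin host could reach over SSH.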


Cisco Firepower 1100 Specifications

General
Brand: Cisco
Model: Firepower 1100
Category: Firewall
Language: English
