(Optional) Configure Management Access For Fxos On Data Interfaces - Cisco Firepower 2100 Series Getting Started Manual

(Optional) Configure Management Access for FXOS on Data Interfaces

If you want to manage FXOS on the Firepower 2100 from a data interface, then you can configure SSH, HTTPS, and SNMP access. This feature is useful if you want to manage the device remotely, and you want to keep Management 1/1, which is the native way to access FXOS, on an isolated network. If you enable this feature, you can continue to use Management 1/1 for local access. Note that you cannot allow remote access from Management 1/1 for FXOS at the same time as using this feature. This feature requires forwarding traffic to the ASA data interfaces over the backplane (the default), and you can only specify one FXOS management gateway.

The ASA uses non-standard ports for FXOS access; the standard port is reserved for use by the ASA on the same interface. When the ASA forwards traffic to FXOS, it translates the non-standard destination port to the FXOS port for each protocol (do not change the HTTPS port in FXOS). The packet destination IP address (which is the ASA interface IP address) is also translated to an internal address for use by FXOS. The source address remains unchanged. For returning traffic, the ASA uses its data routing table to determine the correct egress interface. When you access the ASA data IP address for the management application, you must log in using an FXOS username; ASA usernames only apply for ASA management access.

You can also enable FXOS management traffic initiation on ASA data interfaces, which is required for SNMP traps, or NTP and DNS server access, for example. By default, FXOS management traffic initiation is enabled for the ASA outside interface for DNS and NTP server communication (required for Smart Software Licensing communication).

Before you begin
• Single context mode only.
• Excludes ASA management-only interfaces.
• You cannot use a VPN tunnel to an ASA data interface and access FXOS directly. As a workaround for SSH, you can VPN to the ASA, access the ASA CLI, and then use the connect fxos command to access the FXOS CLI. Note that SSH, HTTPS, and SNMPv3 are/can be encrypted, so direct connection to the data interface is safe.
• Ensure that the FXOS gateway is set to forward traffic to the ASA data interfaces (the default). If you changed the gateway, then see (Optional) Change the FXOS Management IP Addresses or Gateway, on page 93.

Procedure
Step 1
In ASDM, choose Configuration > Device Management > Management Access > FXOS Remote Management.
Step 2
Enable FXOS remote management.
a) Choose HTTPS, SNMP, or SSH from the navigation pane.
b) Click Add, and set the Interface where you want to allow management, set the IP Address allowed to connect, and then click OK.

Cisco Firepower 2100 Getting Started Guide, page 90
ASA Deployment in Platform Mode
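
The following is an added example, not part of the Cisco guide: a check that reads an exported ASA running configuration and flags FXOS remote management permits whose allowed source is wider than intended. It assumes the ASA CLI form `fxos {https | ssh | snmp} permit ...` that corresponds to the entries added in Step 2; the sample lines, the 256-address threshold, and treating an interface named `outside` as untrusted are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of ASA running-config lines (not taken from the guide).
SAMPLE_CONFIG = """\
fxos https permit 192.0.2.0 255.255.255.0 inside
fxos ssh permit 0.0.0.0 0.0.0.0 outside
fxos snmp permit 198.51.100.10 255.255.255.255 inside
fxos ssh permit 2001:db8::/32 inside
fxos https permit ::/0 outside
"""

# Assumed form: fxos {https|ssh|snmp} permit <ipv4 netmask | ipv6/prefix> <interface>
PERMIT_RE = re.compile(
    r"^fxos (https|ssh|snmp) permit (\S+)(?: (\d+\.\d+\.\d+\.\d+))? (\S+)$")

def parse_permits(config):
    """Return (protocol, network, interface) for every FXOS permit line."""
    rules = []
    for line in config.splitlines():
        m = PERMIT_RE.match(line.strip())
        if not m:
            continue  # not an FXOS permit line
        proto, addr, mask, ifname = m.groups()
        spec = f"{addr}/{mask}" if mask else addr
        rules.append((proto, ipaddress.ip_network(spec, strict=False), ifname))
    return rules

def audit(config, max_hosts=256, untrusted=("outside",)):
    """Flag permits that admit any source, a large range, or an untrusted interface."""
    findings = []
    for proto, net, ifname in parse_permits(config):
        reasons = []
        if net.prefixlen == 0:
            reasons.append("any source")
        elif net.num_addresses > max_hosts:
            reasons.append(f"broad range ({net})")
        if ifname in untrusted:  # interface names are site-specific
            reasons.append(f"untrusted interface {ifname}")
        if reasons:
            findings.append((proto, str(net), ifname, reasons))
    return findings

if __name__ == "__main__":
    for proto, net, ifname, reasons in audit(SAMPLE_CONFIG):
        print(f"{proto:5} {net:18} {ifname:8} {'; '.join(reasons)}")
```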
