Accessing ASA CLI in Firepower Threat Defence

I’ve recently loaded Firepower Threat Defense on an ASA5525 for my home Internet firewall. For those unfamiliar with FTD, it is basically a combination of critical ASA features and all of the Cisco Firepower features in a single image and execution space. So unlike Firepower Services, which runs separately inside the same ASA sheet metal, FTD takes over the hardware. Once the image is installed onto the hardware, the firewall is attached to and managed by a Firepower Management Console.

For those that still want to (or need to) get under the covers to understand the underpinnings or do some troubleshooting of the ASA features, it is still possible to access the familiar CLI. The process first requires an ssh connection to the management IP of the FTD instance, then entering expert mode and running the lina_cli command.

MacBook:~ paulste$ ssh [email protected]
Password:
Last login: Thu Jun 23 18:16:43 2016 from 192.168.1.48

Copyright 2004-2016, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.0.1 (build 37)
Cisco ASA5525-X Threat Defense v6.0.1 (build 1213)

//go into expert mode
> expert

//enter sudo lina_cli -- my su password was the admin pw I set during installation
[email protected]:~$ sudo lina_cli
Password:


Attaching to ASA console ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.

//enable password was blank for me
firepower> en
Password:
firepower#

Now the typical ASA show commands are available. For example:

show run dhcpd (yes, you can actually make your FTD device a DHCP server)

firepower# show run dhcpd
dhcpd dns 8.8.8.8
dhcpd domain paul.local
!
dhcpd address 192.168.1.20-192.168.1.100 inside
dhcpd enable inside
!
firepower#

show run nat

firepower# show run nat
!
object network Internal
 nat (inside,outside) dynamic interface
firepower#

show conn

firepower# show conn
49 in use, 448 most used

TCP inside  10.101.101.4(192.168.1.54):65152 outside  66.163.36.181:443, idle 0:04:33, bytes 12222, flags UxIO N
UDP inside  192.168.1.232:123 outside  104.232.3.3:123, idle 0:00:23, bytes 96, flags - N
--snip--

show run access-group|access-list

firepower# show run access-group
access-group CSM_FW_ACL_ global
firepower# show run access-list CSM_FW_ACL_
access-list CSM_FW_ACL_ remark rule-id 268434434: ACCESS POLICY: FTD5525-1 - Default/1
access-list CSM_FW_ACL_ remark rule-id 268434434: L7 RULE: Monitor URL
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268434434 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268434433: ACCESS POLICY: FTD5525-1 - Default/2
access-list CSM_FW_ACL_ remark rule-id 268434433: L7 RULE: Permit All
access-list CSM_FW_ACL_ advanced permit ip object Internal any rule-id 268434433 event-log both
access-list CSM_FW_ACL_ remark rule-id 268435456: ACCESS POLICY: FTD5525-1 - Default/3
access-list CSM_FW_ACL_ remark rule-id 268435456: L7 RULE: Permit ICMP
access-list CSM_FW_ACL_ advanced permit icmp ifc outside any ifc inside any echo-reply rule-id 268435456 event-log both
access-list CSM_FW_ACL_ remark rule-id 268434432: ACCESS POLICY: FTD5525-1 - Default/1
access-list CSM_FW_ACL_ remark rule-id 268434432: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268434432 event-log flow-start
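The access-list output above is the compiled form of the access policy: each rule-id gets two remarks (the policy position and the rule name) followed by the actual ACE. The following added example (not from the original post) parses that output, using the lines above as a constructed sample, so you can review the resultant ACL the FMC pushed to the box, list any rule that compiles to "permit ip any any" (here the Monitor URL rule) and confirm what the default action is. The function names and the rule dictionary layout are my own.

```python
import re
from collections import OrderedDict

# Constructed sample input: the CSM_FW_ACL_ entries as "show run access-list" printed them above.
SAMPLE_ACL = """\
access-list CSM_FW_ACL_ remark rule-id 268434434: ACCESS POLICY: FTD5525-1 - Default/1
access-list CSM_FW_ACL_ remark rule-id 268434434: L7 RULE: Monitor URL
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268434434 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268434433: ACCESS POLICY: FTD5525-1 - Default/2
access-list CSM_FW_ACL_ remark rule-id 268434433: L7 RULE: Permit All
access-list CSM_FW_ACL_ advanced permit ip object Internal any rule-id 268434433 event-log both
access-list CSM_FW_ACL_ remark rule-id 268435456: ACCESS POLICY: FTD5525-1 - Default/3
access-list CSM_FW_ACL_ remark rule-id 268435456: L7 RULE: Permit ICMP
access-list CSM_FW_ACL_ advanced permit icmp ifc outside any ifc inside any echo-reply rule-id 268435456 event-log both
access-list CSM_FW_ACL_ remark rule-id 268434432: ACCESS POLICY: FTD5525-1 - Default/1
access-list CSM_FW_ACL_ remark rule-id 268434432: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268434432 event-log flow-start
"""

# A remark carries either the access-policy position or the rule name; an ACE carries the real match.
REMARK_RE = re.compile(r"^access-list (\S+) remark rule-id (\d+): (ACCESS POLICY|L\d RULE): (.*)$")
ACE_RE = re.compile(r"^access-list (\S+) advanced (permit|deny) (\S+) (.*?) rule-id (\d+)(?: event-log (\S+))?$")

def parse_acl(text):
    """Group remarks and ACEs by rule-id, preserving ACL order (first match wins on the box)."""
    rules = OrderedDict()
    for line in text.splitlines():
        m = REMARK_RE.match(line)
        if m:
            acl, rid, kind, value = m.groups()
            rule = rules.setdefault(rid, {"acl": acl, "policy": None, "name": None, "aces": []})
            rule["policy" if kind == "ACCESS POLICY" else "name"] = value
            continue
        m = ACE_RE.match(line)
        if m:
            acl, action, proto, match, rid, log = m.groups()
            rule = rules.setdefault(rid, {"acl": acl, "policy": None, "name": None, "aces": []})
            rule["aces"].append({"action": action, "proto": proto, "match": match, "log": log})
    return rules

def blanket_permits(rules):
    """Names of rules that compile to 'permit ip any any'; check these against the policy in the FMC."""
    return [r["name"] for r in rules.values()
            if any(a["action"] == "permit" and a["proto"] == "ip" and a["match"] == "any any" for a in r["aces"])]

def default_action(rules):
    """The last rule in the ACL is the policy's default action; return (name, action, logging)."""
    rule = rules[list(rules)[-1]]
    ace = rule["aces"][-1]
    return rule["name"], ace["action"], ace["log"]
```

Paste the real "show run access-list CSM_FW_ACL_" output into SAMPLE_ACL (or read it from a file) and call parse_acl on it; the rule-ids match the ones the FMC shows in connection events, which makes it easy to tie a logged flow back to its rule.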

Conclusion

As you can see, there is still a lot of familiar territory in Firepower Threat Defense. I hope this article serves as a reminder about this feature so troubleshooting can happen quicker for those familiar with ASA CLI.

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.


About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.

8 Responses to Accessing ASA CLI in Firepower Threat Defence

  1. Aref says:

    Paul, as usual, your threads are always of great value, thanks for sharing, it was really helpful.

    Aref

  2. Pingback: Manual URL Filtering in Firepower - PacketU

  3. Sajid says:

    Is it right that we cannot access configure mode and cannot configure the box from the CLI???

    • That is currently the case for FTD. Moreover, the master configuration lives in Firepower Management Console. So I would think of the on-device configuration file as read only. You can see the resultant configuration and do some troubleshooting (including packet capture) from the CLI.

  4. Great write-up. Another way to access the Lina CLI:

    > system support diagnostic-cli

  5. Abid Abdul Latif says:

    How to exit from this mode :S
