Configuring the Management Access List
By default, you can reach the device's Firepower Device Manager web or CLI interfaces on the management address from any IP address. System access is protected by username/password only. However, you can configure an access list to allow connections from specific IP addresses or subnets only to provide another level of protection.
You can also open data interfaces to allow Firepower Device Manager or SSH connections to the CLI. You can then manage the device without using the management address. For example, you could allow management access to the outside interface, so that you can configure the device remotely. The username/password protects against unwanted connections. By default, HTTPS management access to data interfaces is enabled on the inside interface but it is disabled on the outside interface. For device models that have a default “inside” bridge group, this means that you can make Firepower Device Manager connections through any data interface within the bridge group to the bridge group IP address (default is 192.168.1.1). You can open a management connection only on the interface through which you enter the device.
If you constrain access to specific addresses, you can easily lock yourself out of the system. If you delete access for the IP address that you are currently using, and there is no entry for “any” address, you will lose access to the system when you deploy the policy. Be very careful if you decide to configure the access list.
Before you begin
You cannot configure both Firepower Device Manager access (HTTPS access) and AnyConnect remote access SSL VPN on the same interface for the same TCP port. For example, if you configure remote access SSL VPN on the outside interface, you cannot also open the outside interface for HTTPS connections on port 443. Because you cannot configure the port used by these features in Firepower Device Manager, you cannot configure both features on the same interface.
Click Device, then click the link.
If you are already on the System Settings page, simply click Management Access in the table of contents.
You can also configure AAA on this page to allow management access for users defined in an external AAA server. For details, see Managing FDM and FTD User Access.
To create rules for the management address:
To create rules for data interfaces: