在管理接口出现故障时通过数据接口添加FDM访问

简介

本文档介绍如何在管理端口出现故障时向Firepower线程防御(FTD)添加超文本传输协议(HTTP)访问。

先决条件

要求

Cisco 建议您了解以下主题：

• 通过控制台访问设备

使用的组件

本文档中的信息基于以下软件和硬件版本：

• 思科Firepower 1120线程防御版本7.4.2

本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始（默认）配置。如果您的网络处于活动状态，请确保您了解所有命令的潜在影响。

配置

配置

步骤1.从设备的控制台会话连接到FTD命令行界面客户端(CLISH):

Cisco Firepower Extensible Operating System (FX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2009-2019, Cisco Systems, Inc. All rights reserved.

The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license.

Certain components of this software are licensed under the "GNU General Public
License, version 3" provided with ABSOLUTELY NO WARRANTY under the terms of
"GNU General Public License, Version 3", available here:
http://www.gnu.org/licenses/gpl.html. See User Manual (''Licensing'') for
details.

Certain components of this software are licensed under the "GNU General Public
License, version 2" provided with ABSOLUTELY NO WARRANTY under the terms of
"GNU General Public License, version 2", available here:
http://www.gnu.org/licenses/old-licenses/gpl-2.0.html. See User Manual
(''Licensing'') for details.

Certain components of this software are licensed under the "GNU LESSER GENERAL
PUBLIC LICENSE, version 3" provided with ABSOLUTELY NO WARRANTY under the terms
of "GNU LESSER GENERAL PUBLIC LICENSE" Version 3", available here:
http://www.gnu.org/licenses/lgpl.html. See User Manual (''Licensing'') for
details.

Certain components of this software are licensed under the "GNU Lesser General
Public License, version 2.1" provided with ABSOLUTELY NO WARRANTY under the
terms of "GNU Lesser General Public License, version 2", available here:
http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html. See User Manual
(''Licensing'') for details.

Certain components of this software are licensed under the "GNU Library General
Public License, version 2" provided with ABSOLUTELY NO WARRANTY under the terms
of "GNU Library General Public License, version 2", available here:
http://www.gnu.org/licenses/old-licenses/lgpl-2.0.html. See User Manual
(''Licensing'') for details.

KSEC-FPR1140-1# connect ftd

步骤2.从FTD CLISH，通过expert命令访问Linux shell并提升为管理员权限：

> 
> expert
admin@KSEC-FPR1140-1:/$ sudo su
Password: 
root@KSEC-FPR1140-1:/#

步骤3.使用LinaConfigTool将HTTP命令条目推送到Lina配置，并创建静态路由以将流量从Linux端运行的Web服务器发送到Lina端的nlp_int_tap接口：

root@KSEC-FPR1140-1:/# LinaConfigTool "http 192.168.1.0 255.255.255.0 inside"
root@KSEC-FPR1140-1:/# 
root@KSEC-FPR1140-1:/# ip route add 192.168.1.0/24 via 169.254.1.1
root@KSEC-FPR1140-1:/# 
root@KSEC-FPR1140-1:/# 

步骤4.返回FTD CLISH并确认网络地址转换(NAT)规则已自动创建：

root@KSEC-FPR1140-1:/# 
root@KSEC-FPR1140-1:/# 
root@KSEC-FPR1140-1:/# exit
exit
admin@KSEC-FPR1140-1:/$ exit
logout
> show nat detail
Manual NAT Policies Implicit (Section 0)
1 (nlp_int_tap) to (inside) source static nlp_server__http_192.168.1.0_intf4 interface  destination static 0_192.168.1.0_3 0_192.168.1.0_3 service tcp https https 
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 169.254.1.3/32, Translated: 10.10.105.87/24
    Destination - Origin: 192.168.1.0/24, Translated: 192.168.1.0/24
    Service - Protocol: tcp Real: https Mapped: https 

步骤5.在数据接口上访问FDM UI，并从UI创建数据接口上的管理访问，以使更改永久生效：

验证

打开浏览器并尝试使用数据接口IP地址访问FDM。

故障排除

执行数据包捕获并确认：

• 流量到达数据接口。
• 流量正被转发到nlp_int_tap接口。