topic Re: How to restrict access to FTD management interface. in Network Security

How to restrict access to FTD management interface.

Grzegorz86 — Tue, 21 Sep 2021 16:12:16 GMT

Hi,

I am trying to restrict SSH access to the management interface of the FTD device.

Can someone share the correct procedure?

Platform settings apply only to the data interfaces and the management interface is still accessible.

I tried applying ssh access list from CLISH but that did not work either and the device is still accessible from any IP.

  > configure ssh-access-list 10.0.0.0/8

We are running FXOS version 6.7 on FTD 2110 managed by FMC on version 7.0

Re: How to restrict access to FTD management interface.

Marvin Rhoads — Tue, 21 Sep 2021 17:36:13 GMT

That's the proper command. There was a bug with it back in 6.2.x but that should be fixed on 6.7 and 7.0

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve55973/?rfs=iqvred

I tested it on my device and it appears to work as expected (prevented me from accessing the device from a non-10.0.0.0/8 address):

Re: How to restrict access to FTD management interface.

Grzegorz86 — Tue, 21 Sep 2021 19:30:03 GMT

Hi Marvin,

Thank you for your reply.

I just did some more checks and can see that my ACL is applied. However, I have two permit any any statements at the beginning and the end of ACL. Please see redacted entries below.

show ssh-access-list
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- ---- anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- --- anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- --- anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- ---- anywhere state NEW tcp dpt:ssh
ACCEPT tcp anywhere anywhere state NEW tcp dpt:ssh

How can I modify it to get rid of the any any statements?

Re: How to restrict access to FTD management interface.

Marvin Rhoads — Tue, 21 Sep 2021 20:03:48 GMT

You should be able to enter a replacement with just the networks you want:

configure ssh-access-list <entry_1>,<entry_2>,<entry_n>

That will replace the existing entries.

Re: How to restrict access to FTD management interface.

Grzegorz86 — Tue, 21 Sep 2021 21:37:10 GMT

That's what I did.
I configured acl in the format

Configure ssh-access-list 10.1.1.0/24,10.2.0.0/24,172.16.0.0/16

Unfortunately, permit any any entries are still retained.

Re: How to restrict access to FTD management interface.

Marvin Rhoads — Wed, 22 Sep 2021 12:38:44 GMT

I tested on my system it worked as I described. See my output below:

> configure ssh-access-list 10.0.0.0/8

The ssh access list was changed successfully.

> show ssh-access-list
ACCEPT     tcp  --  10.0.0.0/8           anywhere             state NEW tcp dpt:ssh
> 
> configure ssh-access-list 10.0.0.0/8,172.16.0.0/12

The ssh access list was changed successfully.

> show ssh-access-list
ACCEPT     tcp  --  10.0.0.0/8           anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  172.16.0.0/12        anywhere             state NEW tcp dpt:ssh
> 
> configure ssh-access-list 172.16.0.0/12

The ssh access list was changed successfully.

> show ssh-access-list
ACCEPT     tcp  --  172.16.0.0/12        anywhere             state NEW tcp dpt:ssh
>

Re: How to restrict access to FTD management interface.

Grzegorz86 — Wed, 22 Sep 2021 12:48:15 GMT

Thanks, Marvin

It does not work for me in production.

It works fine in the lab but I am using a different version there.

When I configure ACL it does not remove entries but just duplicates them and add to the bottom of the ACL

Another thing is I cannot even disable ssh access completely.

After issuing configure disable-ssh-access access is still there and ACL is not being removed.

It disappears from the config and ssh access is restricted as expected when I test in LAB.

I must be hitting some bug and will raise that with cisco.

Re: How to restrict access to FTD management interface.

Grzegorz86 — Thu, 30 Sep 2021 09:34:05 GMT

Hi,

I thought I will share the update for anyone who has the same issue.

Basically, we were hitting the below bug.

CSCvx71156 - access list is not working on 6.7

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx71156

Cisco TAC came up with a workaround involving logging in to expert mode, a manual edition of iptables and iptables service restart afterwards.

This fixed the problem and we were able to restrict access as required.

Re: How to restrict access to FTD management interface.

Marvin Rhoads — Thu, 30 Sep 2021 18:43:41 GMT

Thanks for the update - I hadn't encountered that bug before.