FMC access list

dkcowboy — Fri, 21 Feb 2020 14:55:01 GMT

hi

I'running Cisco FMC on VMware, what I did was in the GUI in the The Access List,
removed any, replaced with my LAN ip subnet as source for:

443 (HTTPS)—Used for web interface access.

22 (SSH)—Used for command line access.

"By default, access is not restricted. To operate in a more secure environment, consider adding access for specific IP addresses and then deleting the default any option. "

I did that!

Now I can't get access via my LAN to tcp:443 og tcp:22, I only have console access in VMware, I can login to Cisco Fire Linux prompt, admin@firepower:$

But how do I insert an any rule to get my ssh/https access back again ?

How do I get out of Linux mode $ to configure access rule ?

Re: FMC access list

pagrawa2 — Tue, 29 Jan 2019 09:09:54 GMT

iptables will need to be corrected from the cli access.

Please contact TAC to fix the issue and do not attempt to make any change to iptables.

Re: FMC access list

nehmaan123 — Tue, 19 Mar 2019 20:44:30 GMT

I know it's a bit late but recently I've had a similar problem. This was my fix:

1) Initially I deleted all the contents in "/etc/sysconfig/iptables" and reloaded the FMC just for testing purposes. Outputs below but yours would have included some info.

admin@FMC-1:~$ sudo iptables-save
Password:
# Generated by iptables-save v1.4.20 on Tue Mar 19 20:06:58 2019
*filter
:INPUT ACCEPT [317006:200566441]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [316311:174050600]
COMMIT
# Completed on Tue Mar 19 20:06:58 2019
admin@FMC-1:~$ sudo -i
root@FMC-1:~# cat /etc/sysconfig/iptables
****nothing here, It's all empty****

Thankfully it boots up with "INPUT ACCEPT" otherwise we'd have no access.
In order to fix this, I needed to restore the "/etc/sysconfig/iptables" config.
Making changes via the web UI will do nothing to fix this issue.

2) Locate original files and copy to "/etc/sysconfig/iptables".

locate iptables | more
/var/log/sf/Cisco_Firepower_Mgmt_Center_Upgrade-6.3.0/etc.before/sysconfig/iptables

note: You might need to run "updatedb" before you use the "locate" command.
note: We are looking for "etc.before/sysconfig/iptables" as this is the original file.

I am are running version 6.3.0 so this is the correct file path and file.

3) cp /var/log/sf/Cisco_Firepower_Mgmt_Center_Upgrade-6.3.0/etc.before/sysconfig/iptables /etc/sysconfig/iptables

4) restore default config: iptables-restore < /etc/sysconfig/iptables

note: This is a live command so ensure your "INPUT" chain commands would allow access to TCP/22 with any source IP at a minimum. The default config includes this so shouldn't be a problem.

5) Now you can go into your web UI, Add a single /32 IP which will then populate the entire iptables config and restore to however you want it. Run "iptables -nvL" to check the output or "iptables-save" to get a print out of the live iptables config.

6) Rebooted FMC in the lab and iptables are restored on startup.

topic FMC access list in Network Security

FMC access list

Re: FMC access list

Re: FMC access list