FMC access list

dkcowboy
Level 1

hi

I'm running Cisco FMC on VMware. What I did was, in the GUI in the Access List,
removed any, replaced with my LAN IP subnet as source for:

    443 (HTTPS)—Used for web interface access.

    22 (SSH)—Used for command line access.


"By default, access is not restricted. To operate in a more secure environment, consider adding access for specific IP addresses and then deleting the default any option. "

I did that!

Now I can't get access via my LAN to tcp:443 and tcp:22, I only have console access in VMware, I can log in to the Cisco Fire Linux prompt, admin@firepower:$

But how do I insert an any rule to get my ssh/https access back again?

How do I get out of Linux mode $ to configure the access rule?

2 Replies 2

pagrawa2
Cisco Employee

iptables will need to be corrected from the cli access.

Please contact TAC to fix the issue and do not attempt to make any change to iptables.

nehmaan123
Level 1

I know it's a bit late but recently I've had a similar problem. This was my fix:

1) Initially I deleted all the contents in "/etc/sysconfig/iptables" and reloaded the FMC just for testing purposes. Outputs below, but yours would have included some info.

admin@FMC-1:~$ sudo iptables-save
Password:
# Generated by iptables-save v1.4.20 on Tue Mar 19 20:06:58 2019
*filter
:INPUT ACCEPT [317006:200566441]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [316311:174050600]
COMMIT
# Completed on Tue Mar 19 20:06:58 2019
admin@FMC-1:~$ sudo -i
root@FMC-1:~# cat /etc/sysconfig/iptables
****nothing here, It's all empty****

Thankfully it boots up with "INPUT ACCEPT" otherwise we'd have no access.
In order to fix this, I needed to restore the "/etc/sysconfig/iptables" config.
Making changes via the web UI will do nothing to fix this issue.

2) Locate original files and copy to "/etc/sysconfig/iptables".

locate iptables | more
/var/log/sf/Cisco_Firepower_Mgmt_Center_Upgrade-6.3.0/etc.before/sysconfig/iptables

note: You might need to run "updatedb" before you use the "locate" command.
note: We are looking for "etc.before/sysconfig/iptables" as this is the original file.

I am running version 6.3.0 so this is the correct file path and file.

3) cp /var/log/sf/Cisco_Firepower_Mgmt_Center_Upgrade-6.3.0/etc.before/sysconfig/iptables /etc/sysconfig/iptables

4) restore default config: iptables-restore < /etc/sysconfig/iptables

note: This is a live command so ensure your "INPUT" chain commands would allow access to TCP/22 with any source IP at a minimum. The default config includes this so shouldn't be a problem.

5) Now you can go into your web UI, add a single /32 IP which will then populate the entire iptables config and restore to however you want it. Run "iptables -nvL" to check the output or "iptables-save" to get a printout of the live iptables config.

6) Rebooted FMC in the lab and iptables are restored on startup.
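The pre-flight check that the note under step 4 asks for, written as an added example (not code from this thread or from Cisco): it reads an iptables-save style file and reports whether the INPUT chain still admits TCP/22 from any source before anyone runs iptables-restore over the console. The rule lines and the 10.1.1.0/24 subnet are constructed sample data.

```shell
# Added example, not from the thread or from Cisco. Check an
# iptables-save file BEFORE "iptables-restore < FILE" is run over the
# console, so that a wrong source subnet in the file does not repeat
# the lockout described in the original question.

# Return 0 if FILE keeps TCP/22 reachable from any source, 1 otherwise:
# either the INPUT policy is ACCEPT, or some "-A INPUT" rule accepts
# "-p tcp --dport 22" without an "-s" source restriction. Rules written
# with "-m multiport --dports" are not recognised and count as closed.
ssh_open_from_any() {
    awk '
        /^:INPUT ACCEPT/ { ok = 1 }
        /^-A INPUT / {
            tcp = 0; ssh = 0; acc = 0; src = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-p" && $(i + 1) == "tcp")     tcp = 1
                if ($i == "--dport" && $(i + 1) == "22") ssh = 1
                if ($i == "-j" && $(i + 1) == "ACCEPT")  acc = 1
                if ($i == "-s" || $i == "--source")      src = 1
            }
            if (tcp && ssh && acc && !src) ok = 1
        }
        END { if (ok) exit 0; exit 1 }
    ' "$1"
}

# Write a constructed, minimal iptables-save file to $1 whose only
# INPUT rule is $2 (INPUT policy DROP, so that one rule decides).
write_sample() {
    printf '*filter\n:INPUT DROP [0:0]\n%s\nCOMMIT\n' "$2" > "$1"
}
OPEN_RULE='-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
LAN_ONLY_RULE='-A INPUT -s 10.1.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT'

# Demo: classify both constructed files (read-only, no live change).
for rule in "$OPEN_RULE" "$LAN_ONLY_RULE"; do
    f="$(mktemp)"; write_sample "$f" "$rule"
    if ssh_open_from_any "$f"; then echo "OK to restore:   $rule"
    else echo "WOULD LOCK OUT: $rule"; fi
    rm -f "$f"
done
```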
