Restricting Access to FTD Management Interface

mumbles202
Level 5

I'm trying to restrict access to the management interface of a pair of 1150s running 7.2.0.  I've run the following command:


configure ssh-access-list 8.8.8.8/32

which appears to complete successfully ("The ssh access list was changed successfully." is returned), but then if I issue "show ssh-access-list" following this nothing is displayed. If I log out and back in via ssh I get the following:


> show ssh-access-list
f2b-sshd tcp -- anywhere anywhere tcp dpt:ssh
Chain f2b-sshd (1 references)


Once I try to edit the ACL again I get the same behavior described above and if I re-run the show ssh-access-list command nothing is displayed.  Strangely enough, this worked fine on a pair of 1140s running the same code.
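A quick way to confirm whether the ssh allow-list actually took effect is to parse the `show ssh-access-list` output and compare it with what was configured. The check below is an added example, not Cisco's code: it assumes the command prints `iptables -L` style rule lines (target, protocol, opt, source, destination, extras), as the `f2b-sshd` line above suggests, and the `ACCEPT ... 8.8.8.8 ... dpt:ssh` form of an applied entry is an assumption; the sample outputs are constructed.

```python
import ipaddress
import re

# One `iptables -L` style rule line: TARGET PROT OPT SOURCE DESTINATION [extras].
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(.*)$")

# Constructed samples: the output seen in the thread, and an assumed applied list.
THREAD_OUTPUT = "f2b-sshd tcp -- anywhere anywhere tcp dpt:ssh\nChain f2b-sshd (1 references)\n"
APPLIED_OUTPUT = (
    "Chain INPUT (policy ACCEPT)\n"
    "target prot opt source destination\n"
    "ACCEPT tcp -- 8.8.8.8 anywhere tcp dpt:ssh\n"
    "DROP tcp -- anywhere anywhere tcp dpt:ssh\n"
)

def parse_rules(output):
    """Return (target, src, rest) per rule line, skipping blanks and header lines."""
    rules = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(("Chain ", "target ")):
            continue
        m = RULE_RE.match(line)
        if m:
            target, _prot, _opt, src, _dst, rest = m.groups()
            rules.append((target, src, rest))
    return rules

def _as_net(text):
    """'8.8.8.8' -> 8.8.8.8/32 (iptables prints hosts without /32); 'anywhere' -> None."""
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None

def check_ssh_acl(output, expected_cidrs):
    """Return findings about the ssh allow-list; an empty list means it looks applied."""
    ssh_rules = [r for r in parse_rules(output) if "dpt:ssh" in r[2] or "dpt:22" in r[2]]
    if not ssh_rules:
        return ["no ssh rules shown: the access list appears empty or not applied"]
    findings = []
    accepted = [_as_net(src) for target, src, _ in ssh_rules if target == "ACCEPT"]
    for cidr in expected_cidrs:
        if ipaddress.ip_network(cidr, strict=False) not in accepted:
            findings.append(f"{cidr} has no ACCEPT rule for ssh")
    if any(t == "ACCEPT" and s == "anywhere" for t, s, _ in ssh_rules):
        findings.append("an ACCEPT from anywhere still allows ssh from any source")
    return findings
```

Run against the thread's output with `["8.8.8.8/32"]` it reports that the configured host has no ACCEPT rule, and an empty output reports the list as not applied.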

5 Replies

balaji.bandi
Hall of Fame

Is this managed by FMC or FDM?

configure ssh-access-list 8.8.8.8/32   <-- Hope 8.8.8.8 is a dummy one; if you do this, only 8.8.8.8 can access and the rest will be denied (bear this in mind before you issue that command).

Try:

> show running-config ssh

Note: since you confirmed the old version is working and 7.2 has an issue, maybe the syntax changed or it could be a bug. I have not tested it myself on 7.2; 7.0 works as expected.

BB


This pair of 1150s is managed by the same FMC that manages the 1140 that took the commands successfully. 

Gustavo Medina
Cisco Employee

Maybe iptables is corrupt... can you show me the iptables file?

/ngfw/etc/sysconfig# cat iptables

When I do that I get this:


admin@ftd-02:/ngfw/etc/sysconfig$ cat iptables
admin@ftd-02:/ngfw/etc/sysconfig$


I see... can you share the same from the working 1140?
