12-22-2017 04:39 AM - edited 02-21-2020 07:01 AM
Hi All,
Need help on resolving this.
We set up a new virtual FMC, and under System > Configuration > Access List we had Any under host and 443, 22 under ports. For some reason one of our admins removed the Any Any entries and added a specific machine to the access list, then removed that as well, after which we are not able to access the console or SSH to the FMC.
I have access to the VM console of this box and need help in setting FMC access back to any host on ports 443 and 22.
01-01-2018 01:26 AM
Hi, support helped me out.
The following was done to resolve this issue:
Once you log in to the FMC console, elevate to root by typing “sudo su -”; it will prompt for the password.
Then cd /etc/sysconfig/ and cat iptables.
Check if you have the exact same lines shown below:
#start SSL SSH SNMP PORTS INPUT BLOCK
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -m recent --update --seconds 10 --hitcount 15 --name slowloris --rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 25 --connlimit-mask 32 -j DROP
-A INPUT -i eth0 -m state --state NEW -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT
#stop SSL SSH SNMP PORTS INPUT BLOCK
If these lines are not there, then do “vim iptables” and add the exact same lines. This should fix the issue.
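The check-and-add step from the accepted answer, as an added example that is not part of the original thread (neither the poster's nor Cisco's): a POSIX shell script that verifies the rule block is present verbatim and, if the start marker is missing, inserts the whole block before the COMMIT of the *filter table so iptables-restore will load it. It assumes /etc/sysconfig/iptables is in iptables-save format and that the block belongs in the *filter section; the sample file it repairs is constructed for the demo and is not a real FMC configuration. Run it as root (the answer uses sudo su -) and pass the real path instead of the temp file.

```shell
#!/bin/sh
# Added example, not from the original post or from Cisco: restore the FMC
# management-access rules in an iptables-save style file, idempotently.
# Assumptions not stated in the thread: the file uses iptables-save format
# (a "*filter" section ending in "COMMIT") and the block belongs in that
# section. The sample file below is constructed, not a real FMC config.

FMC_BLOCK_START='#start SSL SSH SNMP PORTS INPUT BLOCK'
FMC_BLOCK_STOP='#stop SSL SSH SNMP PORTS INPUT BLOCK'

# Print the rule block exactly as given in the accepted answer.
fmc_rules_block() {
  printf '%s\n' "$FMC_BLOCK_START" \
    '-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -m recent --update --seconds 10 --hitcount 15 --name slowloris --rsource -j DROP' \
    '-A INPUT -i eth0 -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 25 --connlimit-mask 32 -j DROP' \
    '-A INPUT -i eth0 -m state --state NEW -p tcp -m tcp --dport 443 -j ACCEPT' \
    '-A INPUT -i eth0 -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT' \
    "$FMC_BLOCK_STOP"
}

# Exit 0 only when every line of the block is present verbatim in file $1
# (the "check if you have the exact same lines" step).
fmc_rules_present() {
  fmc_rules_block | while IFS= read -r line; do
    grep -qxF -- "$line" "$1" || exit 1
  done
}

# Insert the block before the COMMIT of the *filter table if the start
# marker is missing; otherwise leave the file untouched. Keeps FILE.bak.
fmc_rules_ensure() {
  file=$1
  if grep -qxF -- "$FMC_BLOCK_START" "$file"; then
    return 0
  fi
  cp -p "$file" "$file.bak"
  blockfile=$(mktemp)
  fmc_rules_block > "$blockfile"
  awk -v blockfile="$blockfile" '
    /^\*/ { table = $0 }                       # remember the current table
    $0 == "COMMIT" && table == "*filter" && !done {
      while ((getline l < blockfile) > 0) print l
      close(blockfile)
      done = 1
    }
    { print }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  rm -f "$blockfile"
  # Fail if the file had no *filter COMMIT to anchor the block on.
  grep -qxF -- "$FMC_BLOCK_START" "$file"
}

# Constructed stand-in for a locked-out /etc/sysconfig/iptables: the
# access-list block is gone and the INPUT policy drops everything else.
fmc_sample_iptables() {
  printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
    ':OUTPUT ACCEPT [0:0]' '-A INPUT -i lo -j ACCEPT' \
    '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' 'COMMIT'
}

# Line number of the first line equal to $1 in file $2 (0 if absent).
fmc_line_of() {
  awk -v want="$1" '$0 == want { print NR; found = 1; exit }
                    END { if (!found) print 0 }' "$2"
}

# Demo: repair the sample file twice (second run is a no-op) and verify
# that the block is present once and sits before COMMIT.
fmc_demo() {
  f=$(mktemp)
  fmc_sample_iptables > "$f"
  fmc_rules_ensure "$f" && fmc_rules_ensure "$f" &&
    fmc_rules_present "$f" &&
    [ "$(grep -cxF -- "$FMC_BLOCK_START" "$f")" -eq 1 ] &&
    [ "$(fmc_line_of "$FMC_BLOCK_STOP" "$f")" -lt "$(fmc_line_of COMMIT "$f")" ]
  rc=$?
  if [ "$rc" -eq 0 ]; then echo "access-list block restored in $f (backup: $f.bak)"; fi
  rm -f "$f" "$f.bak"
  return "$rc"
}

fmc_demo
```

The block is inserted as a whole rather than just the two ACCEPT lines because rule order matters in iptables: the slowloris and connlimit DROP rules only take effect if they sit ahead of the matching ACCEPT. The rules restore access from any host, which is what the question asked for; to scope management access to specific admin hosts instead, an iptables `-s <cidr>` match can be added to the two ACCEPT lines, which is an extension not shown in the thread.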
12-27-2017 03:00 AM
12-27-2017 04:13 AM
Yes, I will do that. Any idea why show commands and other commands don't work for Firepower? Is there a shell for Firepower I need to switch to in order to run these commands?
01-01-2018 06:41 AM
Thanks for sharing the solution. That's a helpful one for sure.