1469 Views, 5 Helpful, 4 Replies

Unable to Access FP console after removing access list.

hrithiktej
Level 1

Hi All,

Need help on resolving this.

We set up a new virtual FMC. Under System > Configuration > Access List we had Any under Host and 443, 22 under Ports. For some reason one of our admins removed the Any/Any entries, added a specific machine to the Access List and then removed that as well, after which we are not able to access the console nor SSH to the FMC.

I have access to the VM console of this box and need help setting FMC access back to any host on ports 443 and 22.

Accepted Solution

Hi, Support helped me out.

The following was done to resolve this issue:

Once you log in to the FMC console, elevate to root by typing “sudo su -”; it will prompt for the password.

Then do cd /etc/sysconfig/ and then cat iptables.

Check if you have the exact same lines shown below:

#start SSL SSH SNMP PORTS INPUT BLOCK
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -m recent --update --seconds 10 --hitcount 15 --name slowloris --rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 25 --connlimit-mask 32 -j DROP
-A INPUT -i eth0 -m state --state NEW -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT
#stop  SSL SSH SNMP PORTS INPUT BLOCK

If these lines are not there, do “vim iptables” and add the exact same lines. This should fix the issue.

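As an added example (not part of the thread and not Cisco's code), here is the check the accepted solution describes by hand, scripted: it compares the saved rule set against the four rules quoted in the post and inserts only the ones that are missing, wrapped in the post's own marker comments. The file path and the rule text come from the post; inserting the block before the first COMMIT line (so it sits inside the *filter table that iptables-restore reads) and normalizing whitespace before comparing are my assumptions. Pass a file path as the first argument; the post runs this as root on the FMC console, and nothing here reloads the running rules.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco: check the saved iptables
# rule set for the four management-access rules quoted in the accepted
# solution and insert the missing ones inside the marker comments the post
# shows. The post names /etc/sysconfig/iptables; the path is taken from $1
# so the script can also be run against a copy or a test file.

# The rule lines exactly as the accepted solution lists them (whitespace
# normalized to single spaces). Order matters: the two DROP rules that
# limit new HTTPS connections come before the ACCEPT rules.
required_rules() {
    cat <<'EOF'
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -m recent --update --seconds 10 --hitcount 15 --name slowloris --rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 25 --connlimit-mask 32 -j DROP
-A INPUT -i eth0 -m state --state NEW -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT
EOF
}

# Print each required rule that has no exact match in the file. Runs of
# spaces/tabs in the file are collapsed first (assumption: the admin may have
# typed the lines with different spacing). Prints nothing when all are present.
missing_rules() {
    file="$1"
    required_rules | while IFS= read -r rule; do
        if ! sed 's/[[:space:]]\{1,\}/ /g; s/ $//' "$file" | grep -qxF -- "$rule"; then
            printf '%s\n' "$rule"
        fi
    done
}

# Number of missing rules; always exits 0 so it is safe under set -e.
count_missing() {
    missing_rules "$1" | grep -c '' || true
}

# Insert the missing rules, wrapped in the post's marker comments, before the
# first COMMIT line (assumption: that keeps them inside the *filter table that
# iptables-restore reads). If the file has no COMMIT the block is appended.
# Does nothing when every rule is already present, so it is safe to re-run.
restore_rules() {
    file="$1"
    missing=$(missing_rules "$file")
    [ -n "$missing" ] || return 0
    block=$(printf '%s\n' '#start SSL SSH SNMP PORTS INPUT BLOCK' "$missing" '#stop  SSL SSH SNMP PORTS INPUT BLOCK')
    tmp="$file.tmp.$$"
    awk -v block="$block" '
        !done && /^COMMIT[[:space:]]*$/ { print block; done = 1 }
        { print }
        END { if (!done) print block }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# When run with a path: report, repair, report again. Nothing here reloads the
# running firewall; the post does not say how the change is applied.
if [ $# -gt 0 ]; then
    target="$1"
    echo "Missing rules before: $(count_missing "$target")"
    restore_rules "$target"
    echo "Missing rules after:  $(count_missing "$target")"
fi
```

Running it first against a copy of the file (cp /etc/sysconfig/iptables /tmp/iptables.check and passing that path) shows what would change without touching the live rule set.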

4 Replies

mikael.lahtela
Level 4
Hi,

Contact Cisco TAC to see if they can help you resolve it.
They probably have some expert commands to fix that.

br, Micke

Yes, I will do that. Any idea why show commands and other commands don't work for Firepower? Is there a shell for Firepower I need to switch to in order to run these commands?


Thanks for sharing the solution. That's a helpful one for sure.
