https://community.cisco.com/t5/network-security/cannot-block-port-22-on-asa-5510/m-p/2453655#M270216 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Need to check whether you have applied the access-list in proper direction.</P><P></P><P>E.g if you want to stop the access from outside interface then</P><P></P><P>access-group 100 in interface outside</P><P></P><P>Thanks</P></BODY></HTML> Thu, 06 Feb 2014 06:34:43 GMT vishaw jasrotia 2014-02-06T06:34:43Z https://community.cisco.com/t5/network-security/cannot-block-port-22-on-asa-5510/m-p/2453654#M270213 <P>I have an ASA 5510 and port 22 is open. I thought by default that it should be blocked but when I check to see if the port is open by a website (e.g., </P><P><A class="jive-link-external-small" href="http://www.yougetsignal.com/tools/open-ports" target="_blank">http://www.yougetsignal.com/tools/open-ports</A><SPAN>) it shows that it is open. I opened Ports 80, 443, and 25. I added an access list by CLI and ASDM but it still shows that port 22 is open. Here is the script #access-list 100 extended deny tcp any any eq 22 and I done the same using ASDM but substituted ssh for the port number. Does anyone know why this port is open? I saw some activity on my firewall that someone (with an IP address based in China) was trying to access my network via port 22. I think they were running a port scanner. But I have no need to have port 22 open.</SPAN></P><P>Any help would be appreciated</P><P>Thank you</P> Tue, 12 Mar 2019 03:41:10 GMT https://community.cisco.com/t5/network-security/cannot-block-port-22-on-asa-5510/m-p/2453654#M270213 Richard Miller 2019-03-12T03:41:10Z https://community.cisco.com/t5/network-security/cannot-block-port-22-on-asa-5510/m-p/2453655#M270216 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Need to check whether you have applied the access-list in proper direction.</P><P></P><P>E.g if you want to stop the access from outside interface then</P><P></P><P>access-group 100 in interface outside</P><P></P><P>Thanks</P></BODY></HTML> Thu, 06 Feb 2014 06:34:43 GMT https://community.cisco.com/t5/network-security/cannot-block-port-22-on-asa-5510/m-p/2453655#M270216 vishaw jasrotia 2014-02-06T06:34:43Z https://community.cisco.com/t5/network-security/cannot-block-port-22-on-asa-5510/m-p/2453656#M270217 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The ACLs will generally just block traffic through the ASA, not to the ASA.</P><P></P><P>In the newer softwares you have the option to build an ACL to block traffic destined to an actual ASA interface IP address</P><P></P><P><STRONG>access-group <ACL name=""> in interface <EXTERNAL interface="" name=""> control-plane</EXTERNAL></ACL></STRONG></P><P></P><P>This ACL should naturally be something used only for this purpose and not use an existing ACL.</P><P></P><P>Though regarding your SSH problem you might have enabled SSH management from behind <STRONG>"outside"</STRONG> with <STRONG>"any"</STRONG> source address</P><P></P><P><STRONG>ssh 0.0.0.0 0.0.0.0 outside</STRONG></P><P></P><P>You can check this with the command</P><P></P><P><STRONG>show run ssh</STRONG></P><P></P><P>The earlier command I mentioned overrides even the ACL setting that is used to limit connectivity to the ASA itself. So you might want to check how you SSH management setting is configured. This might be causing the results you are seeing.</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 06 Feb 2014 07:17:38 GMT https://community.cisco.com/t5/network-security/cannot-block-port-22-on-asa-5510/m-p/2453656#M270217 Jouni Forss 2014-02-06T07:17:38Z https://community.cisco.com/t5/network-security/cannot-block-port-22-on-asa-5510/m-p/2453657#M270220 <HTML><HEAD></HEAD><BODY><P>Thank you Jouni, it was the ssh management that was keeping the port open. I deleted the outside interface and the port is blocked. I appreciate you help so quickly.</P><P>Thanks again</P></BODY></HTML> Thu, 06 Feb 2014 15:33:58 GMT https://community.cisco.com/t5/network-security/cannot-block-port-22-on-asa-5510/m-p/2453657#M270220 Richard Miller 2014-02-06T15:33:58Z https://community.cisco.com/t5/network-security/cannot-block-port-22-on-asa-5510/m-p/2453658#M270221 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Good to hear <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>Please do remember to mark a reply as the correct answer if it answered your question.</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 06 Feb 2014 15:45:16 GMT https://community.cisco.com/t5/network-security/cannot-block-port-22-on-asa-5510/m-p/2453658#M270221 Jouni Forss 2014-02-06T15:45:16Z